Audits can help companies identify weaknesses and become more resilient in the event of a cyberattack.
Washington, D.C. magazine CFO reports financial auditors are increasingly concerned about cybersecurity, demanding greater transparency on how organizations are managing and mitigating cyber risk. And why shouldn’t they? A cyberattack or a data breach can lead to major financial losses, business disruption, loss of customer confidence, costly lawsuits and irreversible damage to reputation.
Cybersecurity audits and assessments are one of the best ways organizations can improve their security posture. When done right, they can help identify cyber risks, validate the effectiveness of cybersecurity programs, protect the business against cyberattacks, and provide assurance to stakeholders. However, cybersecurity is such a vast domain that it is difficult to determine what constitutes the “right” way of doing things. Here are five common mistakes that every organization must avoid when it comes to auditing its cybersecurity:
1. Choosing an auditor that is not pure play security
In March, the Wall Street Journal reported a follow-up story on the three major U.S. bank failures and found they had one thing in common: KPMG. This was not the first time the audit quality of the Big Four accounting firms had been questioned. Not too long ago, the Big Four were the Big Five, the Big Five were the Big Six, and the Big Six were the Big Eight. A head-spinning tale of M&A activity, interdepartmental fiefdoms and turf wars has blurred the firms' areas of expertise.
Similarly, security is a hot commodity, generating a lot of M&A activity, with teams everywhere mixing it up and claiming to offer universal cybersecurity coverage. To put it mildly, organizations must evaluate the experience and background of the firm auditing their cybersecurity. Is the firm pure-play cybersecurity? Does it understand the client's industry? Will it run a thorough audit rather than drum up a superficial checklist? The whole point of a cyber audit is to identify and mitigate risk, not to run a checkbox exercise.
2. Auditing too many things instead of priority areas
Cybersecurity audits are complex affairs. Cybersecurity teams are frequently bogged down trying to fix more issues than they have the capacity for. Additionally, once an audit is complete, businesses are under pressure to implement mandatory compliance requirements, which can overwhelm an already burnt-out security team. Auditors may present a lengthy list of unranked or unweighted checklist items, which buries priorities instead of surfacing them. It is therefore advisable that auditors go deep on high-value systems first, instead of going an inch deep across many areas.
3. Taking on complex audits instead of getting the basics right
Traditional auditing mechanisms focus on identifying faults in controls and processes. However, most cybersecurity risks stem from basic things like human error, unpatched IT systems and third-party vulnerabilities. This is why it is important to start with the basics, such as reviewing privileged access permissions, assessing employees' cybersecurity awareness, auditing high-risk suppliers and taking stock of any outdated software, before moving on to more complex forms of assessment such as red team exercises or threat hunting. If basic security is not addressed, running a red team exercise will be a complete waste of time, effort and money: the red team will simply walk in through the unpatched system or the stale admin account that a basic review would have caught.
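The two points above, ranking findings by the value of the affected system and checking the basics before anything exotic, can be turned into a small script. The following is an added example, not code from the original article or from any audit firm: it runs two basic-hygiene checks (privileged accounts that have not logged in recently, and installed software that lags behind the current release) over a constructed inventory, then weights each finding by an assumed asset criticality so that the output is a ranked list rather than an unweighted checklist. The inventory, the 90-day idle threshold, the severity values and the criticality scores are all assumptions chosen for illustration.

```python
"""Basic-hygiene audit checks with findings ranked by asset criticality.

Added example. All data below is constructed for illustration; the
severity weights and the idle-days threshold are assumptions, not a
standard, and a real audit would pull this data from an asset register,
an identity provider and a package inventory.
"""
import re
from datetime import date
from typing import Dict, List, Tuple

# Constructed asset register: criticality 1 (low) to 5 (crown jewels).
ASSETS: Dict[str, int] = {"payments-db": 5, "hr-portal": 3, "dev-wiki": 1}

# Constructed list of privileged accounts: (asset, user, group, last login).
PRIV_ACCOUNTS: List[Tuple[str, str, str, str]] = [
    ("payments-db", "alice", "sudo", "2024-05-01"),
    ("payments-db", "svc-backup", "sudo", "2023-01-15"),
    ("hr-portal", "bob", "wheel", "2024-04-20"),
    ("dev-wiki", "old-contractor", "sudo", "2022-11-02"),
]

# Constructed software inventory: (asset, package, installed, current release).
SOFTWARE: List[Tuple[str, str, str, str]] = [
    ("payments-db", "openssl", "1.1.1k", "3.0.13"),
    ("hr-portal", "nginx", "1.24.0", "1.24.0"),
    ("dev-wiki", "php", "7.4.33", "8.3.6"),
]

# Assumed severity per finding type; multiplied by asset criticality.
SEVERITY: Dict[str, int] = {"stale-privileged": 4, "major": 3, "minor": 2}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.1.1k' into (1, 1, 1); trailing letters are ignored."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_gap(installed: str, current: str) -> str:
    """Classify the lag as 'major', 'minor' or 'current'."""
    have, want = parse_version(installed), parse_version(current)
    if have[0] < want[0]:
        return "major"
    if have < want:
        return "minor"
    return "current"


def stale_privileged_accounts(as_of: str, max_idle_days: int = 90) -> List[dict]:
    """Privileged accounts idle longer than max_idle_days as of the given date."""
    today = date.fromisoformat(as_of)
    findings = []
    for asset, user, group, last_login in PRIV_ACCOUNTS:
        idle = (today - date.fromisoformat(last_login)).days
        if idle > max_idle_days:
            findings.append({"asset": asset, "kind": "stale-privileged",
                             "detail": f"{user} in {group}, idle {idle} days"})
    return findings


def outdated_software() -> List[dict]:
    """Packages whose installed version lags behind the current release."""
    findings = []
    for asset, package, installed, current in SOFTWARE:
        gap = version_gap(installed, current)
        if gap != "current":
            findings.append({"asset": asset, "kind": gap,
                             "detail": f"{package} {installed} (current {current})"})
    return findings


def prioritized_findings(as_of: str, max_idle_days: int = 90) -> List[dict]:
    """All findings, scored as criticality * severity and sorted high to low."""
    findings = stale_privileged_accounts(as_of, max_idle_days) + outdated_software()
    for finding in findings:
        finding["score"] = ASSETS[finding["asset"]] * SEVERITY[finding["kind"]]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in prioritized_findings("2024-06-01"):
        print(f"{f['score']:>3}  {f['asset']:<12} {f['kind']:<16} {f['detail']}")
```

With the constructed data, the stale service account on the payments database and the old OpenSSL on the same host rise to the top, while the same two problems on the low-value wiki drop to the bottom: the checks are identical, but the asset weighting is what turns a checklist into a priority list.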
4. Treating cyber as only an IT risk
Businesses and management teams have difficulty accepting that cyber risk is not only an IT risk but a bona fide business risk. Failing to take a holistic view of a cyber audit's results (technical, legal, financial, human, compliance) and their impact on the enterprise is one of the biggest mistakes organizations make. Cybersecurity effectiveness should be judged in the context of the whole business, and the entire organization, not just the security team, needs to be involved in establishing the culture, controls, plans, processes and mechanisms that keep the organization from being compromised.
5. Running audits too infrequently or delaying them
Most organizations conduct audit checks once a year. Given the evolving and dynamic nature of the security landscape, an organization can be breached overnight, long before the next annual check would notice the gap. This is why organizations should run health checks every quarter, so they obtain a timely and more accurate view of underlying risks. It is also common for businesses to delay audits because of conflicting priorities and because audits are perceived as time intensive. Security audits are like an oil change: you can put them off for a while, until the tailpipe starts belching foul blue smoke and you need an engine overhaul. Likewise, a business that postpones audits ends up expending far more resources dealing with the aftermath of a breach.
To summarize, do not fear audits. Embrace them as you would any other trusted partner who can work unobtrusively in the background while the business continues its frontline activities. Organizations that invest effort in finding the right auditing partner will go a long way toward making their business resilient to cyberattacks and breaches.