The statistics are merciless. The frequency and effectiveness of attacks on organizations are increasing. Attackers' tools are improving and their skills are growing. The Center for Strategic and International Studies (CSIS) list of successful cyber-attacks on government agencies, the defense sector and high-tech companies, and of economic crimes where losses due to attacks exceeded one million dollars, already contains nearly 600 examples. In 2019 alone, nearly 100 items were added to it.
In view of the data cited above, concerns about whether we have any unknown "irons left on" in our business are fully justified. We must also remember that even in specialized security teams, vigilance can weaken over time. They gradually become desensitized to obvious gaps, or start accepting known risks that have not led to an incident for many years.
An information security audit, especially when it is performed by external experts with a fresh look at the issues, can be very helpful in eliminating security gaps. Obviously, auditors do not have full information about the organization and must obtain it from the employees of the audited entity. At the same time, however, the auditors start their work armed with knowledge of how information security is ensured in business, practical experience, and familiarity with the most common mistakes and security gaps.
Additional support is provided by the criteria and good practices contained in standards, e.g. ISO 27001, 20000, 22301, 62443, and security frameworks (VDA ISA/TISAX, TPN and others). The effect of a fresh look at existing solutions is also important. It is often easier for an outsider to see obvious mistakes to which the internal team has become insensitive.
The performance of an information security audit allows various goals to be achieved, depending on the current needs of a given organization. An audit conducted by an external partner will also help extend the scope and improve the quality of internal audits.
If the company is preparing to implement a management system based on a specific standard or framework, a security audit performed against the specified criteria helps determine how far the organization deviates from the selected standard. On that basis we can define a detailed plan and cost estimate for the implementation (the above may also apply to specific acts, e.g. PDPA or NIF).
When an organization has already implemented a management system and wants to obtain a certificate, the audit helps determine how well prepared it is for certification. It is recommended to conduct such an audit as a dress rehearsal. If gaps are identified, we can avoid a costly interruption of the certification audit caused by the discovery of major non-conformities.
In an organization that is already certified, the audit can serve as the audit by an independent external entity that some standards require. It can also be used as an input to the management system review.
Setting certification aside, a zero (baseline) audit creates a snapshot of the organization's management and security level at a given time. It exposes gaps in information security and business continuity relative to generally accepted good practices. It lets us determine the real level of risk associated with various assets and strategic objectives. Finally, it lets us adjust risk management plans to actual needs.
Experienced auditors coming to the organization from outside are able to catch hidden or obvious gaps (the "child in the fog" effect) that escape the attention of specialists from within the organization.
During the audit, the auditors act as a neutral, external organization. This makes it easier to talk to employees. Guaranteeing them anonymity, they collect information about security gaps. Often this is the only way for this knowledge to reach the top management of the organization.
By performing an audit, the organization obtains verification whether information security processes and incidents are properly addressed and reported to the highest level.
While preparing for the audit, employees incidentally raise their own competencies, which increases the compliance of the processes with the policies and procedures adopted in the company. Moreover, by talking to employees during the audit, the auditors raise their awareness of possible risks and point out methods of avoiding them.
A documented information security audit, especially in combination with penetration and social engineering tests, can be used to prove to our counterparties how much importance we attach to secure organization and data management. This is important because practically every business interaction involves the exchange of sensitive data.
Organizations are increasingly held responsible for bringing their information security level into line with the good practices and standards accepted in the market. Successive laws, including the recent National Cyber Security System Act and the earlier General Data Protection Regulation, increase the financial and even criminal liability of companies and their managers. For GDPR violations in Europe alone, 130 penalties have already been imposed, the highest of which exceeded EUR 10 million.
Typical risk areas
Threats to information security are usually associated with hacking attacks, viruses and sophisticated malicious software. However, a large and often ignored risk comes from trivial security gaps that have nothing to do with IT and result from lack of awareness, negligence or recklessness. We present selected examples of security threats encountered by SNP auditors.
- Open back doors. Very strong security measures "at the front" of the organization, and at the same time no protection of other access routes (unprotected doors, wickets and barriers, protection on only one side of a facility, armored walls at the front, rusty wire fencing at the back).
- Obvious security gaps. CCTV monitors showing images from sensitive areas visible to visitors; protection provided 24 hours a day, but only 5 days a week; employees disabling or dismantling security equipment, or directly opposing its installation.
- Communication disruptions. Lack of on-/offboarding processes (former employees retaining access to the organization's assets for many years and using the company's resources for their own purposes, e.g. living on the company premises, a Bitcoin mine on company servers), parts of the company operating "on their own", no development of the organizational structure despite the headcount growing from a few to several thousand people, foreign-language employees not provided with materials in their own language.
- Lack of business continuity. CEOs carrying backups in their pockets on USB flash drives, a single piece of malware or a single USB drive encrypting all of a company's resources, relying on "financial cushions" to ensure continued operation, bottlenecks due to a lack of designated substitutes in case of absence, poor delegation of tasks or a lack of clear channels of information flow (especially in a crisis), loss of access to assets when one employee leaves the company, backups damaged because they were never verified by recovery tests, single points of failure (six devices, one charger).
- Useless documentation. Outdated policies; non-compliance with policies (e.g. permissions and accounts never deleted, employees using company accounts 2 years after leaving the company); certifications issued by unknown companies; claiming compliance, and risking the loss of a contract, without actually implemented solutions; assigning random employees to responsible roles and tasks.
- Virtual security zones. A catering provider who enters everywhere, conference rooms separated from public kitchens by only a thin wall, staff cloakrooms in the server room, a production area unprotected against theft by employees, logistics areas opened with a button, passwords to IT resources in the logistics/production/loading areas stuck to monitors, open mail/fax rooms.
- Inadequate environmental controls. Opening windows in the server room instead of proper air conditioning; generators not tested since their installation; communication and server nodes open to guests; the server room used as a warehouse for used IT parts; no alerting systems; water extinguishing systems in facilities with electrical installations; water heating systems in server rooms; sensitive objects placed in particularly vulnerable locations (control rooms next to customer service desks, staff showers located above the server rooms, servers in boiler rooms, kitchens and elevator shafts); oil fires detected with gas sensors; installed systems and equipment that nobody supervises or whose purpose is unknown.
- Lack of resources. Printing payrolls on scrap paper, displaying older but still sensitive materials in unprotected areas, securing sensitive resources only in a minimal way (a single key).
- Dishonest employees. Private clouds, working on private equipment (Windows 95 serviced by a grandson), using company resources for private or competitive activities (problematic materials left in the company environment: third-party data, naked photos).
- Gaps in employee competencies. Lending passwords, saving passwords in unsecured assets, performing risky activities, lack of training, throwing sensitive information into the trash can.
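One of the findings above that an auditor can check mechanically is the offboarding gap: leavers who still hold enabled accounts, and enabled accounts that nobody has used for months. The script below is an added example, not SNP's tooling; the directory export, the leavers list, the usernames and the 180-day dormancy threshold are all constructed assumptions.

```python
"""Offboarding audit check: reconcile an account export against the HR leavers list."""
import csv
import io
from datetime import date

# Constructed directory export (not real data): one row per account.
ACCOUNTS_CSV = """username,enabled,last_logon
j.kowalski,true,2024-05-02
a.nowak,true,2022-03-15
m.wisniewski,false,2021-11-30
svc_backup,true,2019-06-01
k.zielinska,true,2024-05-10
"""

# Constructed HR leavers list (not real data): people who have left the organization.
LEAVERS_CSV = """username,leave_date
a.nowak,2022-04-01
m.wisniewski,2021-12-01
"""

def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit_accounts(accounts_csv, leavers_csv, today, dormant_days=180):
    """Return (username, finding) pairs for two offboarding failures:
    a leaver whose account is still enabled, and an enabled account
    with no logon for more than `dormant_days` (a possible orphan)."""
    leavers = {row["username"]: date.fromisoformat(row["leave_date"])
               for row in parse_csv(leavers_csv)}
    findings = []
    for row in parse_csv(accounts_csv):
        user = row["username"]
        if row["enabled"].strip().lower() != "true":
            continue  # a disabled account is not an exposure
        if user in leavers:
            days_after = (today - leavers[user]).days
            findings.append((user, f"enabled {days_after} days after leaving"))
        last_logon = date.fromisoformat(row["last_logon"])
        if (today - last_logon).days > dormant_days:
            findings.append((user, f"no logon since {last_logon.isoformat()}"))
    return findings

def run_sample():
    """Run the check on the constructed data as of an assumed audit date."""
    return audit_accounts(ACCOUNTS_CSV, LEAVERS_CSV, date(2024, 6, 1))

if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

In a real audit the two inputs would be the identity provider's account export and the HR system's leavers report; the reconciliation logic stays the same.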