How to prepare for the next WannaCry with security audits

By June 30, 2017 Security
WannaCry

The WannaCry ransomware attack took many businesses by surprise when it wrought havoc all over the world back in May. Unfortunately, it wasn’t the first major cybersecurity threat to hit businesses, and it certainly won’t be the last. The constantly evolving cybersecurity landscape requires all businesses to stay up-to-date with the newest threats while ensuring they are adopting the latest technology and best practices for safeguarding their digital resources.

No one is particularly keen on the idea of having an auditor poke around through their entire IT infrastructure looking for potential security holes. But without doing so, your business is bound to suffer tenfold when a cyber attacker finds one of those holes.

Cybersecurity audits help prevent this from happening by isolating and describing any potential vulnerabilities so that you have a chance to address them before it’s too late. This is precisely what organizations such as Telefónica, FedEx and Deutsche Bahn should have done before they fell victim to the WannaCry attack.

Security audits vs. assessments

The first step to safeguarding your business from potential cybersecurity threats is to perform a thorough analysis of the current state of your infrastructure. Security audits and security assessments are terms often used interchangeably, but they’re not necessarily the same thing.

More formal than an assessment, an audit typically refers to a checklist drawn up to validate your written security policies. Audits should be performed by a third-party organization that has the necessary certifications.

Any cybersecurity strategy starts with an initial audit, but there’s much more to locking down your network than simply making sure everything complies with your security policy. This is where ongoing cybersecurity management come in. Unlike a formal audit, cybersecurity assessments involve testing the effectiveness of the controls you have in place. In other words, audits check that you have all the policies in place, but an assessment actually tests whether they work.

Bringing the two together

A regular audit program is essential, but it should never be considered the be-all and end-all of cybersecurity. An audit itself includes a summary of any potential vulnerabilities found and recommendations for addressing them. It should also make note of the methods and tools used to carry out the audit as well as any assumptions and limitations to the upcoming assessment.

By contrast, the assessment should include a vulnerability test and risk assessment followed by any recommended actions you should take to address any concerns unveiled.

How to Get Started

Your security policies form the foundation of your strategy by creating a goal-driven framework for what you want to achieve. You’ll ideally want to have this framework in place before you start looking for an auditing firm.

By clearly defining your goals and objectives, you’ll prevent potential security breaches that might occur beyond the scope of the audit. If you have made any major changes to your IT infrastructure recently or haven’t had an audit in quite some time, then you’ll likely want a wider-reaching assessment of all your firewalls, routers, data-bearing devices, operating systems and applications.

Above all, you should never rely on having your own staff carry out an audit. Often, they will not have the time nor the skills to conduct an exhaustive survey of your system. External auditors are accredited professionals whose job is to find the sort of problems that internal teams are likely to miss. Professional auditors will also put together a statement of work detailing how they will carry out your audit and meet your objectives.

Here at Truewater, we use a tried and tested security assessment methodology for identifying risks, testing systems, analyzing data, and providing detailed reports. To get started with your security assessment, give us a call today.

Truewater

Truewater

Truewater was established in 2001 with the vision of bringing enterprise class IT support to small and medium sized businesses.