Nettitude Blog

How to effectively conduct a cyber security audit

Posted by Nettitude on Sep 19, 2018 3:13:47 PM

A cyber security audit conducted by Nettitude will provide your organisation with a high-level appraisal of your cyber security posture. You will receive a personalised report containing actionable advice and a clear set of guidelines to remediate any security threat or weaknesses identified. The audit will focus on your people, process, technology and policy.  

Cyber Security Audit - how to carry out

 

Why is cyber security so crucial to your business?

Cyber security has become a dominant threat facing today’s organisations, requiring an investment of both time and money to protect against increasingly sophisticated and widely available attack vectors.

The reality is any business operating from any location in the world, within any business sector is a target for a cyber attack.0

Some cyber stats

Did you know?

  • A staggering 80% ofbusinesses think they’ll experience a cyber-attack sometime this year (Capterra)
  • Sadly, 60% of small companies go out of business within six months of a cyber-attack (Inc)
  • Acts of malicious intent cause 48% of data security breaches. Human error or system failure account for the rest (Information Age)

Commenting on Cisco’s 2018 Cyber Security Report, John Stewart talks about the need to adopt a security strategy that embraces people, process, technology and policy, just like Nettitude does.   

“No single strategy, technological solution or approach will solve all of the challenges that our adversaries throw at us. It takes a comprehensive and unified approach across people, process, technology and policy.”

Security audits should be part of a wider assurance program. Nettitude’s cyber experts and award-winning security consultants recommend adopting a continuous cyber assurance improvement program, including regular reviews of the organisation’s cyber security controls.

Combined with routine penetration testing, vulnerability scanning, a comprehensive incident response plan, threat monitoring and security awareness training – ensuring you always stay one step ahead of the criminals looking to compromise your company. 

Don’t ignore your inside threats! Employee security awareness is essential!

60% of all cyber attacks reported in 2016 came from insiders (IBM)

Through regular security awareness training and education, your employees become more aware and security savvy and less vulnerable to risks such as phishing campaigns. Nettitude has experienced security trainers and tailored programmes, to help you overcome what can be an organisation’s biggest weakness.

Top 3 cyber security myths resolved by a security audit

- Assuming systems are secure without evidence (myth)
- Regular in-depth audits can accurately determine security posture (True)

- Cyber security is the sole responsibility of the IT department (myth)
- Security is the responsibility of all employees (True)

- The IT team performs a cyber security audit (myth)
- In fact, this is a special audit that requires an independent cyber consultancy such as Nettitude to work with your internal teams (True)

What will a cyber security audit include?

  • The audit will assess the cyber maturity of your organisation’s four key areas: people, process, technology and policy
  • A security assessment will involve a minimum of one-day on-site at your organisation. However, because this is a tailored service, the scope of works will be bespoke to your needs

    Request a free consultation to find out what will be suitable for your company’s audit
  • The audit will usually be requested by a senior member of the IT team. However, key personnel such as HR, Legal and Operations, need to be aware of the audit and may be asked to provide information and access to systems ahead of the assessment
  • Here are the four critical stages involved in a cyber security Each stage should be agreed upon by both parties (client and cyber security auditing company)
  1. Planning and preparation
  2. Audit objectives
  3. Perform the audit
  4. Audit report document
  • During the engagement, a security consultant will carry-out a high-level cyber review of your organisation and its IT environment
  • The audit aims to determine the threats, vulnerabilities and risks within the business and externally. It will also assess the impact and probability of such risks manifesting across the organisation’s key areas of control

The scope of works in a security audit

The 11 key areas covered in a cyber security audit performed by Nettitude:

  1. Business continuity planning
  2. Critical cyber assets
  3. Cyber risk governance
  4. Cyber security controls both technical & physical
  5. Employee training & awareness
  6. Incident management
  7. Information Security Management System (ISMS)
  8. Legal, regulatory & contractual constraints
  9. Policies
  10. Risk register
  11. Roles & responsibilities

Reporting

Reporting our findings is the final stage of the audit process, and this is where working with an experienced cyber specialist such as Nettitude is key. 

Nettitude prides itself on the most comprehensive and useful reports in the industry. Every care and attention to detail is taken to ensure that with each engagement the report is both thorough, yet actionable.

Types of audit reporting

Nettitude produces a high-level management report and an in-depth technical review document for each engagement. These documents will highlight security vulnerabilities and identify areas for exploitation. The reports also provide guidance on remediation, with a focus on preventative countermeasures.

To gain access to anonymous management and technical reports related to your industry vertical, please email solutions@nettitude.com.

Audit debrief

Security audits can be complicated, however, at Nettitude we do not think that the reports, presentations, and debriefs also need to be.

Nettitude ensures that all audits have a full debrief at the end of the engagement. Followed by a presentation of critical and high-level vulnerabilities along with guidance on remediation and countermeasures.

Post audit guidance

Clients that engage with Nettitude for cyber security audits receive three months of complimentary access to its Security Support Centre (SOC).

The SOC team can provide a level of assurance through the remediation phase of the audit, ensuring that you can get all your vulnerabilities fixed in a time sensitive manner.

When should a cyber security audit take place?

As well as a routine annual activity, a security audit can be initiated after a significant organisational event such as a:

  • Breach or incident
  • Merger or acquisition
  • Industry/competitor breach
  • Implementation of a new system/operation
  • Business growth
  • Changes to industry regulation

Are there any legal requirements or regulations that need to be adhered to for audits?

A security audit is a valuable baseline exercise for organisations assessing their compliance towards legal and regulatory compliance as well as security frameworks:

  • EU General Data Protection Regulation (GDPR)
  • NIST Cybersecurity Framework
  • ISO 27001
  • Cyber Essentials
  • National Cyber Security Centre (NCSC) - 10 Steps to Cyber Security

It is also a good measure of assurance around internally deployed security controls.

By conducting security audits your organisation is taking its responsibility to be cyber secure seriously, providing enhanced confidence with your key stakeholders (the board, employees, clients, investors) and new prospective customers.       

Find a cyber security audit partner you can trust

15 years of experience - Through its 15 years of experience delivering security audits across the world, for the best-known brands and organisations, Nettitude has built up a reputation of trust and the highest standards.       

Global presence - Nettitude delivers high quality, intelligence-led security assurance and risk management services across the world with head offices in the UK and North America.

Clients across every sector - Its clients include retail, financial service, telecommunication, media, insurance, logistics, e-commerce, manufacturing, and government organisations.

Research & innovation focused - A cyber consultancy with a strong focus on innovation and thought leadership, and a dedicated research function, Nettitude also create custom tools and platforms to help organisations manage their cyber risks. 

Full circle cyber services - Nettitude has full circle services based around a define – defend – detect –  respond – assure lifecycle. Nettitude has one of the strongest international red team capabilities in the industry, working closely alongside its security operations centres to deliver a managed security service to clients.

Accreditations & pedigree- Nettitude is ISO9001, ISO27001, ISO14001 and Investors in People certified. Nettitude is accredited under the Penetration Testing, Cyber Security Incident Response, Simulated Targeted Attack & Response, CBEST and Cyber Essentials programs.

Award-winning consultants recognised within their field. The consultancy most recently received awards at the 2018 annual Info Security PG's Global Excellence Awards for ‘Best Security Company’ and ‘Best Managed Service’.

Acquired by Lloyd’s Register in 2018, Nettitude is proud to now be part of the Lloyd’s Register Group of companies.

About Nettitude

Nettitude is the trusted cyber security provider to thousands of businesses around the world. We stop at nothing to keep your data and business secure in an age of ever-evolving cyber threats.

Our experts use an award winning Threat Intelligence led approach that incorporates real-time data, ensuring that your company is protected at every stage of its journey.

Receive an update when we post!

Recent Posts