IT security operates in a fast-moving and complex environment with new technology created daily. This means companies — regardless of size or industry — are increasingly susceptible to cyberattacks, requiring a flexible and proactive approach to cybersecurity.
This necessitates that companies continually assess and update their cybersecurity measures. The Internet of Things, for example, is defined as the interconnection via the Internet of everyday objects that can send and receive data. Although it makes the world easier to live in and control, it also provides new channels for criminals to access and steal important information.
Companies can employ an IT audit to help them respond to these threats and enact security measures and controls that safeguard every channel. This includes a two-step process: assessing areas of risk and identifying measures that can protect sensitive information.
There are myriad ways to protect against threats — it comes down to determining the resources a company is able to allot to its cybersecurity efforts. Regardless, an IT audit should be a key component of any company’s cybersecurity. It includes the following steps:
• Risk assessment. Develops a heat map of risks based on where sensitive information is stored, processed, and transmitted.
• IT assessment. Reviews areas of risk identified in the risk assessment and provides guidance on how to more securely store, process, and transmit sensitive information.
Companies can run into trouble when they fail to identify all areas of risk in their IT environment. These risk areas are different for every business and depend on the information that flows through the organization, but they always fall into two categories: external and internal.
While many companies know how to protect themselves from obvious external threats, they can unknowingly leave back doors open to criminals.
For example, a travel agency provides information to a client through its Web application — including a travel itinerary and flight details. This information is stored on a server, which the company believes is secured by a firewall. However, the company might have an unsecured wireless access point connected to the same Ethernet segment the server is on. A criminal only needs to connect through that unsecured wireless access point to enter the company’s network behind the firewall and access the database to download client data.
Threats to cybersecurity can also be internal — from employees or third-party vendors. This is why companies should only provide information and systems access on a need-to-know basis.
Employees: Access to information shouldn’t be given to employees who don’t need access to complete their job duties. This requires an assessment of each job function to determine which functions require different types of access. Once a company has that information, it can segment its database to allow for different access levels according to job function.
Third-party vendors: Controlling access for third-party vendors is often simpler. Most of the time, they don’t need to access a company’s internal network. They shouldn’t be allowed to use a company’s wireless internet either; instead, a company should install and configure a completely separate wireless router and network for third-party use. It’ll cost more, but ultimately make the IT environment more secure.
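One way to put the need-to-know principle into practice at the database layer, as an added example that is not from the article or its author: PostgreSQL roles per job function plus row-level security for the travel agency described earlier. The table, column, role and login names are assumptions made for illustration.

```sql
-- Added example (not from the article): least-privilege roles in PostgreSQL for a
-- travel agency's client database, modelled on the job functions the text describes.
-- Table, column, role and login names are assumptions for illustration.

CREATE TABLE clients (
    client_id   integer PRIMARY KEY,
    full_name   text NOT NULL,
    agent_login text NOT NULL         -- database login of the agent handling this client
);

CREATE TABLE itineraries (
    itinerary_id   integer PRIMARY KEY,
    client_id      integer NOT NULL REFERENCES clients(client_id),
    flight_details text NOT NULL
);

CREATE TABLE payment_cards (
    client_id  integer PRIMARY KEY REFERENCES clients(client_id),
    card_token text NOT NULL          -- tokenised reference, never the raw card number
);

-- One NOLOGIN role per job function; nobody works as the table owner.
CREATE ROLE travel_agent  NOLOGIN;
CREATE ROLE billing_clerk NOLOGIN;

-- Agents read and maintain itineraries but never see payment data.
GRANT SELECT, INSERT, UPDATE ON clients, itineraries TO travel_agent;

-- Billing reads client names and card tokens but cannot see travel plans.
GRANT SELECT ON clients, payment_cards TO billing_clerk;

-- Row-level security narrows each agent further to the clients assigned to them.
ALTER TABLE clients     ENABLE ROW LEVEL SECURITY;
ALTER TABLE itineraries ENABLE ROW LEVEL SECURITY;

CREATE POLICY agent_own_clients ON clients
    FOR ALL TO travel_agent
    USING (agent_login = current_user)
    WITH CHECK (agent_login = current_user);

CREATE POLICY agent_own_itineraries ON itineraries
    FOR ALL TO travel_agent
    USING (client_id IN (SELECT client_id FROM clients WHERE agent_login = current_user))
    WITH CHECK (client_id IN (SELECT client_id FROM clients WHERE agent_login = current_user));

-- Each person's login inherits exactly one job-function role. A third-party vendor
-- gets no database login at all, matching the "no internal access" stance above.
CREATE ROLE alice LOGIN IN ROLE travel_agent;
CREATE ROLE bob   LOGIN IN ROLE billing_clerk;
```

With these grants in place, a query such as `SELECT * FROM payment_cards` run as alice fails with a permission error, and a `SELECT * FROM itineraries` run as alice returns only rows for clients whose agent_login is alice.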
Once a company has determined its risk areas, an IT assessment identifies ways to strengthen its defenses. Common areas for review include:
Francis Tam has practiced public accounting and consulting since 1994. Tam can be reached at 310-295-3852 or firstname.lastname@example.org.