As a small or mid-sized business owner, there is a seemingly endless list of things to keep track of. From hiring and HR to social media and PR outreach, your to-do list is never-ending. But one priority that any SME owner ignores at their own peril is security.
The area of data security is an ever-evolving, dynamic challenge. Just when you think you’ve got your data landscape on lockdown, a new threat can develop that affects your company directly. That’s why, in addition to keeping up with the latest risks and technological developments, it can be helpful to do a yearly cybersecurity “audit”, where you take stock of your entire security apparatus and try to find weak spots you may have previously missed.
This is a step that may be time and resource intensive, but it is worth the investment. As the CEO of The Institute of Internal Auditors wrote, setting up a cybersecurity action plan is not enough: “Organizations must constantly monitor cybersecurity practices, policies, and plans. This is where internal audit plays a crucial role. Once cybersecurity plans are created, organizations should enlist internal audit to do what it does best – test for effectiveness and efficiency of controls and protocols, and provide the board and management with assurance about those protections.”
Here are some steps for preparing for and carrying out your own cybersecurity audit:
Start with a baseline: If you have only just started paying attention to your organisation’s cybersecurity, then you’re probably not quite ready for an audit. Having well-established practices, protocols, and norms that everyone in your organisation follows is necessary before you undergo one. Make sure that these protocols have been in place long enough to become routine for your employees, so that when an audit does take place, it is your employees’ actual habits that get analysed for weaknesses. In other words, you want your cybersecurity practices to be entirely routine before you audit them.
Hire externally: While it might seem like a prudent measure to have someone from your organisation carry out your internal audit, it really isn’t. Even if it’s a cost-saving measure, it’s likely you’ll miss a key vulnerability that could cost you much more later on. Hiring an outside auditor is a much more sensible choice. As TechTarget wrote: “Keeping up with patches, making sure OSes and applications are securely configured, and monitoring your defense systems is already more than a full-time job. And no matter how diligent you are, outsiders may well spot problems you’ve missed.”
Set clear ground rules: Once you settle on an auditor, make sure the ground rules and expectations are abundantly clear from the start. Your auditors will likely ask you for wide access and a great deal of information, all of which can and does take time to prepare. Don’t assume that once you’ve hired someone, your work is done; be prepared to work collaboratively and diligently with your auditor so they can get the widest picture and the most honest results from their audit.
Get your staff on board: There is no point in going to the great effort of doing a cybersecurity audit if you don’t get your staff aligned with your commitment to security. It’s important to remember that some of the biggest vulnerabilities come from inside your team. This was demonstrated in the recent WannaCry ransomware attack, which provided us with “a shocking wakeup call that even the most basic phishing attacks still can have devastating impacts. The ransomware virus, which claimed more than 200,000 victims in 150 countries, could have been successfully rebuffed with basic cybersecurity measures.” It’s a great reminder that a big part of caring about cybersecurity is getting your staff to care about it too.