Driven by the expansion of technology, the surge in data growth and the rise of state-sponsored attacks, the threat from cyberattacks is continuously evolving. Industry experts suggest that cybercrime could cost businesses more than $2 trillion by 2019. To keep their business safe, many companies have taken significant steps in the past year by integrating cybersecurity risk into their internal audit plans, according to a new survey from the global consulting firm Protiviti. Nearly three out of four companies (73 percent) include an evaluation of cybersecurity risk in their annual internal audit plan. This undoubtedly shows how concerned organizations are about their network security.
Internal audit plays a vital role in helping organizations win the battle against this faceless enemy, by providing an independent assessment of existing and needed controls and by helping the audit committee and board understand and address security risks. As every organization is unique, the internal cybersecurity audit report is built around three important factors: vulnerability assessment, penetration testing, and a holistic audit approach.
Vulnerability assessment plays a crucial role in network security and in the risk management process. It is the process of defining, identifying and classifying the security loopholes found in an organization's network. According to a Gartner report, organizations that include a vulnerability assessment in their security audit experience far fewer attacks. A network vulnerability assessment allows organizations to identify potential threats and protect themselves from cyberattacks.
Besides, vulnerability analysis forecasts the effectiveness of proposed countermeasures and assesses their actual effectiveness once they are implemented in the network infrastructure. Vulnerability analysis consists of several steps: defining and classifying the network resources, assigning a relative level of significance to every resource, identifying potential threats, developing a strategy to deal with these threats, and implementing suitable countermeasures to mitigate the identified threats.
If any loopholes are identified during the vulnerability assessment, a vulnerability disclosure is released. However, if the identified vulnerability is not classified as a high-level threat, the company gets a fixed period to neutralize the problem before the issue is disclosed publicly or exploited by bad actors. Sometimes the third step of vulnerability analysis, identifying potential threats, is performed by ethical hackers: security experts deliberately probe the organization's network to discover its weaknesses. This process sets a guideline for developing suitable countermeasures to prevent a genuine attack.
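The vulnerability analysis steps described above, worked through as an added example that is not part of the original article: a small Python risk-register tool that takes a constructed asset inventory (classified resources, each with a significance level), records identified threats as findings, ranks each finding by risk and attaches a remediation window per risk tier, which is the "fixed time to neutralize" idea applied in practice. The asset names, the 1 to 5 scales, the scoring weights and the remediation windows are all assumptions chosen for illustration, not values the article prescribes.

```python
"""Risk-register prioritiser for an internal vulnerability assessment.

Added example, not code from the original article. It follows the steps the
article lists: classify network resources, assign each a relative significance,
record identified threats (findings), and rank them so countermeasures can be
planned highest-risk first. All inventory, findings and thresholds below are
constructed sample data and assumed values.
"""
from dataclasses import dataclass


# Step 1 and 2: define/classify resources and assign a significance level.
@dataclass(frozen=True)
class Asset:
    name: str
    asset_class: str      # assumed categories, e.g. "public-web", "internal-db"
    significance: int     # 1 (low) .. 5 (business-critical), assumed scale


# Step 3: identified threats, recorded as findings against an asset.
@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    severity: int                     # 1 (informational) .. 5 (critical), assumed scale
    exposed_externally: bool = False  # reachable from the internet?


# Assumed remediation windows (days) per risk tier; a real programme sets its own.
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def risk_score(asset: Asset, finding: Finding) -> int:
    """Risk = significance x severity, plus a fixed bump for external exposure."""
    score = asset.significance * finding.severity
    if finding.exposed_externally:
        score += 5
    return score


def risk_tier(score: int) -> str:
    """Map a numeric score onto a tier; thresholds are assumed values."""
    if score >= 20:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def prioritise(assets, findings):
    """Step 4: build the remediation plan, highest risk first.

    A finding that references an asset missing from the inventory is an
    inventory gap (step 1 was incomplete), so it is reported as an error
    rather than silently dropped.
    """
    by_name = {a.name: a for a in assets}
    plan = []
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            raise KeyError(f"finding references unknown asset {f.asset!r}")
        score = risk_score(asset, f)
        tier = risk_tier(score)
        plan.append({
            "asset": asset.name,
            "finding": f.title,
            "score": score,
            "tier": tier,
            "fix_within_days": REMEDIATION_DAYS[tier],
        })
    plan.sort(key=lambda row: (-row["score"], row["asset"], row["finding"]))
    return plan


# Constructed sample inventory and findings (hypothetical systems).
SAMPLE_ASSETS = [
    Asset("web-01", "public-web", 4),
    Asset("db-01", "internal-db", 5),
    Asset("ws-17", "workstation", 2),
]
SAMPLE_FINDINGS = [
    Finding("web-01", "TLS 1.0 still enabled", 3, exposed_externally=True),
    Finding("db-01", "Default administrator password unchanged", 5),
    Finding("ws-17", "Missing operating system patches", 3),
    Finding("web-01", "Verbose server version banner", 1, exposed_externally=True),
]


if __name__ == "__main__":
    for row in prioritise(SAMPLE_ASSETS, SAMPLE_FINDINGS):
        print(f"{row['tier']:8} score={row['score']:2} "
              f"fix within {row['fix_within_days']:3}d  "
              f"{row['asset']}: {row['finding']}")
```

Running the script prints the plan with the database credential issue first (significance 5 times severity 5), then the externally exposed TLS finding, and the two lower-risk items last. The design choice worth noting is the `KeyError` on an unknown asset: a finding against a system that is not in the inventory means the classification step was incomplete, and an audit should surface that rather than quietly rank what it happens to know about.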
Penetration testing is the process of identifying security vulnerabilities by evaluating a system or network with the same kinds of techniques an attacker would use. The main objective of a pen test is to determine how an attacker could gain access to assets and thereby compromise the security of a system, its files, logs, and data. The test is also used to check whether the applicable controls required by PCI DSS (Payment Card Industry Data Security Standard), such as scope, methodology, and segmentation, are in place.
It is vital for any organization to identify the security flaws present in its network infrastructure. Using this information, organizations can take suitable countermeasures to address these flaws and close the doors through which hackers could get into the system. User privacy and data security are among the biggest concerns today. It is a nightmare for a company to learn that its data has been compromised, and it may also face legal consequences for a loophole left in its software. Hence, through an internal cybersecurity audit, every company analyzes its own systems to identify and neutralize these flaws.
The scope of penetration testing includes the people, processes and technology that store, process and transmit sensitive data. To cover this scope, three different types of penetration test are conducted: social engineering, application security testing, and physical penetration testing. In a social engineering test, the auditors check whether employees are aware of the company's security and standard policies; examples of such policies include not disclosing sensitive information over email or phone and not leaving such details on social media. In application security testing, auditors use various software tools to verify whether the system is exposed to security vulnerabilities. In a physical penetration test, the auditors check that strong physical security measures are in place to protect sensitive data.
A holistic audit is a 360-degree approach to cybersecurity that covers the safety of the network infrastructure in all its aspects: human, environmental, logical and physical. While most internal cyber audits focus mainly on technical aspects such as vulnerability assessment, penetration testing or checklists, human error and physical factors are just as important. By treating the company as an association of people and processes within a physical domain, it is possible to gain a far more accurate perspective when assessing the company's defensive capability and resilience. With that information in hand, a company is better positioned to create viable solutions.
Only by identifying and considering the impact of vulnerabilities in all these areas can the audit report be called complete. Companies that have at least one of these factors in place are "significantly more likely" to have strong defenses against potential cyber threats. According to Protiviti, 91% of companies with a high level of board engagement in cyber risk have a cybersecurity risk strategy in place, compared with 77% of other organizations. Similarly, 83% of companies that include cybersecurity risk in their annual audit plan have a specific cyber policy, compared with 53% of companies that do not include an internal cybersecurity audit in their annual audit plans.