In a separate post, we provided a basic overview of cybersecurity audits, from gathering information to following up on your discoveries. Perhaps you’ve looked at that post and found it to be quite straightforward—a lot of work, perhaps, but not difficult work.
And yet, over the past three decades, we at TMG have watched companies make the same mistakes over and over. Here are a few of the most common pitfalls experienced by companies that perform their own cybersecurity audits.
Poor Planning: Failing to carefully plan the audit can lead to incomplete or inaccurate results. It is important to establish clear objectives, define the scope of the audit, and identify the systems, applications, and processes that will be audited.
Lack of Technical Expertise: You’ve probably heard that acronym GIGO, which stands for “garbage in, garbage out.” For a truly comprehensive audit, the people conducting it need to truly understand what they are looking at—that means vulnerability assessments, penetration testing results, and on and on. It’s not uncommon for executives who aren’t themselves fluent with IT to rely on employees who, while perfectly well-intentioned, do not have the background they wish (or claim) they have.
Overdependence on Tools: With the spread of cybersecurity audits has come a matching spread in “vulnerability scanners” and other automated tools that claim to be able to do all the work for you with a few keystrokes. And there is no doubt that tools are an essential part of a thorough audit. Indeed, many aspects of systems analysis are best left to machines anyway. But automated tools are not the be-all end all; they need to be used wisely and in conjunction with the sort of high-level analysis that only humans can provide (at the moment, at least!).
Weak Risk Analysis: Failing to properly assess and prioritize risks can lead to a failure to address the most critical vulnerabilities. If you do an inadequate job of assessing your risk landscape, it’s only to be expected that you’ll do a poor job mitigating those risks.
Leaving People Out: Another common mistake is to only engage certain staff or certain business units while leaving out others. All stakeholders need to be brought in on this exercise, including but not limited to all IT staff and security personnel.
We know what you’re thinking: Well okay, but not Abby at the front desk, surely? But you know who is most likely to watch as a disgruntled employee walks out of your office with a strange laptop under his arm? That’s right, Abby at the front desk. Abby has her own role to play in the cybersecurity health of your firm, and she should be treated accordingly.
Staff Overwhelm: Life at your firm doesn’t stop just because you are doing an audit. That means all of your IT staff’s regular tasks need to continue and they need to cooperate fully with the audit. This can be rough on morale and lead to the taking of shortcuts that open you up to additional risk.
Lack of Follow-Up: Depending on the size of your company, a thorough cybersecurity audit can be a whole lot of work. It’s understandably tempting to wrap things up, sigh with relief, and toss your reports in some drawer where they never get looked at again. Do not make this mistake. Remember, cybersecurity is never, ever one-and-done.
How do you mitigate all these risks? The first step is to realize once and for all that you cannot do everything alone. You are going to need help. Help from your organization to support the effort. Help from your team to balance the load. And help from experts that are there to answer your call.
Remember – no war was ever won by one person alone. It “does take a village” to get it done and get it done right!