How to perform a cyber security audit at your business

David West 02-Dec-2021 11:00:00
Using modern technologies at work. Close-up of young businessman typing something while sitting at the desk in creative office

Whatever your background is in business or computing, most people can name some of the potential IT security risks that you face in your work.

Having spent the last 7 years working at Netitude I’ve seen first-hand the types of security threats that small and medium sized businesses face, as well as the consequences when a weakness is exploited. My current role focuses on auditing IT infrastructure with the aim of risk and threat reduction using our experience and knowledge to target the most common – and the more unexpected avenues of attack.

But as important as experience is, Cyber criminals are always trying to stay one step ahead and so it’s important to really take stock of where your vulnerabilities are and what you’re going to do in the event of a breach.

A recent study by cybersecurity company Carbon Black showed that 88% of UK companies have suffered a breach of some sort in the last 12 months and with one small business in the UK being hacked every 19 seconds there is no time like the present to strengthen your business immune system.

So where can we start? Let’s look at some of the first things you can do to tighten up your defences.

Perimeter firewall – Are they configured correctly?

Your firewall is the doorman of your network. If you’re visiting a website or downloading a file, you need to know that your firewall has already given it the all clear. But misconfigured firewalls are more common than you think and having performed countless audits for businesses looking to get a fresh set of eyes on their IT, I can’t tell you how often we see companies that have locked their front door but left their windows open, figuratively speaking.

Firewalls manage incoming and outgoing traffic. They offer gateway antivirus to scan packets, they block sites known to be on blacklists or hosting malicious content and they also act as the tool to allow your staff to access company files from home. You should be aware of who you’re letting in and what is being checked and ensure that any additional subscription services are active. With ransomware being one of the biggest threats to businesses, you also need to ensure that as well as stopping bad files coming in, that you’re not letting your good data out. Blocking outgoing ports can be as important as blocking incoming ports and taking this step can put you in a better position than the majority of other companies.

Email – How do you manage phishing attempts?

The marketing and research group Radicati estimate that the average worker will receive up to 80 emails a day by the end of 2021 and a survey by anti-virus giants Sophos shows that more than 1 in every 4000 emails in the UK is a phishing attempt. These two figures show that email is an enormous gateway for malicious actors and falling for a phishing email may be giving an unknown entity the credentials they need to access your most sensitive and business critical systems.

Whichever service you use for your email, it likely already filters some potentially malicious content but how much control does it give you? Reviewing what your email provider is doing to protect you will often reveal that you are in dire need of more than just blocking some newsletters and sales offers.

A third-party spam filter will give you or your IT provider the ability to tailor your filtering and ensure you are protected against viruses, links to insecure websites and attempts to impersonate your staff or your domain.

Another consideration for preventing incoming email threats is simply to make sure that scammers and attackers don’t know how to reach you. It doesn’t take long to find a website of a company that is showing you their team members, their job roles and… yes you guessed it, their email address.

Advertising your staff contact details in a public space tells potential attackers who the high value targets are. This makes social engineering attacks far more likely and gives attackers a head start. Googling your director or accountants email address might reveal some surprises but more importantly can give you a good opportunity to tidy up what information is publicly available.

Updates – What’s your patch update status?

Have you been asked by your IT company to make sure your PC is left on? If so, it’s probably because it’s patch day. Making sure your company devices are running (or even able to run) the newest versions and your network devices are on the latest firmware is an absolutely critical step in the fight against exposure. These security updates fix holes identified by the manufacturer as a critical risk. Every day that risk exists on your network is another 24 hours that someone is finding a way to exploit it. The recent “Print Nightmare” exploit saw Microsoft advise all users of Windows computers to disable the ability to print altogether until a patch was released – This vulnerability would allow malicious actors to run scripts without you knowing with effects from stealing data to remote control.

A review of your patch status should be an ongoing practice for any business and understanding what equipment is vulnerable needs to be at the forefront of your strategy.

BYOD – Does it causes more harm than good?

Bring your own device – Very few companies have a policy regarding staff bringing their own devices to work and many more allow staff to access their work email and data on personal mobile phones and laptops.

A personal device on a network is sure to raise some eyebrows here at Netitude and it’s an often-overlooked risk. Knowing where your data is held as well as where it’s going will make protecting it much easier, but a stolen personal device with company files on it is a security threat often ignored.

Not only is theft and loss a real risk to data, but you also have no control over the patching and security of personal devices, and we have seen personal devices be responsible for ransomware infections that cost days in recovery and years of damage in loss of data.

Outlining a policy on these devices and providing company mobiles for email use can reduce a very unexpected but very real threat to your cyber security.

Not sure where to start with a BYOD policy? Take a look at our guide “Is BYOD putting your business at risk?” for advice on how to put together a policy.

Is BYOD putting your business at risk? Check out our policy guide

Endpoint security – What else can you do?

So, by now, your workstations should be fully up to date and no longer susceptible to the latest known vulnerabilities, right? Although an incredibly important step, Endpoint security doesn’t stop at patching and updates.

Your network firewall is doing everything it can to prevent malicious content coming into your network and staff are no longer allowed to bring in their personal computers – But what about data that isn’t trying to get in through your firewall, but through your front door?

Managed anti-virus, local workstation policies and software firewalls are your next line of defence. External drives or other USB devices might be lurking on your network containing already infected data and you need to be sure that it isn’t going to make it onto your computers.

Our audits reveal some interesting lapses in company security so here are some tips for spreading that protective blanket to every corner:

  1. Managed Anti-Virus
    Ensure that not only do all your workstations have a third-party antivirus solution in place, but that you have the means to know that it’s running, up to date and running weekly scans. You should also make sure on-demand scanning and external device scanning is configured to prevent any nasty surprises.
  2. Software firewall
    Much like your network firewall, your operating systems software firewall is also responsible for managing incoming and outgoing connections to your computers. From applications to network devices – access is dependent on the rules you’ve set up so ensuring the firewall is enabled and configured correctly is a key step. Finding a way to keep on top of this for a large number of endpoints is going to cut down on risk, time and worry.
  3. Preventative policy
    Both servers and cloud directory services such as Microsoft Azure allow you to manage local device settings for an entire organisation. Prevent certain file types from running, or blocking applications being run from common locations can stop ransomware and cryptolockeer viruses in their tracks.

Backup – Is your data backup working?

When did you last check that your backups work? Do you know how often they run? Do you know how long it takes to restore your most valuable data?

Media Research group TDG found that 60% of companies that lose their data go out of business within 6 months. This makes old data as valuable as current data and understanding how it is managed and monitored may be a critical lifeline in the event of a serious security breach.

Ensuring you have encrypted local copies and offsite replication is going to cover the bases in the event your file server succumbs to ransomware and may save more than just lost time in the long run.

Wetware - Consider your staff

So, you have a well configured firewall, 100% patch status and a remote management tool to report in real time the status of your security pain points. So, what’s next? Your staff.

If phishing emails or malicious URLs do make it through all your defence areas, the final protection comes from staff awareness and training. When was the last time you held a cyber security training session to teach users how to spot dodgy links or make them aware of where they should and shouldn’t get downloading information?

Cyber Security organisation KnowB4 say that 91% of successful data breaches are from phishing attacks and offer free training services. Here are some quick and easy ways to spot a fake email:

  • Grammar and spelling – Is the email address riddled with mistakes? This might not be a case of bad autocorrect, but more likely a badly written template used by cyber criminals. With many of the common sources of attacks being non-English speaking countries it can be as simple as some uncrossed T’s and undotted I’s that alert you to foul play.
  • Look at the email address - As we now know scammers may already know the name of the person who manages your payroll, when the link to your payslip comes in next just take a look at the email address for example:

    “Bill Payer”

“Bill Payer”

  • Hyperlinks - Are you being asked to follow a link in the email? Before you click it, try hovering your mouse over it to reveal the true destination. If it says “Click here for Microsoft” and the target of the link is not you may want to raise it with your IT team.

For more tips on how to recognise phishing attempts, check out our blog “How to spot a Phishing email”.

Set standards

Now with well trained staff and great equipment setting standards for how you use your equipment, how you check your policies and how you implement changes will be the glue that holds this all together.

A well-documented and well communicated set of standards will ensure your goals are not only achievable but aligned across the business. These standards should cover all the areas of risks mentioned and also into the future to plan for what you might be able to do to react appropriately to breaches as well as what to continue to do to prevent them in the first place.

So, you can see a consistent, managed, and multi-pronged attack is the best line of defence against a growing industry of fraud, theft and infiltration. Regular checks and a record of failures and successes will ensure an evolution in your security and best practice and allow a much smoother adoption of newer security standards as the landscape continues to change.

Our team of alignment managers know where to look and are constantly improving our best practice for security and threat aversion so if you aren’t sure, you have your bases covered, why not speak to an expert to help you implement your new security standards?

Need some advice, or want to talk about your options? Book a call with Adam