Skip content

How to effectively conduct a cyber security audit

A cybersecurity audit conducted by Nettitude will provide your organisation with a high-level appraisal of your cybersecurity posture. You will receive a personalised report containing actionable advice and a clear set of guidelines to remediate any security threat or weaknesses identified. The audit will focus on your people, process, technology and policy.  

Why is cybersecurity so crucial to your business?

Cyber security has become a dominant threat facing today’s organisations, requiring an investment of both time and money to protect against increasingly sophisticated and widely available attack vectors.

The reality is any business operating from any location in the world, within any business sector, is a target for a cyber attack.0

Some cyber stats

Did you know?

  • A staggering 80% of businesses think they’ll experience a cyber-attack sometime this year (Capterra)
  • Sadly, 60% of small companies go out of business within six months of a cyber-attack (Inc)
  • Acts of malicious intent cause 48% of data security breaches. Human error or system failure accounts for the rest (Information Age)

Commenting on Cisco’s 2018 Cyber Security Report, John Stewart talks about the need to adopt a security strategy that embraces people, process, technology and policy, just like Nettitude does.   

“No single strategy, technological solution or approach will solve all of the challenges that our adversaries throw at us. It takes a comprehensive and unified approach across people, process, technology and policy.”

Security audits should be part of a wider assurance program. Nettitude’s cyber experts and award-winning security consultants recommend adopting a continuous cyber assurance improvement program, including regular reviews of the organisation’s cybersecurity controls.

Combined with routine penetration testing, vulnerability scanning, a comprehensive incident response plan, threat monitoring and security awareness training – ensure you always stay one step ahead of the criminals looking to compromise your company. 

Don’t ignore your inside threats! Employee security awareness is essential!

60% of all cyber attacks reported in 2016 came from insiders (IBM)

Through regular security awareness training and education, your employees become more aware and security savvy and less vulnerable to risks such as phishing campaigns. Nettitude has experienced security trainers and tailored programmes, to help you overcome what can be an organisation’s biggest weakness.

Top 3 cybersecurity myths resolved by a security audit

- Assuming systems are secure without evidence (myth)
- Regular in-depth audits can accurately determine security posture (True)

- Cyber security is the sole responsibility of the IT department (myth)
- Security is the responsibility of all employees (True)

- The IT team performs a cyber security audit (myth)
- In fact, this is a special audit that requires an independent cyber consultancy such as Nettitude to work with your internal teams (True)

What will a cyber security audit include?

  • The audit will assess the cyber maturity of your organisation’s four key areas: people, process, technology and policy
  • A security assessment will involve a minimum of one-day on-site at your organisation. However, because this is a tailored service, the scope of work will be bespoke to your needs

    Request a free consultation to find out what will be suitable for your company’s audit
  • The audit will usually be requested by a senior member of the IT team. However, key personnel such as HR, Legal and Operations, need to be aware of the audit and may be asked to provide information and access to systems ahead of the assessment
  • Here are the four critical stages involved in cyber security Each stage should be agreed upon by both parties (client and cyber security auditing company)
  1. Planning and preparation
  2. Audit objectives
  3. Perform the audit
  4. Audit report document
  • During the engagement, a security consultant will carry out a high-level cyber review of your organisation and its IT environment
  • The audit aims to determine the threats, vulnerabilities and risks within the business and externally. It will also assess the impact and probability of such risks manifesting across the organisation’s key areas of control

The scope of work in a security audit

The 11 key areas covered in a cyber security audit performed by Nettitude:

  1. Business continuity planning
  2. Critical cyber assets
  3. Cyber risk governance
  4. Cyber security controls both technical & physical
  5. Employee training & awareness
  6. Incident management
  7. Information Security Management System (ISMS)
  8. Legal, regulatory & contractual constraints
  9. Policies
  10. Risk register
  11. Roles & responsibilities

Reporting

Reporting our findings is the final stage of the audit process, and this is where working with an experienced cyber specialist such as Nettitude is key. 

Nettitude prides itself on the most comprehensive and useful reports in the industry. Every care and attention to detail is taken to ensure that with each engagement the report is both thorough, yet actionable.

Types of audit reporting

Nettitude produces a high-level management report and an in-depth technical review document for each engagement. These documents will highlight security vulnerabilities and identify areas for exploitation. The reports also provide guidance on remediation, with a focus on preventative countermeasures.

To gain access to anonymous management and technical reports related to your industry vertical, please email solutions@nettitude.com.

Audit debrief

Security audits can be complicated, however, at Nettitude we do not think that the reports, presentations, and debriefs also need to be.

Nettitude ensures that all audits have a full debrief at the end of the engagement. Followed by a presentation of critical and high-level vulnerabilities along with guidance on remediation and countermeasures.

Post audit guidance

Clients that engage with Nettitude for cyber security audits receive three months of complimentary access to its Security Support Centre (SOC).

The SOC team can provide a level of assurance through the remediation phase of the audit, ensuring that you can get all your vulnerabilities fixed in a time-sensitive manner.

When should a cyber security audit take place?

As well as a routine annual activity, a security audit can be initiated after a significant organisational event such as a:

  • Breach or incident
  • Merger or acquisition
  • Industry/competitor breach
  • Implementation of a new system/operation
  • Business growth
  • Changes to industry regulation

Are there any legal requirements or regulations that need to be adhered to for audits?

A security audit is a valuable baseline exercise for organisations assessing their compliance towards legal and regulatory compliance as well as security frameworks:

  • EU General Data Protection Regulation (GDPR)
  • NIST Cybersecurity Framework
  • ISO 27001
  • Cyber Essentials
  • National Cyber Security Centre (NCSC) - 10 Steps to Cyber Security

It is also a good measure of assurance around internally deployed security controls.

By conducting security audits your organisation is taking its responsibility to be cyber secure seriously, providing enhanced confidence with your key stakeholders (the board, employees, clients, investors) and new prospective clients.