Just the other day, Protiviti released our 2015 IT Security and Privacy Survey, which once again highlights the need for continued vigilance on the cybersecurity front, even as it marks certain improvements over last year. Staying on topic, I want to share some additional hot issues that continue to crop up in conversations with our IT audit clients. Most of the people we speak with recognize the need to do something in these areas, or at least to be aware of them, yet their organizations continue to struggle with the concrete action steps needed to address them.
All organizations, regardless of size, should review and discuss the following points to ensure not only that they are on the company radar, but also that management and the board understand the risks to the organization and the actions available to mitigate them. These are comparatively simple, self-contained action items that can be initiated without significant deliberation or resources.
- Detecting a potential breach – Companies should assume they may already be compromised and actively look for the evidence, rather than waiting for an outside party to tell them. Examples of these techniques include deploying advanced threat detection tools at the Internet egress points to identify command-and-control communications (for example, clients that contact the same external host at a near-constant interval) and other suspicious outbound activity; leveraging user behavior analytics (UBA) tools to flag accounts whose logon times, locations or data access deviate from their established pattern; and performing advanced log analysis to detect signs of a breach. The last two only work if logs from proxies, DNS, authentication systems and endpoints are actually being collected centrally and retained long enough to look back over, so verifying that is a prerequisite.
- Secure code review – A lot of vulnerabilities and issues are missed by not reviewing code properly. For example, we recently worked on an e-commerce site where the vulnerability scans showed no issues. On reviewing the code, we discovered that an attacker had modified it to send credit card numbers to a malicious server, in addition to sending them to the bank. A scanner exercises the application from the outside and looks for known flaw classes; a backdoor that works exactly as the attacker intended, with no externally visible defect, is invisible to it. Without a code review, this would have gone undetected. To ensure thoroughness, companies also should evaluate their code review and SDLC processes (if they exist), including whether the code actually running in production can be reconciled against what is in version control, to further defend against a breach.
- Phishing – A cybersecurity lab can send a simulated phishing email to 10,000 employees and collect key metrics, including how many employees opened the email, clicked on the link, supplied their credentials, and so on. This exercise is highly effective and its results are almost always startling, generating a dialog that resonates throughout the organization. Performing this analysis on a periodic basis, with the same scenario difficulty each time, lets the organization measure its progress in education and awareness rather than just take a one-time snapshot.
- Penetration tests – Organizations should perform a penetration test at least annually and cover both internal and external scopes, since an attacker who gets past the perimeter (often through phishing) is then testing the internal network, not the external one. For many organizations, IT may already perform this task on a regular basis, which is best practice. Still, Internal Audit may want to ensure this exercise is complemented periodically by an independent penetration test, and that findings from the previous test have been remediated before the next one.
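The first item above mentions finding command-and-control traffic and signs of a breach in logs. As an added example (not code from the original post or from Protiviti), the script below shows one form that "advanced log analysis" can take: a beacon detector that reads web-proxy records and flags any client-to-destination pair that connects at a near-constant interval, which is how much malware checks in with its controller. The log format (timestamp, client IP, destination host, bytes sent), the hostnames and the sample lines are all constructed for the example; the thresholds (at least five connections, interval jitter under 15%) are starting-point assumptions to tune against your own traffic.

```python
"""Beacon detection over web-proxy logs.

Flags (client, destination) pairs whose connections recur at a near-constant
interval, a common command-and-control signature. Added example; the log
format, hosts and thresholds below are assumptions, not from the original post.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic). Fields:
# timestamp, client IP, destination host, bytes sent.
# 10.1.1.23 talks to update.example-cdn.net every ~5 minutes (beacon);
# 10.1.1.40 browses www.example.com at irregular human intervals.
SAMPLE_LOG = """\
2015-06-01T09:00:00 10.1.1.23 update.example-cdn.net 412
2015-06-01T09:00:07 10.1.1.23 www.example.com 1523
2015-06-01T09:05:01 10.1.1.23 update.example-cdn.net 410
2015-06-01T09:07:44 10.1.1.23 mail.example.com 8320
2015-06-01T09:10:02 10.1.1.23 update.example-cdn.net 415
2015-06-01T09:15:00 10.1.1.23 update.example-cdn.net 411
2015-06-01T09:20:01 10.1.1.23 update.example-cdn.net 409
2015-06-01T09:25:03 10.1.1.23 update.example-cdn.net 414
2015-06-01T09:02:10 10.1.1.40 www.example.com 2200
2015-06-01T09:31:55 10.1.1.40 www.example.com 1900
2015-06-01T10:12:04 10.1.1.40 www.example.com 2500
2015-06-01T11:48:30 10.1.1.40 www.example.com 3100
"""


def parse_log(text):
    """Group connection timestamps by (client, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_sent = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text, min_connections=5, max_jitter=0.15):
    """Return [(client, destination, mean_interval_s, jitter)] for periodic pairs.

    jitter is the coefficient of variation of the gaps between connections
    (std dev / mean); a value near 0 means the client is calling home on a
    fixed timer, while human browsing produces a much larger spread.
    """
    findings = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append((src, dst, round(avg, 1), round(jitter, 3)))
    return findings


if __name__ == "__main__":
    for src, dst, interval, jitter in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every {interval}s (jitter {jitter})")
```

Run against the constructed sample, only the 10.1.1.23 to update.example-cdn.net pair is reported, at roughly 300 seconds with near-zero jitter; the human browsing session is excluded both by count and, if the count threshold is lowered, by its irregular spacing. Real malware adds random sleep to its check-in interval, so in production the jitter threshold needs to be set from observed data, and the output should be treated as a lead for an analyst, not a verdict.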
Personally, I would love to see more organizations treat these items as standard must-do's in their annual IT audits, to minimize the risk of being breached. To learn about the current state of IT security and other IT trends, see the findings of our 2015 IT Security and Privacy Survey.