Top 5 Security Audit Findings 2018

The UK Government’s National Security Strategy acknowledges cyber threats as one of the four major risks to national security and to UK businesses. 

Despite this, in 2018 many organisations still don’t have basic cyber security measures in place; some organisations are starting from scratch and many don’t know where to start. In many cases organisations are blatantly negligent in their efforts to protect their own and their clients’ data.

Below are the Top 5 security audit findings that Romano Security Consulting have encountered on a frequent basis during audits conducted over the last 12 months. 

1. Inadequate staff training and awareness

Staff are not provided with adequate security training, and there is a lack of security awareness communications and updates warning staff of current threats. Staff are one of your biggest vulnerabilities: you can have all the greatest technical defences in the world, but all of them can often be bypassed with the click of a mouse.

2. Inadequate protection of data 

It’s pretty incredible that some organisations don’t actually know what data they hold or where it is stored. Data is also stored on insecure or unsuitable platforms; data is not encrypted in storage or in transit; access controls are poor; staff are often unsure of how to handle different types of data; there are no data exfiltration controls; data isn’t securely disposed of; and backups are not taken. GDPR who?

3. Inadequate incident management 

Organisations have inadequate incident detection capabilities and wouldn’t actually know if somebody were already extracting their data. Most organisations don’t have a basic incident reporting process, staff are unsure of who to report incidents to, and organisations don’t have basic incident response plans. It’s taken a long time for organisations to start to put business continuity plans in place; I only hope it doesn’t take as long for them to put incident response plans in place, because at the moment cyber criminals must be having a field day.

4. Inadequate management of third-party risk

Organisations don’t assess or address risks from third-party suppliers and don’t carry out regular audits of them; some suppliers have unlimited access to resources and data; suppliers’ employees are not security vetted; and confidentiality and non-disclosure agreements are non-existent. Think of and treat third parties as an extension of your own business. Don’t just transfer the risk to another business: own it and take responsibility for third-party risk.

5. Inadequate technical defences 

Organisations have out-of-date or inadequate vulnerability patching, end-of-life hardware, poorly configured security hardware and anti-virus software, and insecure networks; they don’t conduct penetration testing or vulnerability scans; and network perimeter and device monitoring is inadequate. Don’t use a lack of IT resources as an excuse when you’re paying your sales people huge amounts of money and reporting huge profits.

The list goes on, and in our experience many organisations are still not getting these basics right. So where do you start?

Contact Romano Security Consulting today and let us help to put you on the right track to secure your organisation. 

T: 01625 315 021

E: enquiries@romanosecurityconsulting.com
