Security incidents are on the increase. Even if one has not yet directly affected your organization, ignoring the risk is like sticking your head in the sand.
Ideally you should conduct a complete security audit at least annually to identify risk areas, then either knowingly accept each risk or take appropriate steps to rectify it. Hiring an IT security specialist to locate vulnerabilities is best. If you cannot or will not make that investment, here are some areas you can look at yourself.
- External Interactions – Identify exactly how your systems interact with any outside parties. For example, do you feed data to any other sources? Perhaps you pull data from external systems or websites that is stored internally. Do you provide remote computer access? External threats can also come from employee use of the internet (including social media) and emails.
- Internal Access – Not all threats come from the outside. What access do staff have to your systems? Are all system areas open or are they protected through staff security levels? Who sets these levels? How often are they checked? What password policies are in place? Is there any way that confidential data can be compromised?
- Boundary Security – Check your firewall rules, exposed ports, and permitted protocols. Attackers routinely scan networks for ports that have been inadvertently left open, so compare what is actually reachable from outside against what you intend to expose, and close anything that has no business justification.
- Wireless Security – Most organizations today provide wireless networks: Wi-Fi, perhaps Bluetooth, and so on. Each is another way onto your network, so check how it is secured (encryption, who is allowed to connect) and whether guest access is kept separate from internal systems.
- Device Security – With the proliferation of handheld devices, physical device security has become a much broader topic. How easy is it for staff to copy and remove information on USB flash drives, laptops, tablets, phones, etc? The reverse is also true. How easily can they infect your systems, often unintentionally, with a virus brought in on one of these devices?
- Application Security – Check all applications across your system. You may be surprised to find unknown applications on staff devices. How will you stop them installing software in the future? Are all the legitimate applications regularly patched to prevent security issues? Are anti-virus applications installed and up-to-date on all devices?
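The boundary check above can be turned into a repeatable script: scan the ports you care about, compare the result to a written baseline of what should be listening, and report anything unexpected. The following is an added example and not code from the original article; it assumes the audit runs from a host that can reach the target and, so that it runs offline, scans 127.0.0.1 against a throwaway listener it starts itself (a constructed fixture standing in for a forgotten service). The baseline is a hypothetical allowlist you would maintain per host.

```python
"""Self-audit helper: find listening TCP ports that are not on an approved baseline.

Added example, not code from the original article. The listener started by
demo() is a constructed fixture standing in for a service someone left running.
"""
import socket
import threading


def scan_ports(host: str, ports, timeout: float = 0.5) -> set:
    """Return the subset of `ports` that accept a TCP connection on `host`."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def audit_ports(host: str, ports, baseline):
    """Compare what is open to the approved baseline.

    Returns (unexpected_open, expected_but_closed): the first set is the
    finding a boundary audit cares about; the second usually means a
    legitimate service is down or the baseline is stale.
    """
    found = scan_ports(host, ports)
    return found - set(baseline), set(baseline) - found


def start_listener(host: str = "127.0.0.1"):
    """Start a throwaway TCP listener on a free port (constructed fixture).

    Returns (stop_event, port). Setting the event shuts the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return stop, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Find a port that is currently closed (bind to 0, read it back, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Run the audit against a local fixture and return the findings.

    The baseline deliberately lists only the closed port, so the running
    listener shows up as unexpected and the baseline entry as missing.
    """
    stop, listener_port = start_listener()
    closed_port = free_port()
    try:
        unexpected, missing = audit_ports(
            "127.0.0.1", [listener_port, closed_port], baseline={closed_port}
        )
    finally:
        stop.set()
    return {
        "listener_port": listener_port,
        "free_port": closed_port,
        "unexpected": unexpected,
        "missing": missing,
    }


if __name__ == "__main__":
    result = demo()
    for port in sorted(result["unexpected"]):
        print(f"FINDING: port {port} is listening but not in the baseline")
    for port in sorted(result["missing"]):
        print(f"NOTE: baseline port {port} is not reachable")
```

In a real audit you would run `scan_ports` from outside the perimeter (the view an attacker gets), keep the baseline under version control, and treat every entry in the unexpected set as an item for the Technical Specification described below. A connect scan like this only sees TCP services; UDP and filtered ports need separate checks.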
At this stage you will probably want to create at least two documents. Firstly, an Executive Summary for management that presents your findings at a high level, with costs and action items for any work still required. Secondly, a detailed Technical Specification covering all findings, network tables and diagrams, identified risks, and step-by-step remediation procedures.
A security expert will typically go into much more detail than the items listed here, usually working from a checklist covering hundreds or even thousands of risks. However, creating your own checklist and completing it annually is at least a step in the right direction.