In November 2017, Forever 21, a Los Angeles-based clothing retailer, announced that a potential data breach might have affected some of its customers. On investigating, the company found that the "encryption and tokenization solution" implemented in 2015 might not have been working on some of its PoS machines.
Organizations are becoming more vulnerable to cyber threats as their reliance on technology grows. These threats are not restricted to financial and IT companies but extend to other industries too. The retail industry, for example, has been targeted heavily, probably because it is seen as both a softer target and a richer source of consumer information. The manufacturing industry, with its adoption of Industry 4.0 digital manufacturing, sensor technology and other smart products, has also been exposed to a range of cyber threats. Industry 4.0 is the fourth industrial revolution in manufacturing and industry, characterized by automation, cloud computing, data exchange and autonomous industrial techniques. Hence, it is critical to have sturdy cybersecurity programs in place and to ensure that they are up to date and working well.
Why Is Auditing Cybersecurity Programs Important?
Most companies across industries have well-established cybersecurity programs. Where these programs fall short is in their capability to review and audit security processes and to ensure that they are run at the appropriate intervals. For example, if the implemented security process schedules a monthly vulnerability scan but product updates are released twice a month, vulnerabilities introduced between scans may remain exposed or entirely undetected. Gaps like these can go unnoticed for long periods; sometimes they are attended to only after a security breach has taken place. Because cyber threats evolve at a rapid pace, it is important to continually verify that your cybersecurity measures are effective and up to date.
In a typical "Three Lines of Defense" model, responsibility for cybersecurity starts at the top, with the CIO/CISO and the audit team finalizing the cybersecurity control framework and enforcing the security policies and procedures. This framework, which might be drawn up for a 3-to-5-year period, should be reviewed every 6 to 12 months to ensure that the process remains effective.
Pitfalls often arise when monitoring and oversight are not an ongoing part of the cybersecurity procedure. New threats and vulnerabilities are introduced every other day. To mitigate the risks, many organizations form a cybersecurity committee, often led by the CISO. The committee meets periodically with all stakeholders to assess threats and vulnerabilities, which can arise every time third-party data storage is added, a critical employee leaves or joins the company, or new hardware, software or servers are introduced.
The second line of defense is tasked with assessing risks and exposures related to cybersecurity. It works closely with the first and third lines of defense to draw up policies and build effective cybersecurity awareness. It ensures that risk reporting and controls are adequate and up to date by conducting quarterly or half-yearly audits and management reviews. It also assesses relationships with vendors and must govern them by continuously monitoring their access to the company's sensitive data. Auditing vendors annually, together with monthly or quarterly reporting on key security metrics, helps maintain higher standards of cybersecurity.
The internal audit function, acting as the third line of defense, is responsible for auditing cybersecurity risk mitigation across all facets of the organization. This usually includes quarterly, half-yearly or annual reviews of user access, network design, vendor management, monitoring, and the cybersecurity awareness training conducted for employees, IT staff and vendors who work with the organization's interfaces. This ensures better incident and breach preparedness. Practicing a tabletop drill with the individual teams every six months helps assess the effectiveness of the laid-down process. The audit should be a planned activity with entry criteria, regular update and exit meetings, and well-defined expectations for each stage.
Ensure Effective Auditing and Compliance with Seqrite
Seqrite offers a host of proactive, active and reactive services to protect its clients against cyber threats. Seqrite helps organizations proactively protect their IT assets and comply with regulatory requirements by performing timely and efficient audits of their systems. Seqrite specializes in Technical, Compliance and Red Team audits and provides complete security management and consulting services to enterprises globally.
Infrastructure Security, Application Security and Industrial Control System Security are the top three areas of Technical Audits offered by Seqrite. Compliance Audits include ISO 27001, PCI DSS and HIPAA, among many others, while Red Team Audits include Readiness Assessment, Red Team Assessment and War Games.
While it is essential to have corrective controls in place to deal with vulnerabilities, it is even more important to ensure that corrective and preventive controls are up to date and operating effectively to mitigate an attack or a breach. Periodic audits, especially those conducted by specialists like Seqrite, help ensure your cybersecurity program is always in the best shape.