6 questions to ask before conducting an internal security audit
by Oliver Haslam
Hearing the words “security audit” can be daunting, whether you’re on top of your security game or not. It’s inherently unsettling to be told you’re doing something wrong, especially when that something is as important as business security.
But this is also why security audits are so important. If hearing that your company has a hole in its security — whether physical or process-driven — terrifies you, imagine how you’d feel if something catastrophic were actually to occur. Prevention is better than cure, and security audits are an important part of breach prevention. While you may need an external audit for regulatory reasons, that doesn’t mean internal security audits don’t have their merits. In fact, they can be downright invaluable.
Nobody knows your business like you do. That should mean that you know where you are vulnerable, where existing measures have become lax over time, and where complacency has become the enemy of the systems and processes that ought to keep everything safe.
Conducting an internal security audit can be a fantastic way to blow off the cobwebs and really get a feel for what’s working, and more importantly, what isn’t. The act of carrying one out needn’t be daunting, either.
Whether you’re just looking to improve on processes, or preparing for something more official like SOC2 certification, there are a few things to keep in mind for a successful internal security audit.
Make sure your internal auditor has sufficient access to people and systems for the duration of the audit. A person or team with complete oversight is essential for meaningful results here. Your auditor should be free of any bias toward teams or individuals within the business. A full, honest and above-all unencumbered appraisal of your security depends upon it.
Without first knowing the full scope of the audit, the auditor faces an uphill struggle to find the boundaries in which they are expected to work. If the audit is intended to examine security processes relating to a particular branch of the business, this needs to be set out ahead of time. If the aim is to take a physical audit of a number of computers or other assets, this needs to be confirmed, too.
To be effective, you need to know what you are looking for, otherwise you risk missing it. A clear and structured list of the potential threats posed to your company, and any assets or processes outlined in the audit’s scope, allows the auditor to ensure they are looking in the right places. Those threats could be technological, such as threats to computer systems and infrastructure, or something much less high-tech, like inadequately trained users. If your company employs a Bring Your Own Device policy, this too is a key area where security can slip.
While employees may feel that audits are designed to trip them up, it’s important that all involved understand that audits are for the betterment of the company as a whole, as well as its employees. Nobody should feel afraid to speak the truth — it’s not about punishing people, but improving security in future.
Upon completion of an internal security audit, findings and improvements should be provided to a senior member of the company so that they can be digested and implemented. Carrying out an audit of any kind is useless if its findings are not acted upon. A follow-up audit is often essential to ensuring that the changes have been made successfully. Whether that takes the form of a repeat internal audit will depend on the company at hand, but an external audit at this point may have its merits — especially now the kinks have been ironed out ahead of time.
We have always lived by the principle that security is a process, not a product, and that daily improvements and changes bring far stronger security over time. This thinking was confirmed when we completed our own journey through SOC2 certification: security never ends. While it can be tempting to breathe a sigh of relief when an audit is done and dusted, security is an ongoing affair because mistakes will always happen and the bad guys will never stop trying to find their way in. To take security seriously is to be constantly vigilant. Audit, implement changes, and repeat.
Keeping on top of business security is vitally important regardless of industry, and making sure the correct tools are in place to ensure compliance can go a long way — whether those tools are security-focused software like 1Password Business, physical security like key cards, or just improved processes and checks.
Of course, you’re already ahead of the game if you’re using 1Password Business. If you’re not, then why not take the next step on your security pilgrimage by trying it out, free, for 30 days?