
When we say “IT security”, businesses run a mile - that just seems to be the way things work. Unfortunately, we know that, despite the heavy reliance placed upon technology in the digital age, safeguarding, protecting and developing your security efforts just seems like a step too far for a surprising number of businesses.

We were shocked at the findings of a recent Spiceworks survey, which revealed 62 per cent of IT professionals said their employer does not regularly carry out security audits. That translates to over half of businesses that are leaving themselves vulnerable to growing, and increasingly intelligent, threats. But why?

Whether it’s a lack of resourcing, limited knowledge or just general ignorance, we’re here to tell you that without regular security audits your business is carrying risks it cannot see. So, here’s all the information you need on how to carry one out.

Where to begin?

The truth is, no business really enjoys having an audit. In fact, even the word itself draws images of surprise inspections, and ultimately being criticised for your exposed IT weaknesses. But if you fail to do your duty as an IT professional, it’s you in the firing line if your business falls victim to a cyber security breach. Therefore, if you are responsible for data security, you should insist on regular audits.

Many businesses, such as those in the finance industry, are required to have external auditors to certify compliance with regulations, but that does not mean that those where this is not a legal requirement can realistically escape them.

Therefore, you need to bring the auditors in - but choosing the right ones can be a challenge in itself.

Set clear objectives

Before you begin your search for an audit firm, you should have a set of clear objectives in place, asking yourself ‘What do I want to get out of the audit?’. These objectives should be as specific as possible. If a breach later occurs in a system that was outside the scope of the audit, the scope was probably defined too narrowly.

Hiring the auditor

For the sake of convenience, you could be tempted to rely on internal staff for your audit. However, we wouldn’t recommend it. Due to the complex nature of checking that operating systems and applications are securely configured, it really does pay to take on an external party.

Technical audits identify risks to the technology platform by reviewing both the policies and procedures in place, as well as network and system configurations. This job alone is one for security professionals.

During the process of looking for an auditor, consider the following factors:

  • Look at their real credentials, and try not to be influenced by impressive-looking qualifications. While they may lure customers in, certifications don’t necessarily guarantee technical competence. Ensure the auditor has actual work experience in this field.
  • Check their resume for security projects they have worked on. Don’t just restrict yourself to audits they have worked on. Check for references. Actual experience with implementing and supporting security technology is an attractive quality.
  • Do your research. Network with individuals and businesses that you know and trust within the industry. Ask them if they know about prospective auditing firms.
  • Find the right fit for you. Don’t worry about meeting with a few auditing firms. This process is about finding the right solution for your business needs.

Preparing for the audit

Some of an auditor’s assumptions are common sense, such as the fact that they will need access to certain data and staff throughout the process. However, once they are on board, do not assume they will automatically receive copies of policies or system configuration data. What they get, and how it is handed over, needs to be spelled out in writing beforehand and agreed by both sides.

It is also advisable to involve the business and IT unit managers of the audited systems as early as possible, so that the audit progresses smoothly rather than stalling on access requests.

There have been documented cases where respected auditing firms have asked for copies of system password and firewall configuration files to be emailed to them, and have been refused by the organisations they were auditing. The refusal was the right call, since credential and firewall files should never travel over plain email, but the stand-off itself could have been avoided had a secure hand-over method been agreed with the audited business from the start.

With this in mind, the ground rules should be set well in advance.

  • Managers need to specify any restrictions - for example, time of day and testing methods - in order to limit the impact on production systems
  • Auditors should be asked to conform to your policy on handling sensitive information, and they must respect and follow any existing policies regarding the forbidding of certain methods of communication
  • Auditors should be given a written authorisation and indemnification statement that permits them to probe the network; without it, their scanning and testing is indistinguishable from an attack and may be unlawful

Also involved in the preparation work is the need for you to provide the basic data and documentation required for the auditor to analyse the systems. While this can vary from business to business, and depending on the nature of the audit, it would typically include:

  • Copies of all relevant procedures and policies
  • A full list of operating systems
  • A list of external security devices, such as firewalls and VPN gateways
  • A list of application software
  • Network topology, specifying target IP ranges

The process

By this point, it may go without saying that the entire auditing process, then subsequent testing, should come as part of an overall plan. For this reason, it is essential to ensure the auditor details this plan up front, and then follows through.

Again, this needs to be as detailed as possible, and the auditor should begin by reviewing all relevant policies to determine what level of risk the business accepts. They should check for any unauthorised implementations, including unidentified wireless networks or unsanctioned use of remote access technology. They should then confirm whether the environment actually matches management’s inventory.

Often, auditors utilise security checklists to review any known security issues and guidelines for particular platforms utilised within a business. However, these are no substitute for platform expertise.

The auditor will make use of a vulnerability scanner to check operating system and application patch levels against a database of reported vulnerabilities. It is important that the scanner’s database is current, and that it covers each target platform in scope. Most scanners carry out this task to an acceptable level, but results vary between products and between environments.
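As an added example (not the article’s own code, and not any particular scanner’s logic), the following Python shows the two checks the paragraphs above describe: reconciling what a scan discovers against management’s inventory, and matching installed versions against an advisory list with a freshness check on that list. The hosts, package names (acme-httpd, acme-sshd), versions, advisory entries and dates are all constructed for illustration and refer to no real product or real vulnerability.

```python
"""Added example (not the article's code): reconcile a scan's discoveries
against management's asset inventory, then match installed versions against
an advisory list the way a vulnerability scanner does. Every host, package
name, version and advisory entry below is constructed for illustration and
refers to no real product or real vulnerability."""
from datetime import date
from typing import Dict, List, Tuple

# Constructed inventory: host -> {package: version management believes is installed}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "10.0.1.10": {"acme-httpd": "2.4.1", "acme-sshd": "9.2.0"},
    "10.0.1.11": {"acme-sshd": "9.1.0"},
    "10.0.1.12": {"acme-httpd": "2.4.1"},
}

# Constructed scan output: what the scanner actually found on the network.
DISCOVERED: Dict[str, Dict[str, str]] = {
    "10.0.1.10": {"acme-httpd": "2.4.1", "acme-sshd": "9.2.0"},
    "10.0.1.11": {"acme-sshd": "9.0.3"},   # older than the inventory claims
    "10.0.1.42": {"acme-httpd": "2.3.9"},  # host nobody recorded
}

# Constructed advisory list: a version is affected if introduced <= installed < fixed.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "EXAMPLE-ADV-1", "package": "acme-httpd", "introduced": "2.3.0", "fixed": "2.3.12"},
    {"id": "EXAMPLE-ADV-2", "package": "acme-sshd", "introduced": "9.0.0", "fixed": "9.1.0"},
]

DB_DATE = "2024-05-01"    # constructed: when the advisory list was last refreshed
SCAN_DATE = "2024-05-03"  # constructed: when the scan ran


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.12' -> (2, 3, 12). Tuples compare numerically, so 2.3.9 < 2.3.12;
    a plain string comparison would wrongly rank '2.3.9' above '2.3.12'."""
    return tuple(int(part) for part in text.split("."))


def is_affected(installed: str, introduced: str, fixed: str) -> bool:
    """Half-open range check: vulnerable if introduced <= installed < fixed."""
    return parse_version(introduced) <= parse_version(installed) < parse_version(fixed)


def database_is_current(db_date: str, scan_date: str, max_age_days: int = 7) -> bool:
    """A scan is only as good as its advisory data; refuse a stale database."""
    age = date.fromisoformat(scan_date) - date.fromisoformat(db_date)
    return 0 <= age.days <= max_age_days


def reconcile_hosts(inventory: Dict[str, Dict[str, str]],
                    discovered: Dict[str, Dict[str, str]]) -> Dict[str, list]:
    """Compare management's inventory with what the scan found: hosts nobody
    recorded, hosts that did not answer, and packages whose version drifted."""
    report: Dict[str, list] = {
        "unidentified": sorted(set(discovered) - set(inventory)),
        "not_seen": sorted(set(inventory) - set(discovered)),
        "drift": [],
    }
    for host in sorted(set(inventory) & set(discovered)):
        for pkg, expected in inventory[host].items():
            actual = discovered[host].get(pkg)
            if actual != expected:
                report["drift"].append((host, pkg, expected, actual))
    return report


def match_advisories(discovered: Dict[str, Dict[str, str]],
                     advisories: List[Dict[str, str]],
                     db_date: str, scan_date: str) -> List[Dict[str, str]]:
    """Match every discovered package version against the advisory list."""
    if not database_is_current(db_date, scan_date):
        raise ValueError(f"advisory list dated {db_date} is stale for a scan on {scan_date}")
    findings: List[Dict[str, str]] = []
    for host, packages in sorted(discovered.items()):
        for pkg, version in sorted(packages.items()):
            for adv in advisories:
                if adv["package"] == pkg and is_affected(version, adv["introduced"], adv["fixed"]):
                    findings.append({"host": host, "package": pkg, "installed": version,
                                     "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    print(reconcile_hosts(INVENTORY, DISCOVERED))
    for f in match_advisories(DISCOVERED, ADVISORIES, DB_DATE, SCAN_DATE):
        print(f"{f['host']}: {f['package']} {f['installed']} "
              f"({f['advisory']}, fixed in {f['fixed_in']})")
```

Two details are worth noting. The unrecorded host 10.0.1.42 is exactly the kind of finding a checklist-only audit misses, and it only surfaces because discovery is diffed against the inventory rather than taken at face value. The version check uses numeric tuples because a scanner that compares version strings lexically would declare 2.3.9 newer than the fixed release 2.3.12 and miss the finding entirely, which is one reason the article warns that results vary between products.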


So, once the audit has been carried out, it is your chance to take a look at the report and judge whether or not it was carried out to an acceptable standard. If the findings follow a standard checklist that could be applicable to any organisation, it is arguable that you did not get your money’s worth. While some commercial vulnerability scanners have thorough reporting mechanisms, the auditor should prove their worth by interpreting these results based on your environment.

Any analysis carried out should reflect your organisation’s risks. Tools lack analytical insight and often produce false positives. It is the people, not the tools, that should audit your systems. Have your IT staff review the findings and testing methods to judge their validity, and have them provide a written response.

The auditor’s analysis needs to follow established criteria, applied to your specific business requirements. It is this that will help you to determine the action you take as a result, therefore it needs to be as detailed as possible.

The report should outline:

  • What is the source of the threat? Is it from internal users or the public internet?
  • The probability that this could be exploited - have other organisations suffered intrusions due to this type of exposure?
  • What is the likely impact of this exposure? What impact will this have on the bottom line?
  • Recommended actions to fix the problems
  • Any potential legal liability. Could your systems become a repository for contraband?
  • The risk of service interruption

There are occasions when auditors fail to identify any significant vulnerabilities. Rather than inflate trivial concerns, auditors should outline their testing methods in detail and acknowledge a well-run security set-up. You could ask them to highlight any areas that could become a concern in the future, or to suggest security enhancements.

A lot to consider

Yes, there is a lot to think about when it comes to a security audit. However, the benefits outweigh the effort considerably. Remember, the purpose of having an audit is to gain an accurate picture of your business’s security position, while providing recommendations for improving it.

By doing some vital homework, such as considering what you really want from an auditor, the exercise has numerous advantages, and by securing your own staff’s support for the process as it takes place, you can be far more confident that vital company information is safeguarded.
