In today’s modern day and age, it is crucial for companies to take their Information Technology systems seriously to avoid the possibility of cyber-attacks and data breaches. A great way for companies to ensure their Security remains up to date and compliant is to perform regular IT Security Audits.
What is an IT Security Audit?
To begin defining an IT Security Audit, we can examine theformal definition of an Audit as provided by the Institute of Internal Auditors: “independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
An Information Technology Security audit is a comprehensive review of your company’s entire IT infrastructure. This includes a full review of your IT systems, management, applications, and data uses amongst other processes. The purpose of this audit is to evaluate the overall safety of your network. A good comprehensive audit would suggest improvements and identify any weaknesses in your system, to ensure greatest operating efficiency and cybersecurity.
What are the Benefits of IT Security Audits?
Companies should perform regular IT Security Audits to determine if their infrastructure properly is able to secure the company’s data and assets. There are many benefits to performing these audits regularly:
Reducing Expenses – IT Audits can help you uncover which services you no longer need as well as outdated software and help your company save money in the long run.
Ensuring Compliance – Regular IT Audits will also ensure that your company’s Information Technology platform and systems are up to date with your country’s standards. This will help avoid any legal disputes and fines down the line.
Verify Security Effectiveness – Certified IT auditors will use various tests to verify how effective your current cybersecurity processes are.
Improve Communication within the Company – Regular IT audits can enhance the communication between different departments with the Information Technology department.
Types of IT Security Audits
There are four main types of security tests in an IT audit. These include: Vulnerability Tests, Penetration Tests, Risk Assessments as well as Compliance Audits.
Vulnerability tests are performed to identify any loopholes or risks in your IT system’s design, to reduce risk. Penetration tests are used to stimulate disruptive conditions and break into your system, such as sending email links with malware. These are great for improving employee security training and testing antivirus software. Next, Risk Assessments are used to identify and eliminate risks associated with using your company’s IT systems. When risks are identified, the next step for companies is to determine what investments should be made to eliminate those risks. Lastly, Compliance Audits ensure that your company’s IT systems adhere to the legal standards in your country or industry.
Colin Knox describes his entrepreneurial journey so far in two words: Crazy and stupid. But the founder of two highly successful businesses: XCEL Professional Services and Passportal also acknowledged the creative part of his journey as well.
Knox, after spending a little over a year at SolarWinds MSP which acquired Passportal, is at it again with a new company called Gradient MSP. This time, Knox will be using his talents to help the MSP and vendor communities better understand themselves. The goal is to lead both communities into building profitable monthly recurring revenue streams.
The spark for Gradient MSP came while he was reading Start with Why: How Great Leaders Inspire Everyone to Take Action by Simon Sinek. “This book spoke to me,” he added. While reading the book, Knox began to envision how he could solve more MSP industry problems by helping the community compete on a level-playing field. Knox also realized the industry is a two-way street and will have Gradient MSP work with vendors as well to “level them up” to better understand MSPs.
Currently, Gradient MSP is working on its offering; planned for launch sometime in this year.
During the Jolera Interview Series, Knox talked about how he started as an entrepreneur by catching insects as a kid and putting them into his own “Bug Zoo”. As crazy as this sounds, neighborhood kids paid Knox to see his collection. And, from there it sparked a lifelong passion to create things that others can enjoy.
“I thought it was cool. People paid me to see my bugs. It comes down to creating something that others can enjoy and make their lives easier. I think the most rewarding thing for me is when I hear stories about how things I have created that has impacted others. This is what drives me to keep going and try new things,” he said.
Knox’ biggest claim to fame is Passportal, a password security and documentation management solution that he sold to SolarWinds MSP in 2019.
“We created Passportal at a time when many MSPs were embarking on trying to find a solution. We’d gone out and looked high and low and found a ton of enterprise or consumer grade products, but none that were suited for the mid-tier,” he said.
After posting several queries on platforms such as LinkedIn, to find out what others were using to solve and manage passwords without any luck, Knox decided to build it on his own. Passportal came at a time when several MSPs had no answer for challenging issues such as compliance audits or even simple matters as a password change when an employee leaves the organization.
Then those LinkedIn queries turned into several replies for other interested parties wanting to know if Knox and XCEL found anything. Knox saw opportunity and created Passportal in 2011. And, with zero marketing effort got more than 300 MSPs to use it almost instantly. At the time of the SolarWinds MSP acquisition more than 2,000 MSPs were using Passportal worldwide.
Knox credits entrepreneurs such as Robert Herjavec of Dragon’s Den fame and Apple co-founder Steve Jobs for his inspiration as an entrepreneur. Knox said without having read Herjavec’s book Driven: How to Succeed in Business and In Life he would never have started XCEL. “Herjavec’s story showed me that I could build an IT business in Canada.”
As for Jobs, several of his career case studies gave Knox the confidence to know that a small, gritty team can be world class and create solutions that can be used by the masses.
Also, during the Jolera Interview Series, Knox described what his experience was like starting Gradient MSP during a worldwide pandemic as well as what entrepreneurs can learn from failure.
For many small or medium sized businesses, as well as emerging start-ups that do not have the capacity to manage their own Information Technology Infrastructure, a Managed Service Provider is a great solution. An MSP (Managed Service Provider) is a third-party company that remotely manages a company’s IT infrastructures and performs day-to-day management services. With so many MSPs globally available today, it is important for a business to first consider some critical questions before choosing the right MSP to partner with.
1. At what point should your services be managed by an MSP rather than in-house?
The first step is to determine what services are actually worth managing by a third-party. If a company has less than ten computer users, it may actually be more cost-effective to do all services in-house. However, if a company is scaling and has over two hundred end users and is still in the process of growing, most services should be managed by an MSP to enhance productivity and cost-effectiveness for the business.
2. What competitive advantage does the MSP offer?
What differentiates the Managed Service Provider that you are considering? Is it their extremely well reviewed customer service and 24-hour support, or the low cost? Or is the MSP more costly but more committed to the latest technological upgrades and constant improvement? Companies should determine what is most important to them at their stage of growth and choose an MSP according to that specific competitive advantage.
3. Does the MSP offer after-hours or onsite support in the case of an emergency?
Depending on where your company is located globally, natural disasters could be a serious risk for your IT infrastructure. Your company could also be a victim of a data breach. No matter what the worst-case scenario is for your business, it is a huge bonus for the Managed Service Provider to offer immediate and onsite support at all times in case of any emergencies. If your company is in an area more at risk of a natural disaster, it is important to determine which providers include on-site support as some only offer remote guidance.
4. Does the MSP offer an all-inclusive support plan?
An All-Inclusive support plan works out to the benefit of both parties; the MSP and the company using their services. A flat-fee arrangement motivates the MSP to perform quickly, whereas an hourly billing service may not be ideal for a starting company strapped for cash.
Make sure you are fully aware of what is included in the all-inclusive service plan. Some examples of services to look for include:
Choosing a Managed Service Provider is an exciting step to take, but one not to take lightly. The right provider can tremendously help your business improve technological efficiency. It is important for any company no matter how small or big to do proper research and consider the above essentials to make an informed decision.
Imagine the following worst-case scenario: your company has taken the right steps to protect its employees, customers and data from cyber-attacks, and yet a ransomware attack still occurred. Now what? It happens; no company is fully safe from today’s rising cases of cyber-attacks and data breaches. Even with the most secure platforms, hackers may find discerning ways to infiltrate the system. How a company reacts in the first few hours and days following a cyber-attack is crucial.
First Step: Recognizing the signs of a data breach
Employees must be educated and empowered to immediately inform their IT department if they suspect a ransomware attack has occurred. Employees may feel guilty and embarrassed if they believe they are at fault of letting a data breach happen. However, if the threat is not addressed immediately, the consequences could be more severe. The best way to damage control is to respond to a security threat immediately. Signs of a data breach include but are not limited to:
Locked accounts or changed user credentials
Missing funds or assets
New suspicious or unknown files
Reduced Internet speed.
Next: Determine and isolate the systems impacted.
Early on, only a few computers may be affected in the attack. In this case, it is crucial to disconnect the affected hardware from the system. The network should then be taken entirely offline. If the network cannot be taken offline, all devices should be powered down. It is important to however note that in that case you may lose some evidence of the attack which would be beneficial for the authorities. Best course of action is therefore to take the entire network offline at the switch level. Once damage control is done, the company may begin restoring critically important systems based on priority level.
Final Steps: Engage the right stakeholders
Depending on where your company is located, you may want to contact the FBI or the police once the first step is complete and the affected systems are isolated. It is important for your IT department to identify what information the hackers may have infiltrated for the authorities to try to salvage the situation accordingly. If the hackers ask for a ransom, do not attempt paying them right away but rather let the professionals handle it. Majority of the time, even if a ransom is paid, data has already been stolen or compromised. The next relevant stakeholders to contact would include managed security service providers, your cyber insurance company, and the board of directors and other developmental leaders.
Lastly, your company will need to find a proper way to disclose its data breach to either the public or simply just the affected customers; this will depend on the impact of the attack and how many potential customers’ data was affected. Your communication department can handle this appropriately. Customers whose data has been compromised need to be informed right away. Although loss of trust from customers is a serious consequence of ransomware attacks, if handled appropriately, it is possible for a business to rebuild itself and regain trust from the public.
As news reports have indicated over the past year, data breaches and ransomware attacks have been on the rise amidst the global pandemic. A 300% increase in cybercrime can be attributed to the rise of online activity since the start of the Novel Covid-19 Virus as of early 2020. After a major cyberware attack on a U.S. pipeline occurred earlier this year, Chief Shelly Bruce, head of Canada’s Electronic Spy Agency, announced that businesses should take extra steps to protect themselves as well.
Data however suggests that Canadian companies are simply not spending enough on cybersecurity. Statistics Canada reported that Canadian businesses spentless than one percent of their total revenues on security measures and software. Around 20% of large Canadian businesses did not report any expenditure on Cybersecurity in 2019. Security measures simply do not appear to be the top priority for many large businesses and ironically, those are the businesses most at risk. Below are the ways that Canadians can begin protecting themselves against the rise of cybercrime.
1. Invest in a well-rounded cybersecurity infrastructure
Companies need to protect their systems from threats at all angles. A well-rounded system, such asSecure IT, offers a wide variety of services targeting security threats. The platform’s Security Information and Event Management analyzes multiple data streams from all of the company’s devices to detect potential threats. It includes cloud, software and hardware technology, a strong firewall, fully secured WiFi, advanced security analytics and correlation as well as live agent support at all hours.
2. Place a focus on cybersecurity training and awareness
Investing in a well-rounded IT cybersecurity software is only the first step. Companies need to establish a culture of security awareness in their workplace and place an emphasis on its importance. Some ways to do so would be discouraging password sharing, restricting network admin rights, and hosting monthly or weekly discussions on security. Businesses should educate workers on creating strong passwords, restrict certain websites and implement ways to test employees. Proactive monitoring must also be in place, to detect compromised and stolen employee data and credentials.
3. Invest in cybersecurity insurance
Even businesses with highly secured firewalls are still at risk of a data breach, as hackers are finding more and more ways to infiltrate companies’ systems. Losses from such data breaches can tremendously impact a company’s bottom line. Companies should therefore invest in a comprehensive cybersecurity insurance to mitigate the financial impact if a cyber-attack does occur.
The world is not as it used to be; in our new digital age hackers are becoming more persistent than ever before. And since companies are collecting more data than ever, a cyber-attack is bound to cause very serious consequences. These consequences not only include huge financial losses but more importantly a loss of trust from customers, and the public.
No companies are truly safe, and the only way to fight against the rise of cyber-attacks is through a multi-layered security system, a strong workplace culture and protection in the form of insurance if all else fails.
Ransomware attacks have been increasing globally over the years, and thousands of companies around the world have been affected as a result. Ransomware attacks, also known as Cyber-attacks, occur when a company’s online systems are hacked, taken over and locked unless a large ransom is paid.
Since the global pandemic has struck early last year, the FBI reported a 300% increase in cybercrime. This rise can be attributed to hackers taking advantage of increased online activity of knowledge employees while they are working from home. This current scenario represents a great opportunity for hackers. Remote workers have in fact accounted for a security breach in 20% of organizations. Phishing scams on the rise amongst the pandemic have included links asking for donations, as well as emails from professional-looking addresses luring individuals to open attachments which then implant malicious programs on the victim’s computer. Ransomware can also start through “drive-by” downloading, which happens when a user visits an infected website, and malware is downloaded into the user’s drive unknowingly.
The world’s largest ransomware attack to date has just recently occurred, and Canada was lucky to avoid any big hits. This month, Kaseya, a Florida-based Information Technology company, was hit with a ransomware attack that affected companies in 17 different countries, including the U.K., Sweden and Mexico. The company was hacked by a Russian-based gang who call themselves “REvil”, who somehow maneuvered their way into the IT company’s seemingly secure system. Experts said that this has been the most sophisticated cyber-attack the world has seen.
Kaseya’s customers include hundreds of businesses internationally that are too small to have their own IT department, hence they outsource their security systems from the technology provider. The impact of this unfortunate ransomware attack was felt globally. In Sweden, at least 800 Supermarkets that used Kaseya had to close their cash registers for three days. In New Zealand, many schools had to remain offline while their security systems was looked into.
However, the impact that may be felt on Canada’s economy isn’t fully known yet. V. Gupta, BDO partner and cybersecurity expert expressed concerns that “Kaseya provides a critical piece of infrastructure that a lot of organizations leverage, especially in Canada,” he said. “The number [affected] could certainly grow … the impact is still not fully known” The consequences of this attack could lead to large losses for the Canadian economy, specifically for small and medium-sized businesses who outsourced their IT software from Kaseya.
This is not going to be the last ransomware attack that affects the world globally. Companies now more than ever have the responsibility of taking extra precautionary measures when choosing to outsource any software. The Canadian government may start implementing regulations for any companies outsourcing such software to remain in full compliance and safety. In the meantime, Canadian companies need to take extra steps to educate employees on how to avoid these phishing scams.