
IT security audit – If things are going so well, why are they so bad?

Today, an IT security audit has become an indispensable element of the strategy of every company, regardless of its size or industry. New legislative requirements, the constantly growing number of cyberattacks and the increasingly advanced technology used to carry them out make these audits crucial for protecting resources and data from potential threats.

What is an IT security audit?

An audit is a comprehensive assessment and analysis of IT system architecture in terms of potential threats and weaknesses. It includes a review of security policies, risk management procedures and the application of technical protection measures. The goal is to identify and neutralize threats appearing at critical points that could be used as an attack vector.

It is important to remember that an IT security audit is a complex process. The Deming Cycle (PDCA) within an ISMS (Information Security Management System), which we discussed in the context of the ISO 27001 standard, shows that an audit is part of a larger process that should be repeated cyclically. Conducting it requires both in-depth technical knowledge and an understanding of the business context of the company’s operations.

An auditor must have knowledge of all components of a company’s IT infrastructure, including hardware, software, and networks. This allows for the effective identification of potential weaknesses. A mere inventory of IT safeguards is not enough – the auditor must also understand the interconnections between individual elements.


An audit also requires a review of policies and procedures related to cybersecurity. This is a review not only in terms of their effectiveness but also their compliance with best practices and legal regulations, such as GDPR or NIS2.

The auditor assesses which areas are most vulnerable to attacks and prioritizes the actions recommended to counter that risk.

Penetration tests and regular vulnerability scanning are helpful in performing cyclical audits. This helps not only to identify new problems but also to verify if previously identified gaps have been effectively patched.
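The two preceding points, prioritising findings by risk and verifying across audit cycles that previously identified gaps were actually closed, are illustrated by the following added example (not code from the original article). It compares the finding sets of two scan cycles; the finding fields, check identifiers and sample data are constructed placeholders, not output of any particular scanner.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Finding:
    host: str       # asset the finding applies to
    check_id: str   # scanner check or vulnerability id (placeholder values below)
    severity: str   # "critical" / "high" / "medium" / "low"


# Constructed sample data: findings from the previous audit cycle vs. the current scan.
PREVIOUS = {
    Finding("web-01", "CHECK-0001", "high"),
    Finding("web-01", "CHECK-0002", "medium"),
    Finding("db-01", "CHECK-0003", "critical"),
}
CURRENT = {
    Finding("web-01", "CHECK-0002", "medium"),    # still open
    Finding("db-01", "CHECK-0003", "critical"),   # still open, and critical
    Finding("mail-01", "CHECK-0004", "high"),     # new since the last cycle
}


def compare_cycles(previous, current):
    """Classify findings as fixed, persisting or new between two audit cycles."""
    return {
        "fixed": previous - current,
        "persisting": previous & current,
        "new": current - previous,
    }


def remediation_rate(previous, current):
    """Share of last cycle's findings that are no longer present (0.0 if there were none)."""
    if not previous:
        return 0.0
    return len(previous - current) / len(previous)


def overdue_findings(previous, current, severities=("critical", "high")):
    """Persisting findings at the given severities: the ones that should block sign-off."""
    return sorted(f for f in previous & current if f.severity in severities)


if __name__ == "__main__":
    result = compare_cycles(PREVIOUS, CURRENT)
    for status, findings in result.items():
        print(f"{status}: {len(findings)}")
    print(f"remediation rate: {remediation_rate(PREVIOUS, CURRENT):.0%}")
    print("overdue:", overdue_findings(PREVIOUS, CURRENT))
```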

An IT security audit should conclude with a detailed report that not only points out problems but also contains recommendations for further action. The report should be understandable not only to IT specialists but also to non-technical individuals in company management.

IT security audit in NIS2

The new NIS2 Directive introduces stricter requirements for critical and important sectors, increasing responsibility for the protection of systems and data. This is a clear signal that regular, rigorous audits are necessary.

The NIS2 Directive is an update and expansion of the original NIS (Network and Information Systems) Directive. It increases security and incident reporting requirements for critical entities and essential digital service providers. While it does not explicitly use the term “IT security audit” in every instance, it imposes obligations on organizations that effectively require procedures similar to audits.

An IT security audit is essential in processes specified in NIS2, such as:

  1. risk assessment and identification of remedial measures,
  2. incident management and ensuring business continuity,
  3. incident reporting,
  4. requirements for digital service providers.

Incorrect interpretations of rankings give a false sense of security

From time to time, the media showcase new cybersecurity rankings in which Poland holds high positions. In The Cyber Defense Index 2022/23, developed by MIT Technology Review, Poland ranked ahead of countries such as Japan, Switzerland, or China. This is good news, but before we assume we are safe, it is worth looking at what the ranking actually measures. This list evaluates countries based on their ability to defend against cyberattacks and their overall level of preparation and response to cyber incidents.

A high position shows that as a country, we are keeping pace with threats. At a time when the Minister of Digital Affairs points to a constantly growing number of attacks, the good preparation of our national services is certainly a reason to be pleased.

Unfortunately, this does not translate into effective business security, as shown by the 2024 Cisco Cybersecurity Readiness Index. To quote this source, only 1% of Polish companies achieved the highest rating – “Mature” – in the assessment of their level of protection against cyberattacks. Compared to other countries, 3% of organizations globally achieve this rating. The next level is “Progressive” (which in Polish is perhaps best reflected by the word zaawansowany). Polish companies were classified at this level in 11% of cases vs. 26% globally.

If this is the case, threat awareness in business is unfortunately still very low. This, in turn, raises concerns that IT security audits are either not being carried out at all, or not in the proper way and with the recommended frequency. If they were, and if senior management were interested in their results, the situation would look more optimistic. One can, of course, debate what is considered “advanced” versus “mature” security, but the methodology is the same for all respondents. On the other hand, the same report also indicates a 91% increase in cybersecurity spending, which can be seen as a positive sign.

The importance of IT security audits cannot be overstated. They are the foundation for maintaining business continuity and data security. The dynamic development of technology, used both by attackers and by those defending your company’s IT ecosystem, means that the frequency of security status checks should increase, and their regularity must be strictly maintained.
