The document provides a five step process for conducting an internal security audit: 1) assess assets, 2) identify threats, 3) evaluate current security, 4) assign risk scores, and 5) build a security plan. It describes each step and gives examples to help businesses strengthen cybersecurity.

Uploaded by sohaib ahmed

FIVE STEPS TO STRONGER SECURITY

How to Conduct Your Own Internal Security Audit

Protect your business against data breaches and other cybersecurity threats.

This mini-guide explains why you should conduct an internal security audit and walks you through how to run one for your business. All in five steps.

01 Assess your assets
02 Identify threats
03 Evaluate current security
04 Assign risk scores
05 Build your plan


Intro

What’s the difference between an internal and external audit?

Learn the pros and cons of each method in the comparison below.

Keep in mind that if you choose to do an internal security audit, it’s important to learn the compliance requirements necessary to uphold security protocols in your industry. Once familiar, you’ll know what to keep an eye on—and you can start on the first step of your internal audit.

INTERNAL AUDIT
- Inexpensive for both small and large businesses
- Less disruptive to internal workflows
- Smaller, more nimble process that gets done more quickly
- Can establish a consistent process and baseline for future audits
- Because of the low cost and efficiency, can be done more frequently
- May have a steeper learning curve for teams performing their first audit
- Process could be affected by internal biases when evaluating own team’s performance
- Not always compliant with legal requirements, such as the Gramm-Leach-Bliley Act

EXTERNAL AUDIT
- Prohibitively expensive for smaller businesses (hovering around $50k)
- Requires coordination between internal and external teams, which can disrupt workflow
- May take a longer time to both find a respected and affordable audit partner and for the partner to complete the audit
- Because of the high cost and time requirement, cannot be done very frequently
- May not be a consistent process if the audit partner changes
- Performed by trained, seasoned professionals who have the appropriate tools and software
- No biases when evaluating current security standards
- Compliant with legal requirements, such as the Gramm-Leach-Bliley Act

Step 1 | Assess your assets

Your first job as an auditor is to define the scope of your audit by writing down a list of all your assets.

It’s unlikely that you’ll be able to audit all your assets—so the final part of this step is determining which assets you’ll audit and which you won’t.

Here are some examples of assets:
- Computer and tech equipment
- Sensitive company and customer data
- Important internal documentation

Step 2 | Identify threats

Next, look at the assets you plan to audit and list the potential threats next to each one.

Here is a list of common threats to consider:

Level of employee diligence: Your employees are your first line of defense—will they recognize suspicious activity (like phishing) and follow the security protocols laid out by your team?

Phishing attacks: Hackers and bad actors are increasingly turning to phishing scams to gain access to sensitive information. In 2020, 74% of U.S. organizations said they experienced a successful phishing attack.

Poor password habits: Weak, stolen, or reused employee passwords are the #1 cause of data breaches. Find out why passwords are the weak link in your company security in our white paper “Password Management 101.”

Physical breach or natural disaster: While unlikely, the consequences of one or both of these things can be incredibly expensive.

Malicious insiders: It’s possible that someone within your business or a third party with access to your data could steal or misuse sensitive information.

DDoS attacks: A distributed denial-of-service (DDoS) attack is what happens when multiple systems flood a targeted system (typically a web server) and overload it, thus rendering it useless.

BYOD (Bring your own device): The shift to remote and distributed work has also created a rise in work done on personal devices and vice versa. Unless your organization prohibits BYOD, you should assume employees have access to company accounts on personal phones and computers. Any device that has access to your systems needs to be accounted for, even if it’s not owned by your business.

Malware: This accounts for a number of different threats, like worms, Trojan horses, spyware, and includes an increasingly popular threat: ransomware.

Threat (noun, /THret/): Any activity, occasion, behavior, or thing that can cost your business a significant amount of money.

Step 3 | Evaluate current security

It’s time for some honesty. Now that you have your list of threats, you need to be candid about your company’s ability to defend against them.

It is critical to evaluate your performance—and the performance of your department at large—with as much objectivity as possible.

For example, maybe your team is particularly good at monitoring your network and detecting threats, but it’s been a while since you had a training for your employees. You’ll want to consider how you can build a strong culture of security among all your employees—not just in the IT department.

Step 4 | Assign risk scores

Prioritizing the threats you’ve identified in this audit is one of the most important steps—so how do you do it? Assign risk scores and rank threats accordingly.

How to calculate a risk score

A simple formula for determining risk considers three main factors: potential damage from an event, likelihood of that event, and current ability to handle that event (determined in step three). The average of these three factors will give you a risk score.

Below is an example that designates a score of 1-10 for each individual factor. You and your team can use as many or as few factors as you deem necessary—and add weight to them accordingly.

Risk score formula

(Potential damage + Event likelihood + Current security abilities) / 3 = Risk score

Example assessment: Hurricane hitting a company’s server center

Potential damage: 10 (all the servers for the business could lose power)
Event likelihood: 3 (the location of the servers hasn’t experienced a huge storm in four years)
Current security abilities: 8 (you don’t yet have a contingency plan for failing servers)
Total risk score: (10 + 3 + 8) / 3 = 7

Other factors to consider

Current cybersecurity trends: What is the current method of choice for hackers? What threats are growing in popularity and which are becoming less frequent? Learn cybersecurity predictions and observations from a white hat hacker herself.

Industry-level trends: What types of breaches are the most prevalent in your industry?

Regulation and compliance: Are you a public or private company? What kind of data do you handle? Does your organization store and/or transmit sensitive financial or personal information? Who has access to what systems? The answers to these questions will have implications on the risk score you are assigning to certain threats and the value you are placing on particular assets.

Get news of the latest data breaches and learn how to respond today.
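A small calculator for the formula above, added here as an example and not part of the original guide: it scores a constructed threat register on the three factors from this step, supports the per-factor weighting the text mentions, rejects scores outside the 1-10 scale, and ranks the results so the top of the list feeds step 5. It assumes, as the hurricane example implies (no contingency plan scored 8), that a higher "current security abilities" score means a weaker ability to handle the event.

```python
from dataclasses import dataclass

# Scale used by the guide: each factor is scored 1-10.
MIN_SCORE, MAX_SCORE = 1, 10


@dataclass(frozen=True)
class Threat:
    """One row of the audit's threat list (constructed for this example)."""
    name: str
    potential_damage: int   # 10 = business-ending, 1 = negligible
    event_likelihood: int   # 10 = near certain, 1 = very rare
    security_gap: int       # 10 = no ability to handle it (assumption: higher = weaker)


def _check(value: int, label: str) -> int:
    """Reject scores outside 1-10 instead of silently skewing the average."""
    if not MIN_SCORE <= value <= MAX_SCORE:
        raise ValueError(f"{label} must be {MIN_SCORE}-{MAX_SCORE}, got {value}")
    return value


def risk_score(threat: Threat, weights: tuple[float, float, float] = (1.0, 1.0, 1.0)) -> float:
    """Weighted average of the three factors; equal weights give the guide's plain /3 formula."""
    factors = (
        _check(threat.potential_damage, "potential_damage"),
        _check(threat.event_likelihood, "event_likelihood"),
        _check(threat.security_gap, "security_gap"),
    )
    if any(w < 0 for w in weights) or sum(weights) == 0:
        raise ValueError("weights must be non-negative and not all zero")
    weighted = sum(f * w for f, w in zip(factors, weights))
    return round(weighted / sum(weights), 1)


def rank_threats(threats: list[Threat], weights=(1.0, 1.0, 1.0)) -> list[tuple[str, float]]:
    """Highest risk first, so the top of this list becomes the top of the step 5 to-do list."""
    scored = [(t.name, risk_score(t, weights)) for t in threats]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample register; the hurricane row uses the guide's own numbers (10, 3, 8).
SAMPLE_THREATS = [
    Threat("Hurricane hitting the server center", 10, 3, 8),
    Threat("Phishing against finance staff", 8, 9, 5),
    Threat("Unmanaged BYOD laptops", 6, 7, 4),
]

if __name__ == "__main__":
    for name, score in rank_threats(SAMPLE_THREATS):
        print(f"{score:>4}  {name}")
```

Weighting potential damage more heavily (for example weights of 3, 1, 1) moves the hurricane to the top of the ranking, which is the kind of adjustment the text leaves to you and your team.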
Step 5 | Build your plan

And finally, for each threat on your prioritized list, determine a corresponding action to take.

Eliminate the threat where you can, and mitigate and minimize everywhere else.

You can think of this as a to-do list for the coming weeks and months.

Not sure where to start? Here are some common security solutions for you to consider.

Employee education and awareness: More than 80% of all hacking-related data breaches involve the use of stolen credentials or passwords. Employees are the weakest link in your network security—run training for new and seasoned employees to create awareness around security best practices, like how to spot a phishing email.

Email protection: Phishing attacks are increasingly popular nowadays—and they are becoming more difficult to identify. Once clicked, a phishing email gives a perpetrator several options for gaining access to your data via software installation. Consider spam filters and visibly tagging emails as internal or external to your network.

Password safety and access management: Invest in a business password manager to help eliminate password reuse, enhance password complexity, and enable secure password sharing. As the admin, you can easily manage and monitor employee access. If your company uses single sign-on (SSO) for certain key accounts, you can integrate your password manager with your SSO provider for simple and secure access.

Network monitoring: Consider network monitoring software to help alert you to any questionable activity or unknown access attempts. Software systems, like Darktrace, offer 24/7 protection and use artificial intelligence to help identify cybercrimes before they occur—though these systems are typically on the expensive side.

Data backup: Back up your data consistently to ensure that it’s safe and separate in case of a malware attack or a physical attack to your primary servers.

Software updates: To secure access points, it’s important for everyone on your network to have the latest software. You can enforce software updates manually, or you can use a tool like Duo to keep your sensitive accounts locked to employees whose software isn’t up to date.

Security audit? Check.

Congrats. You just completed your first internal security audit.

This should be used as a baseline for future audits, so you can measure your improvements (or areas that need improvement) over time.

Creating an atmosphere of security awareness starts with you. And conducting a security audit was a crucial first step.

Ready to start implementing better security with a password manager?

Read “A Practical Guide to Cybersecurity with a Password Manager” to learn how to prevent risks and take more proactive measures.

Read the guide →