When I work with companies, I’m still surprised to hear that their internal audit shop hasn’t begun auditing IT cloud security or social media as much as they should. Audit teams will say, “We haven’t really begun doing that yet.” Well, now is the time to seize the day and protect your assets (and mine).
So let’s get started. Below are top IT risks that consistently vex companies and checklists to combat those risks.
IT Risk: Brand Protection and Confidentiality Issues Created by Social Networking
Your company’s brand can take a nosedive in an instant because of a bad social media moment. Once the problem is out on the internet, an article, post, update, or video can spread at light speed.
The risks: Obviously, companies want to be proactive with providing good products and good customer service. Still, one viral video can severely tarnish a company’s reputation. Do companies have processes in place to assuage public discord should their company fall prey to social media? Poor brand management can equate to lost revenue, which makes everyone a little grumpy.
The IT checklist:
- Get onsite. Conduct field examinations and inspections of locations to identify the elements that impact a brand.
- Outline processes. When in the field, pay close attention to both customer-facing as well as back-office operations.
- Mimic the customer. If you work for a car company, visit the websites where you would find customer reviews. Find out the customer climate for the newest cars on the production line.
- Check for committees. Some companies have Brand Protection Committees or something similar whose sole purpose is to protect the company brand and respond to social media threats. Audit should make every effort to crosscheck with these groups for any risk-mitigating procedures in use.
IT Risk: Security and Data Loss Caused by the Increasing Number of Mobile Devices
Everyone uses mobile devices. An Asurion study found that Americans check their phones every 12 minutes, or 80 times a day on average. Within minutes of going to bed and waking, millions are checking their phones. Data breach via mobile devices should come as no surprise to auditors.
Moreover, business is becoming increasingly dependent on mobile devices. Research firm Gartner predicts “by 2021, 27% of corporate data traffic will bypass perimeter security... and flow directly from mobile and portable devices to the cloud.” Although mobile enables greater productivity and flexibility for the employee, the company must tackle the burgeoning IT risks that accompany mobile device use.
The risks: While users find mobile devices convenient for work, mobile comes with a host of risks, including the following:
- Lack of physical security controls
- Use of untrusted mobile devices
- Use of untrusted networks
- Use of apps created by unknown parties
- Interaction with other systems
- Mingling of personal and business data
- Use of untrusted content and use of location services
The IT checklist: When the mobile device is the user’s own, audit must look to the processes and procedures that should be in place to protect the company.
- Be proactive. Check to see that the company uses a mobile device strategy that aligns use with company objectives and outlines security standards (with penalties).
- Use frameworks. If you feel like reinventing the wheel, don’t. Make use of existing frameworks, such as NIST and COBIT, which provide detailed guidance on mobile device use in business. ISACA even provides a set of procedures for a Bring Your Own Device (BYOD) program.
IT Risk: Data Management and Other Issues Related to the Growing Use of Cloud Services
Cloud computing is here to stay. It’s great, isn’t it? It seems so safe and warm and fuzzy, especially when you’re uploading items to the cloud from the comfort of your own home while sitting in your pajamas.
But get your head out of the clouds. The computing cloud is not 100 percent secure, people. It’s as accessible to hackers as it is to you.
The risks: Firms are selling cloud services with abandon, yet the risks are real. Top cloud risks include the following:
- Security risks in the technology itself
- Unauthorized access or leak of customer or proprietary information
- Inability to enforce a security policy in a cloud service-provider environment
- Delayed action in business continuity or disaster recovery
The IT checklist: When auditing cloud security, make sure your third-party service provider is fully tested. Remember, if the cloud fails, it’s your brand (not the third-party cloud provider’s brand) that suffers.
- Test more often. If you audit once every two years, try every year or semi-annually.
- Fully test disaster recovery and business continuity plans. Often, auditors check to see that a DRP or BCP is in place. However, the plan in place might not work. Fully test the plan in a mock disaster to see that the plan works.
- Refer to existing frameworks that include cloud security (NIST, COBIT).
- Recommend cloud services that are business-ready.
- Use either third-party or built-in tools to secure data access for Software as a Service (SaaS) apps and cloud services.
- Place a cloud access security broker (CASB) between cloud service providers and customers. CASB features include single sign-on to cloud services, device profiling, login controls, alerting, and malware detection or prevention.
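To make the CASB bullet concrete, here is a small policy evaluator that shows how the single sign-on gate, device profiling, login alerting, and upload blocking described above combine into one allow/alert/deny decision per SaaS access request. It is an added illustration written for this article, not code from any CASB product or from the article itself; the application names, user names, countries, and the blocked file hash are constructed sample values, and the rule set is a hypothetical one chosen to show the decision structure.

```python
"""Toy CASB-style access policy evaluator (added illustration, hypothetical rules)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample data: the app names, users, countries and hash are made up.
SENSITIVE_APPS: Set[str] = {"payroll-saas", "crm-saas"}
BLOCKED_FILE_HASHES: Set[str] = {"deadbeef-constructed-malware-hash"}
KNOWN_LOGIN_COUNTRIES: Dict[str, Set[str]] = {"alice": {"US"}, "bob": {"US", "DE"}}


@dataclass
class AccessEvent:
    """One request from a user on a device to a cloud application."""
    user: str
    app: str
    country: str
    mfa_passed: bool        # did the SSO step complete MFA?
    device_managed: bool    # enrolled in the company's device management?
    os_patched: bool        # device profile reports a current OS patch level?
    upload_hash: str = ""   # hash of an uploaded file, empty when nothing is uploaded


@dataclass
class Decision:
    action: str                              # "allow", "alert" or "deny"
    reasons: List[str] = field(default_factory=list)


def evaluate(event: AccessEvent) -> Decision:
    """Apply the hypothetical CASB rules; hard failures deny, soft findings alert."""
    hard_fail: List[str] = []
    soft_findings: List[str] = []
    sensitive = event.app in SENSITIVE_APPS

    # Single sign-on gate: every cloud login must have completed MFA.
    if not event.mfa_passed:
        hard_fail.append("mfa_not_completed")

    # Device profiling: unmanaged or unpatched devices may not reach sensitive
    # apps; for other apps they are allowed but flagged for the audit trail.
    if not event.device_managed:
        (hard_fail if sensitive else soft_findings).append("unmanaged_device")
    if not event.os_patched:
        (hard_fail if sensitive else soft_findings).append("unpatched_os")

    # Login alerting: a country never seen before for this user raises an alert.
    if event.country not in KNOWN_LOGIN_COUNTRIES.get(event.user, set()):
        soft_findings.append(f"new_login_country:{event.country}")

    # Malware prevention on uploads: a known-bad file hash blocks the request.
    if event.upload_hash and event.upload_hash in BLOCKED_FILE_HASHES:
        hard_fail.append("blocked_file_hash")

    if hard_fail:
        return Decision("deny", hard_fail + soft_findings)
    if soft_findings:
        return Decision("alert", soft_findings)
    return Decision("allow")


# Constructed sample traffic covering each rule once.
SAMPLE_EVENTS: List[AccessEvent] = [
    AccessEvent("alice", "crm-saas", "US", True, True, True),
    AccessEvent("alice", "crm-saas", "US", True, False, True),
    AccessEvent("bob", "wiki-saas", "DE", True, False, True),
    AccessEvent("bob", "wiki-saas", "BR", True, True, True),
    AccessEvent("alice", "wiki-saas", "US", False, True, True),
    AccessEvent("alice", "wiki-saas", "US", True, True, True,
                upload_hash="deadbeef-constructed-malware-hash"),
]


def run_samples() -> List[Decision]:
    """Evaluate the constructed events in order."""
    return [evaluate(e) for e in SAMPLE_EVENTS]


def summarize(decisions: List[Decision]) -> Dict[str, int]:
    """Count decisions by action, the kind of figure an audit report would cite."""
    counts: Dict[str, int] = {}
    for d in decisions:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


if __name__ == "__main__":
    results = run_samples()
    for event, decision in zip(SAMPLE_EVENTS, results):
        print(f"{event.user:6} {event.app:12} {event.country}  "
              f"{decision.action:5} {decision.reasons}")
    print(summarize(results))
```

The point for an auditor is the split between hard failures and soft findings: a deny is evidence the control works, while the alert stream is what you sample when checking whether anyone actually reviews CASB output.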
When it comes to auditing IT, you can go the conservative route with compliance and policy checking or you can choose to conquer emerging risks to keep your company safe (and make audit interesting at the same time!).