Andrey Ivashin, CIO, Dyninno Group, tells us why you should ditch periodic security audits in 2024 and why relying on them can cause more harm than good.
As industries mature, they often excessively rely on established practices and standards. It is comforting to have industry-established practices to fall back on, even if they no longer serve a significant purpose. While wasting time and money on outdated practices may seem inconsequential, relying on customs of the past can cause real harm to your system and business.
Conducting periodic security audits of company systems is still a common practice. ‘Periodic’ may refer to audits conducted annually or perhaps quarterly. In my opinion, such audits can be both time-consuming and costly. Moreover, they can be harmful as they may create a false sense of security, even though the data, systems and the entire business might be actively exposed to dangerous vulnerabilities. So 2024 might be the year to ditch them for good. Here’s why:
Adapting to rapid changes
To illustrate the limitations of periodic audits, let’s consider our practices at Dyninno Group. Fast-changing conditions necessitate new methods: relying solely on an annual information security audit or focusing primarily on defence from external intrusions is insufficient. For instance, if an information security audit is conducted once a year, information about vulnerabilities may be received too late, allowing intruders to exploit them at any time before the audit.
At Dyninno Group, we deploy changes to our applications multiple times a day. Each deployment can potentially introduce a new vulnerability. Developers, like anyone else, can make mistakes.
Vulnerabilities can be introduced at any time. For example, a developer might inadvertently expose an internal query to the public while changing the code of an application, leading to the exposure of sensitive data.
Given that we make changes to our applications daily and that each deployment could potentially lead to a security breach, constant monitoring is essential to promptly identify vulnerabilities.
Alarmingly, professional ‘Hacking-as-a-Service’ has become a low-cost and readily available service. Modern intruders do not even need to invest in expensive systems or have deep IT knowledge; they can simply inquire about such services on darknet markets. This accessibility has led to an increase in simple but massive cyberthreats that can harm both individuals and organisations. From our own experience at Dyninno Group, we encounter tens of thousands of cyberattack attempts on our systems daily.
We are working towards establishing practices of constant security monitoring to mitigate these risks. Scripts scan the code for potential vulnerabilities before deployment and additional scanning post-deployment checks for vulnerabilities.
While I question the efficacy of periodic audits in today’s fast-paced environment, they are still deemed necessary due to industry standards. Auditors are periodically invited to certify that the implemented practices are effective and secure.
A shift in focus
It would be more logical to audit an organisation’s protocols rather than the system itself. The system should be protected 24/7. Auditing protocols, instead of the system, would provide an additional layer of assurance that the organisation is taking necessary precautions.
Continuous 24/7 monitoring and scanning of resources are required to ensure immediate notification of any issues. Every layer of architecture must be secured and defended.
Our approach is based on a consistent monitoring system. We prefer to use a Security Information and Event Management (SIEM) system, which is designed to provide real-time analysis of security alerts generated by applications and network hardware and can detect any anomalies. The key is to immediately register all events involving the critical systems, including C-level devices such as laptops and mobile phones and to have protocols and processes in place to respond if anomalies are detected.
C-level executives are particularly attractive targets for hackers due to their access to multiple layers of confidential information, crucial systems, not to mention the financial resources of the company. In addition, a breach involving a C-level executive can severely damage the company’s reputation.
Choosing a reliable and large cloud provider with transparent data storage and security policies is also recommended and can help with data compliance as well. Many countries are tightening legislation in the field of personal data processing (e.g., GDPR). Failure to comply can be the reason for expensive data breaches. Non-compliance can also lead to heavy fines, so it is vital for organisations to understand the data they store and take steps to protect it.
Another essential practice is to encrypt all critical and sensitive data you collect and store. Not even a single byte should remain unencrypted in a modern IT system. No system is invincible and information security for businesses lies in making the cost of hacking your system prohibitively high.
Lastly, we must not forget about backups. While it is a common practice, it is crucial to always check the availability of backup files. We use a special environment to validate each new backup we create.
In this digital age, staying ahead in cybersecurity is not just a technical requirement but a business imperative. By shifting from periodic audits to continuous monitoring, businesses can fortify their defences and ensure sustainable growth. In a world where cyberthreats evolve daily, it’s time businesses adapt with proactive, continuous monitoring. Don’t wait for the next audit; safeguard your assets now.