How to Perform or Arrange an IT Security Audit

Conducting a security audit is a crucial first step to identifying vulnerabilities and reducing risk.

Small businesses often struggle with cybersecurity, both because they don't have advanced tools and because they don't think they're at particular risk. That 'false sense of security' is starting to slip, though: A recent National Cyber Security Alliance survey found that 88 percent of small organizations believe that they are at least a "somewhat likely" target for cybercriminals. 

Perhaps that wariness comes from experience. According to Accenture, 43 percent of cyberattacks are aimed at small businesses, and only 14 percent of small businesses are prepared to defend themselves. Separate from targeted attacks, there are many breaches that result from indiscriminate attacks, where criminals just 'spray' large swaths of domains or email addresses, hoping to score a hit.

Being prepared to face threats, including ransomware, data leaks, phishing, malware, insider attacks, and cyberattacks, is the best way to defend against them. Performing a security audit will help uncover weak points and help identify the necessary steps to protect your organization. 

Why conduct an audit?

Companies perform security audits to avoid data breaches, which can affect not only an organization's financial standing, but also its reputation. Audits can also:

  • Deliver better organizational knowledge: understanding where the organization is vulnerable shows where it needs to improve.

  • Help avoid regulatory issues. Failure to comply with requirements such as HIPAA in the healthcare sector or PCI DSS in the payment card industry can lead to data theft and, with it, hefty fines and penalties from oversight agencies.

  • Limit downtime of customer-facing systems by identifying areas of poor performance. Pinpointing the weak links and repairing them before they break down is a helpful side benefit of audits.

  • Improve competitive position. Data loss includes the theft of trade secrets, software code, and anything that differentiates a business from its competitors. Losing proprietary information can mean loss of business that finds its way to other players. 

External or internal audit?

Audits pinpoint vulnerabilities — weaknesses that may result in unauthorized network access when exploited. 

An external audit is conducted by a professional firm. The auditors use various types of cybersecurity software, such as vulnerability scanners, to find gaps and security flaws. External audits can be expensive, with costs ranging from $1,500 to $20,000 according to one estimate, depending on the number of servers, the company structure, the number of employees and accounts, and the software in use. Many firms opt for external audits annually (rather than as an ongoing practice) to keep down costs. Some qualities to look for when arranging a security audit include:

  • An auditor should have experience working with small companies, specifically. 

  • An auditor should be able to test for vulnerabilities beyond the basic 'black lists' of known exploits. Those who can think like attackers can recognize weaknesses and find solutions quickly.

  • Auditors must explain and categorize risks for the IT professionals and business leaders of the organization.

  • Auditors should create an easy-to-follow action plan to help the organization react to and recover from incidents.

An internal audit is easier to manage and less expensive. Companies appoint a team to gather information and set their own benchmarks. 

Keeping it in-house

Ideally, internal audits should occur quarterly. Cyberthreats evolve constantly and quickly, so your security needs to keep pace. Here's what should be documented in an audit:

  1. Gather and review plans: Are they up to date, with roles and responsibilities clearly defined? Plans must reflect the current needs of the business.

  2. Define your assets: List what is going to be included in the audit's scope, such as technology equipment, customer data, and other sensitive information. 

  3. Identify and account for potential threats: Vulnerabilities may emerge, for example, when the company adds third-party data storage, when employees leave or join, or when new hardware, software, and servers are added.

  4. Stay updated: Software-based vulnerabilities may be addressed with appropriate patch management, using automatic forced updates. This is a low-hanging fruit that can improve your posture immediately.

  5. Evaluate current protocols and develop new ones: Proper keycard access can prevent a disgruntled former employee from crashing a computing system. Update security policies and physical locks, if needed. Technical areas to evaluate include hardware, software, continuous data leak detection, encryption, two-factor authentication, intrusion detection mechanisms, and automatic updates.

  6. Spell out what happens when a threat is detected: Review plans to defend against identified threats. Engage all the organization's teams, not just IT, to discover where security training might be necessary.

  7. Quantify the risks: Determine how dangerous each identified threat is. Risk scores consider the potential damage from an event, the likelihood of that event, and the current ability to handle that event. Each factor is given a numeric value, and the average of those factors determines the risk score.
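As an added illustration of step 7 (not code from the article), the following risk register scores each identified threat on the three factors the text names and ranks them by the averaged score. It assumes a 1–5 scale, scores the "ability to handle" factor as a control gap (5 = no current ability) so that a higher value raises risk, and uses band thresholds that are assumptions, not figures from the article.

```python
from dataclasses import dataclass

# Assumed 1-5 scale for every factor; the article gives no scale.
SCALE = range(1, 6)


@dataclass(frozen=True)
class Threat:
    asset: str
    threat: str
    damage: int        # potential damage if the event occurs (1 low .. 5 severe)
    likelihood: int    # how likely the event is (1 rare .. 5 expected)
    handling_gap: int  # how poorly it can be handled today (1 well .. 5 not at all)

    def risk_score(self) -> float:
        """Average of the three factors, as the article describes."""
        factors = {"damage": self.damage, "likelihood": self.likelihood,
                   "handling_gap": self.handling_gap}
        for name, value in factors.items():
            if value not in SCALE:
                raise ValueError(f"{name} must be in {SCALE.start}..{SCALE.stop - 1}")
        return round(sum(factors.values()) / len(factors), 2)


def risk_band(score: float) -> str:
    """Assumed thresholds used to turn a score into an action priority."""
    if score >= 4.0:
        return "high"
    if score >= 2.5:
        return "medium"
    return "low"


def rank_register(threats: list[Threat]) -> list[Threat]:
    """Highest-risk threats first, so remediation can be ordered."""
    return sorted(threats, key=lambda t: t.risk_score(), reverse=True)


# Constructed sample register for a small business (not real data).
REGISTER = [
    Threat("customer database", "ransomware via unpatched server", 5, 4, 4),
    Threat("payroll file share", "former employee still holding a badge", 4, 2, 5),
    Threat("marketing laptop", "device lost, disk already encrypted", 2, 3, 1),
]

if __name__ == "__main__":
    for t in rank_register(REGISTER):
        print(f"{t.risk_score():.2f} {risk_band(t.risk_score()):6} {t.asset}: {t.threat}")
```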

Smaller organizations may not have the resources to dedicate an IT team to performing audits, but there are many qualified third-party providers who can tackle the job. Companies are also turning to cybersecurity software to monitor risks continually and prevent breaches.

Workable cybersecurity solutions exist for businesses of every size. Creating a culture of security awareness is critical to protecting your operation and your customers. Conducting a security audit is a crucial first step.