
Mandatory IT audits: risk scores don’t mean security

by Sebastiaan Bosman Blog 26 Aug 2021

More organisations in the Netherlands recognise that staying in control of their attack surface requires an active approach to mitigating risk. Every organisation is free to design its own IT security governance and processes. Now, though, a new standard may be introduced in the form of an annual, mandatory IT audit. Is this a development that genuinely helps businesses? Or one that adds little beyond paperwork?

A periodic IT check

The idea of having an external expert take a look at your IT infrastructure and its security is not necessarily a bad thing. An extra pair of eyes checking for risks couldn’t hurt. It is comparable to having your car inspected once a year to make sure everything is still working within safe limits. Should anything be wrong, the audit results in a score and determines what needs fixing.

And yet, that is where the comparison ends. You probably don’t check under your car to see if every bolt is still secured more often than the mechanic does. An organisation’s IT Security team does. They monitor the state of their digital assets continuously. And (almost) all organisations in every sector have outsourced parts of their IT infrastructure for expertise security services.


The dangers of a snap-shot audit

And that brings us to the biggest criticism of the idea. Not much may change about your car over a year, but your IT systems definitely will. New domains are created, certificates need to be updated, email traffic is monitored, attacks need to be prevented or handled… This can only be done effectively when environments are managed continuously. A once-a-year IT audit can be outdated the day after it is presented.

Now, an IT audit might force organisations to think about their security and incident response procedures and to evaluate them more often than they already do. It could help lift low-maturity organisations to a higher level of security, or bring fundamental flaws in an organisation’s basic IT setup to light.

However, this again depends on how such an audit is performed. Looking at the infrastructure from within the organisation tends to produce blind spots. It’s like diagnosing what’s wrong with the car’s engine from the driver’s seat. You need an outside-in perspective to notice the small details that might eventually lead to a bigger leak.


Risk scores don’t reflect real security

Relying on a periodic scorecard to assess the security of an organisation is not the way to stay in control of your complete attack surface. Your IT environment is constantly changing, growing, and shrinking. And though insurers might look at your audit score, attackers really don’t care whether you pass or not. It’s the smallest risks they are after, so they can systematically work their way into more important systems. A yearly audit won’t prevent that.

We probably haven’t seen the last of this discussion yet. Even if the intention of making more organisations cyber-secure is fair, the execution leaves much to be desired. As an essential part of the IT security process, we have created a post to help you set up successful IT governance. Read it here.
