
Mandatory IT audits: risk scores don’t mean security

by Sebastiaan Bosman Blog 26 Aug 2021

More organisations in the Netherlands recognise the need for an active approach to stay in control over their attack surfaces in order to mitigate risks. Every organisation is able to create their own IT security governance and processes. Now, though, a new standard might be introduced in the form of an annual, mandatory IT audit. Is this a development helping businesses further? Or one that doesn’t really add anything other than paperwork?

A periodic IT check

The idea of having an external expert taking a look at your IT infrastructure and its security is not necessarily a bad thing. Having an extra pair of eyes to check for any risks couldn’t hurt. It is comparable to having your car checked once a year to make sure everything is still working within safe limits. Should anything be wrong, this audit will result in a score and determine what needs fixing.

And yet, that is where the comparison ends. You probably don’t check under your car to see whether every bolt is still tight more often than the mechanic does. An organisation’s IT security team does: it monitors the state of its digital assets continuously. And (almost) all organisations in every sector have outsourced parts of their IT infrastructure to specialist security service providers.


The dangers of a snap-shot audit

And that brings us to the biggest criticism of the idea. Not much about your car may change over a year, but your IT systems definitely will. New domains are created, certificates need to be renewed, email traffic is monitored, attacks need to be prevented or handled… This can only be done effectively when environments are managed continuously. A once-a-year IT audit can be outdated the day after it is presented.

Now, an IT audit might force organisations to think about their security and incident response procedures and to evaluate them more often than they already do. It could help raise low-maturity organisations to a higher level of security, or bring fundamental flaws in an organisation’s basic IT setup to light.

However, this again depends on the way such an audit is performed. Looking at the infrastructure from within the organisation is likely to leave blind spots. It’s like diagnosing what’s wrong with the car’s engine from the driver’s seat. You need an outside-in perspective to notice the small details that might eventually lead to a bigger leak.


Risk scores don't reflect a high level of security

Relying on a periodic scorecard to assess the security of an organisation is not the way to stay in control of your complete attack surface. Your IT environment is constantly changing, growing, and shrinking. And though insurers might look at your audit score, hackers really don’t care whether you pass or not. It’s the smallest risks they are after, so they can systematically work their way into more important systems. A yearly audit won’t prevent that.

We probably haven’t seen the last of this discussion yet. Even if the intention of making more organisations cyber-secure is fair, the execution leaves more to be desired. As an essential part of the IT security process, we have created a post to help you set up a successful IT governance. Read it here.
