March 17, 2023
Stricter Regulations Impact Cybersecurity Audits
Earlier this month, the Biden Administration released the National Cybersecurity Strategy, which among other things accelerates efforts by the Federal Bureau of Investigation (FBI) and the Department of Defense (DoD) to disrupt the activities of hackers and ransomware groups around the world.
According to the New York Times, for years the government has pressed companies to voluntarily report intrusions in their systems and to regularly patch their programs to fix newly discovered vulnerabilities; the new National Cybersecurity Strategy concludes that such good-faith efforts are helpful but insufficient in a world of constant attempts by sophisticated hackers.
The National Cybersecurity Strategy, along with increased accountability from regulatory bodies, including the DoD, the National Credit Union Administration (NCUA), and the Federal Trade Commission (FTC), would force companies to implement minimum cybersecurity measures for critical infrastructure. The NCUA, for example, is already conducting stricter audits to ensure that covered entities meet regulatory standards. Effective February 1, 2023, NCUA Examiners are auditing credit unions using its new Information Security Examination (ISE) procedures to identify and address information and cybersecurity risks. Requirements are scaled to credit union size, risk, and level of assets. Those found out of compliance may be penalized and fined.
What is a Cybersecurity Audit?
- A cybersecurity audit is a comprehensive, independent review of your business's IT infrastructure and the controls that protect it.
- Its purpose is to act as a checklist: to validate your cyber policies and to confirm that control mechanisms are in place, and working, to enforce them.
- It identifies vulnerabilities and control gaps, exposing weak links and high-risk practices.
There are thousands of questions you could ask your internal team or your vendors about security. Identifying the most important ones will help you use your resources more efficiently and determine when it’s necessary to perform a cybersecurity audit or a cybersecurity assessment.
What is the difference between a Cybersecurity Audit and a Cybersecurity Assessment?
A cybersecurity audit and a cybersecurity assessment are formal processes, but there are some key distinctions between the two:
- An audit is performed by an independent party, typically a certified third-party organization. An internal audit team can perform one only if it is organizationally independent of the teams that build and operate the controls being audited. An assessment, by contrast, can be run by your own staff or a consultant at any time, without that independence requirement.
- An audit shows a snapshot of your security posture at a point in time, measured against a defined standard; it does not give insight into your ongoing cyber risk management. An assessment is the ongoing, improvement-focused exercise that fills that gap.
What are the benefits of a cybersecurity audit?
A cybersecurity audit is used to confirm the presence of cybersecurity controls, such as firewalls and intrusion detection systems as well as physical security controls, and to validate that they are configured and working correctly and that compliance requirements are met.
Because an audit is conducted by an independent party, it provides customers and business partners with a level of assurance about an organization's security posture that a self-assessment cannot.
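The checklist nature of an audit is easiest to see in an automated evidence check. The following is an added example, not code from the article or from any regulator: it takes a constructed, hypothetical firewall rule export and evaluates it against four checklist items (a terminating default-deny rule, no any/any allow, no administrative ports exposed to the internet, logging on every allow rule). The rule format, field names, control identifiers and sample rules are all assumptions for illustration.

```python
"""Automated evidence check for a cybersecurity audit checklist (added example).

The rule export format, the field names and the FW-0x control identifiers are
assumptions; the sample rules below are constructed, not taken from a real system.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample firewall export, in the order the firewall evaluates it.
SAMPLE_RULES = [
    {"name": "allow-web", "action": "allow", "src": "0.0.0.0/0", "port": 443, "log": True},
    {"name": "allow-ssh-any", "action": "allow", "src": "0.0.0.0/0", "port": 22, "log": False},
    {"name": "allow-rdp-admins", "action": "allow", "src": "10.20.0.0/24", "port": 3389, "log": True},
    {"name": "allow-everything", "action": "allow", "src": "0.0.0.0/0", "port": "any", "log": False},
    {"name": "default-deny", "action": "deny", "src": "0.0.0.0/0", "port": "any", "log": True},
]

# Administrative ports that policy (assumed) says must never be exposed to the internet.
ADMIN_PORTS = {22, 3389, 445, 5985, 5986}

# The checklist items this script can produce evidence for.
CONTROLS = [
    "FW-01 default deny",
    "FW-02 no any/any allow",
    "FW-03 admin ports restricted",
    "FW-04 logging enabled",
]


@dataclass
class Finding:
    control: str
    rule: str
    severity: str
    detail: str


def is_internet_source(cidr: str) -> bool:
    """True when the source matches every address, i.e. the rule is open to the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_firewall(rules):
    """Evaluate a rule list against the checklist and return one Finding per failure."""
    findings = []
    # FW-01: the last rule must be a deny covering all ports, otherwise unmatched
    # traffic falls through and the firewall does not enforce the policy.
    if not rules or rules[-1]["action"] != "deny" or rules[-1]["port"] != "any":
        findings.append(Finding(CONTROLS[0], "<ruleset>", "high",
                                "No terminating deny-all rule"))
    for r in rules:
        if r["action"] != "allow":
            continue
        # FW-02: an allow rule for every port from every source negates the control.
        if r["port"] == "any" and is_internet_source(r["src"]):
            findings.append(Finding(CONTROLS[1], r["name"], "critical",
                                    "Allows all traffic from any source"))
        # FW-03: administrative services reachable from the internet.
        elif r["port"] in ADMIN_PORTS and is_internet_source(r["src"]):
            findings.append(Finding(CONTROLS[2], r["name"], "high",
                                    f"Port {r['port']} exposed to the internet"))
        # FW-04: without logging there is no evidence the rule behaves as intended.
        if not r["log"]:
            findings.append(Finding(CONTROLS[3], r["name"], "medium",
                                    "Allow rule does not log"))
    return findings


def checklist_status(findings):
    """Collapse findings into a PASS/FAIL verdict per checklist item."""
    failed = {f.control for f in findings}
    return {c: ("FAIL" if c in failed else "PASS") for c in CONTROLS}


if __name__ == "__main__":
    results = audit_firewall(SAMPLE_RULES)
    for f in results:
        print(f"[{f.severity:8}] {f.control}: {f.rule} - {f.detail}")
    for control, status in checklist_status(results).items():
        print(f"{status}  {control}")
```

Run against the constructed export, the script fails three of the four items and passes the default-deny check; the point is that an auditor verifies both that a control exists (there is a firewall with a default deny) and that it enforces the written policy (no admin port or any/any exposure, logging that can serve as evidence).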
How are Cybersecurity audits like vehicle inspections?
Overall maintenance of a business’s cybersecurity program equates to maintenance of a motor vehicle. In this sense, regular cybersecurity assessments can be equated to regular service check-ups. Regular cybersecurity audits can be equated to regular vehicle inspections.
Just as a vehicle inspection catches problems before the check engine light comes on and the car breaks down, a cybersecurity audit helps ensure you have the protections in place before, not after, your systems fail. And if the NYS DMV, for example, implemented new and/or stricter regulations for state inspections, drivers would make sure they complied with those regulations in order to pass inspection, correct?
As mentioned in March's DataBytes, before you navigate the open road (internet) with your company, have your vehicle (cybersecurity program) inspected. Think of it as being a safe driver and not causing undue harm to those around you (customers, vendors). Identify problems before they occur, and stay safe and secure out there.