9 Tips On How To Do a Security Audit On Your Digital Assets
You wouldn’t believe how many people are still using ‘Password123’.
We sat down with Adrian Halliday, JTB’s Technical Director, to discuss how to do a security audit on your digital assets.
Data security (or web security) is just as important as securing your physical assets so that they don’t get stolen; think of it as an insurance policy. At a time when digital assets are at the core of business operations, ensuring their security should be every client’s priority.
From sensitive customer data to proprietary information, businesses rely on their digital assets for productivity, innovation, and growth. And yet our front pages and screens carry news of constant data breaches and hacks, making this a big topic of conversation at JTB. More than ever before, the chance of a cyber threat is high; it’s just a matter of when.
A lot of our clients are Australian-based, so mentioning names like Optus or Australia Post is sure to be triggering. And let’s not get started on Nigerian princes. Because of the prevalence of these online attacks, any business with digital infrastructure of any kind – a customer-facing website or app, or internal infrastructure and systems – should be auditing its systems, so as to have a high-level understanding of what data it is storing and what its risk profile is, in order to protect its digital assets.
When we talk about risk profile, we’re talking about your industry’s landscape: where potential attacks could come from and what the biggest risks are. Understanding where the vulnerabilities are means they can be easily mitigated via available technologies, so long as you have people who know how to use the tech properly.
When we talk to our clients about data security, we talk about the human factor being the most important one – anecdotally speaking, a lot of breaches or attacks start with a human aspect. Take phishing, where people are thrown some bait (pardon the pun) via text or email, while hackers wait for someone to latch on. If you weren’t the prey of mysterious COVID-era shipping links, then consider yourself lucky. We have countless examples of this happening in critical infrastructure around the world.
It’s also important to think about the scale of these systems. What is the fallout if your system or website goes down for 1 minute, 1 hour, or 24 hours – how much business are you losing, and how much faith are you losing from your customers? How many people go without your product or service that day? The consequences are not considered enough. It can often feel like a vague threat, but it’s our job to educate clients that it is better to be prepared if and when a cyber attack does happen.
We’ve seen websites be hacked when there are multiple service providers involved, e.g. someone has developed the website, another is responsible for hosting, and another for security. And while you might think, “I’m just a small business, why would someone do that?” – it’s not always about the value of your data, or even a personal vendetta; it’s about utilising your infrastructure, e.g. the server, to host assets that hackers then monetise – for ad revenue, or to send out spam. Hackers can take over part of a server in secret and hide their tracks, in order to use your hardware for as long as possible without being noticed, and use your server to send out thousands of phishing emails a day.
This form of breach – getting into data without ‘officially’ hacking (the cliché of sitting in a dark room with a console) and instead getting someone to give away their personal information (username, password, etc.) – is one that compromises a system without the business or individual realising. Unfortunately, it’s the most common attack, and time-poor or senior people are the most open to these kinds of data breaches. These could be your customers or clients. The biggest breaches are where usernames, emails, and passwords become available for purchase – essentially becoming a phonebook for hackers, who try the username/password combo in the hope it is also being used for banking or other sensitive accounts.
At JTB, we can’t stress enough how important data is – and how much more thought should go into what data is being captured, particularly for smaller businesses or companies that have lead capture forms or enquiry forms.
Act first, think later is the standard approach to capturing personal data: making it functional and getting leads, without thinking about security. But not only can consumer sentiment be damaged; the legal implications of not conforming to regulatory standards for data privacy and security mean you’re exposing yourself to potential lawsuits and negative commercial effects, e.g. reimbursement or loss of customers due to a data breach.
Every business should be thinking about the following:
Any data which can be traced to an individual identity is called PII – personally identifiable information. These different data types can carry low or high risk, and it’s important for businesses to consolidate where that data is stored and how secure it is – while not having it stored in too many places, as every extra copy is another point of attack.
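As an added illustration of the consolidation point above (this is example code written for this article, not a JTB tool), the Python below scans a few constructed, hypothetical data stores for PII, records every store each value appears in, and flags values held in more than one place. The two detectors, the low/high risk labels and the store names are assumptions made for the example, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample: three hypothetical data stores and the records they hold.
# None of these records describe real people.
SAMPLE_STORES = {
    "crm": [
        {"name": "Alex Example", "email": "alex@example.com", "phone": "0412 345 678"},
    ],
    "enquiry_form_backups": [
        {"contact": "alex@example.com", "message": "please call 0412 345 678"},
    ],
    "newsletter": [
        {"subscriber": "sam@example.org"},
    ],
}

# Detectors: a pattern plus the risk level assumed for that data type.
PII_PATTERNS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "low"),
    "au_mobile": (re.compile(r"\b04\d{2}[ -]?\d{3}[ -]?\d{3}\b"), "high"),
}


def normalise(value):
    """Strip spaces and dashes and lowercase, so the same value spelled two ways
    is recognised as one copy of the same PII."""
    return re.sub(r"[ -]", "", value).lower()


def inventory_pii(stores):
    """Return {pii_type: {value: set(store_names)}} for every PII value found.

    Every field is scanned as free text, so PII embedded in a message body is
    caught as well as PII sitting in a dedicated column.
    """
    found = defaultdict(lambda: defaultdict(set))
    for store_name, records in stores.items():
        for record in records:
            for field_value in record.values():
                for pii_type, (pattern, _risk) in PII_PATTERNS.items():
                    for match in pattern.findall(str(field_value)):
                        found[pii_type][normalise(match)].add(store_name)
    return found


def duplicated_pii(inventory):
    """Values that live in more than one store: each extra copy is one more place
    an attacker could read it from, which is what consolidation is meant to remove."""
    return {
        pii_type: {value: sorted(stores) for value, stores in values.items() if len(stores) > 1}
        for pii_type, values in inventory.items()
    }


def summarise(inventory):
    """One summary per PII type: its assumed risk level, how many distinct
    values were found, and how many of those are stored in more than one place."""
    return {
        pii_type: {
            "risk": PII_PATTERNS[pii_type][1],
            "values": len(values),
            "in_multiple_stores": sum(1 for s in values.values() if len(s) > 1),
        }
        for pii_type, values in inventory.items()
    }


if __name__ == "__main__":
    inv = inventory_pii(SAMPLE_STORES)
    for pii_type, stats in summarise(inv).items():
        print(pii_type, stats)
    for pii_type, dupes in duplicated_pii(inv).items():
        for value, stores in dupes.items():
            print(f"{pii_type} {value!r} is held in {len(stores)} stores: {stores}")
```

Run against real exports, the report tells you which PII types you hold, where each value is duplicated, and therefore which copies can be deleted so that the high-risk data lives in one well-secured place.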
There are many vulnerabilities in a tech stack – so we need to look at solutions from the ground up. A tech stack starts at the server level, including what systems and software it is running, then includes, for example, the CMS application, and finally the code running on that platform. An open source platform like WordPress isn’t inherently insecure, but it can be made insecure if incorrectly implemented or maintained, e.g. insecure code or plugins customised by developers or purchased off the shelf. Ensuring your system is regularly maintained from the server up will ensure that newly discovered security vulnerabilities are patched as soon as possible to minimise risk.
It’s crucial to ensure that all users – internal or external, collaborators and customers – have the most secure access to systems possible. Where possible, users should be required to set up two-factor authentication for access to all critical systems. For internal and external stakeholders and customers alike, passwords should be securely managed via software such as 1Password or Bitwarden. When onboarding new employees or sharing access to systems, it is vital that passwords are shared securely via a password management platform or an expiring link – never as plain text in an email or instant message – or, where they have been shared insecurely, that the temporary passwords are changed as soon as they’re accessed. This applies to internal and external stakeholders alike, in case malicious parties gain access to email or messaging services and are then able to read passwords to critical systems.
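An added example of the expiring-link idea (written for this article; not JTB’s code or any password manager’s): a minimal Python store for one-time secret links, where a temporary password can be read exactly once and only before its expiry, so a link that leaks later from a mailbox or chat history is worthless. The in-memory store, the 60-second default, and the ManualClock helper are assumptions made for the example; a real service would persist entries server-side and carry the token in a URL.

```python
import secrets
import time


class ManualClock:
    """Helper for the example: a clock the caller advances by hand, so expiry
    behaviour can be exercised without sleeping."""

    def __init__(self, start=1_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SecretShare:
    """One-time, expiring secret links (assumed design for this example)."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so tests can control time
        self._items = {}              # token -> (secret, expires_at)

    def create(self, secret):
        # 32 random bytes, URL-safe: the link carries only this unguessable token,
        # never the secret itself.
        token = secrets.token_urlsafe(32)
        self._items[token] = (secret, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        """Return the secret once, then destroy it.

        Returns None if the token is unknown, already used, or past its expiry.
        An expired entry is discarded on first touch rather than returned.
        """
        item = self._items.pop(token, None)   # pop: a second redeem finds nothing
        if item is None:
            return None
        secret, expires_at = item
        if self.clock() > expires_at:
            return None
        return secret

    def purge_expired(self):
        """Housekeeping for links nobody ever opened; returns how many were removed."""
        now = self.clock()
        expired = [t for t, (_, exp) in self._items.items() if now > exp]
        for t in expired:
            del self._items[t]
        return len(expired)

    def pending(self):
        """Number of links created but not yet redeemed or purged."""
        return len(self._items)


if __name__ == "__main__":
    clock = ManualClock()
    share = SecretShare(ttl_seconds=60, clock=clock)
    link = share.create("temp-pass-CONSTRUCTED")   # constructed sample secret
    print(share.redeem(link))   # the one permitted read
    print(share.redeem(link))   # None: the link has already been consumed
```

The two properties worth checking in any tool you adopt for this are the ones the class enforces: a second open of the same link returns nothing, and an unopened link stops working on its own once the time limit passes, so the onboarding password still has to be rotated after first use as the text above advises.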
We get it – data security can feel like a chore; it’s grudge work that few customers or staff want to get around to. However, when a team and customer base is educated and potential security risks are known, doing this once and well, and establishing a maintenance program, will save time and money in the long term. It is much better than having to deal with the blowout.
How to protect digital assets:
In Conclusion
Conducting a comprehensive security audit is essential for securing the digital assets of any business against evolving cyber threats. The above tips are there to help you identify vulnerabilities, strengthen security controls, and protect your digital infrastructure from potential breaches.
We’d love to learn more about your project, and how JTB as an agency can help with web application security and protecting digital assets.
for more information or reach out to arrange a chat.