9 Tips On How To Do a Security Audit On Your Digital Assets

Digital Agency, Marketing, Tip and Tricks
15 April 2024

You wouldn’t believe how many people are still using ‘Password123’.
 
We sat down with Adrian Halliday, JTB’s Technical Director, to discuss how to do a security audit on your digital assets.
 
Just as it is important to secure your physical assets so that they don’t get stolen, data security (or web security) is much like an insurance policy. At a time when digital assets are at the core of business operations, ensuring their security should be every client’s priority.
 
From sensitive customer data to proprietary information, businesses rely on their digital assets for productivity, innovation, and growth. And yet our front pages and screens carry constant news of data breaches and hacks, which makes this a big topic of conversation at JTB. More than ever before, a cyber attack is a real likelihood; it’s just a matter of when.
 
A lot of our clients are Australian based, so mentioning names like Optus or Australia Post is sure to be triggering. And let’s not get started on Nigerian princes. Because of the prevalence of these online attacks, any business that has digital infrastructure of any kind – a customer-facing website or app, or internal infrastructure and systems – should be auditing its systems, so as to have a high-level understanding of what data it’s storing and its risk profile, in order to protect its digital assets.
 
When we talk about risk profile we’re talking about your industry’s landscape: where potential attacks could come from and what the biggest risks are. Understanding where the vulnerabilities are means they can be mitigated with available technologies, so long as you have people who know how to use the tech properly.
 
When we talk to our clients about data security, we talk about the most important factor being the human factor – anecdotally speaking, a lot of breaches or attacks start with a human aspect. Take phishing, where people are thrown some bait (pardon the pun) via text or email, while hackers wait for someone to latch on. If you weren’t the prey of mysterious COVID era shipping links, then consider yourself lucky. We have countless examples of this happening in critical infrastructure around the world.
 
It’s also important to think about the scale of these systems. What is the fallout if your system or website goes down for 1 minute/1 hour/24 hours – how much business are you losing, how much faith are you losing from your customers? How many people go without your product or service that day? The consequences are not considered enough. It can often feel like a vague threat, but it’s our job to educate clients that it is better to be prepared if and when a cyber attack does happen.
 
We’ve seen websites be hacked when there are multiple service providers involved. E.g. someone has developed the website, another is responsible for hosting, and another for security. And while you might think, “I’m just a small business, why would someone do that?” – it’s not always about the value of your data, or even a personal vendetta, it’s about utilising your infrastructure, e.g. the server, to host assets that hackers are then monetising – for ad revenue, or to send out spam. Hackers can take over part of a server in secret and hide their tracks, in order to use your hardware as long as possible without being noticed, and use your server to send out thousands of phishing emails a day.
 
This form of breach – getting into data without ‘officially’ hacking (the cliché of sitting in a dark room with a console) and instead getting someone to give away their personal information (username and password etc.) – is one that compromises a system without the business or individual realising. Unfortunately, it’s the most common attack, and time-poor senior people are the most open to these kinds of data breaches. These could be your customers or clients. The biggest breaches are where usernames, emails, and passwords become available for purchase – essentially a phonebook for hackers, who try the username/password combo in the hope it is also being used for banking or other sensitive accounts.
 
At JTB, we can’t stress enough how important data is – and how much more thought should go into what data is being captured, particularly for smaller businesses or companies that have lead capture forms or enquiry forms.
 
Act first, think later is the standard approach to capturing personal data: making it functional and getting leads, without thinking about security. But not only can consumer sentiment be damaged; the legal implications of not conforming to regulatory standards for data privacy and security mean you’re exposing yourself to potential lawsuits and negative commercial effects, e.g. reimbursement or loss of customers after a data breach.
 

Every business should be thinking about the following:

  1. Website security check: conduct a full audit of all touch points and how they interact along the customer journey, including how access to one system can lead to access to another – the ripple effect. Separate your concerns: your most critical data vs data that doesn’t pose a huge risk if compromised.
  2. What are you capturing, where are you storing it, and what steps are you taking to secure it?
  3. What’s the worst-case scenario, and what is your process once you’ve identified an attack? A security incident response plan is critical – who can assess, find the source of the breach, mitigate it in future and manage the fallout. Understand what recovery plans, systems or strategies need to be in place to respond to a breach – like bringing your website back online.

 
Any data which can be tracked to an individual identity is called PII – personally identifiable information. These different data types can carry low and high risks, and it’s important for businesses to consolidate where that data is stored and how secure it is – while not having it stored in too many places, as this makes it more available to attack points.
 
There are many vulnerabilities in a tech stack – so we need to look at solutions from the ground up. A tech stack starts at the server level, including what systems and software it’s running, then the application layer, for example the CMS, and finally the code running on that platform. An open source platform like WordPress isn’t inherently insecure, but it can be made insecure if incorrectly implemented or maintained, e.g. through insecure code or plugins, whether customised by developers or purchased off the shelf. Ensuring your system is regularly maintained from the server up will ensure that newly discovered security vulnerabilities are patched as soon as possible to minimise risk.
 
It’s crucial that all users – internal or external, collaborators and customers – have the most secure access to systems possible. Where possible, users should be required to set up two-factor authentication for access to all critical systems. For internal and external stakeholders and customers alike, passwords should be securely managed via software such as 1Password or Bitwarden. When onboarding new employees or sharing access to systems it is vital that passwords are shared securely via a password management platform or an expiring link – never as plain text in an email or instant message – or, where they have been shared insecurely, that the temporary passwords are changed as soon as they’re accessed. This applies to internal and external stakeholders alike, in case malicious parties gain access to email or messaging services and are then able to read passwords to critical systems.
 
We get it – data security can feel like a chore – it’s grudge work that few customers or staff want to get around to. However, when a team and customer base is educated and potential security risks are known, doing this once and well, and establishing a maintenance program, will save time and money in the long term. It is much better than having to deal with the blowout.
 

How to protect digital assets:

  1. Establish Clear Objectives: Before getting into a security audit, it’s crucial to establish clear objectives and goals. Determine what specific aspects of your digital assets you want to assess, whether it’s network security, data encryption, access controls, or software vulnerabilities. Defining clear objectives will guide the audit process and ensure that all relevant areas are thoroughly evaluated.
  2. Take Inventory of Digital Assets: Start by taking inventory of all your digital assets, including hardware, software, databases, websites, and cloud services. Documenting these assets will provide a comprehensive overview of your digital infrastructure and help identify potential security risks. Ensure that all assets are properly catalogued, including their respective owners and usage purposes.
  3. Conduct Vulnerability Scans: Utilise automated vulnerability scanning tools to identify potential security weaknesses across your digital infrastructure. These tools can detect common vulnerabilities such as outdated software, misconfigured settings, weak passwords, and unpatched systems. Conducting regular vulnerability scans helps proactively identify and address security gaps before they can be exploited.
  4. Review Access Controls: Review and evaluate access controls for your digital assets to ensure that only authorised individuals have access to sensitive information. Implement role-based access controls (RBAC) to limit access privileges based on job roles and responsibilities. Regularly review user accounts, permissions, and privileges to prevent unauthorised access and minimise insider threats.
  5. Encrypt Sensitive Data: Encrypting sensitive data is essential to protect it from unauthorised access, whether it’s in transit or at rest. Implement strong encryption algorithms to secure sensitive information such as customer data, financial records, and intellectual property. Additionally, ensure that encryption keys are managed securely and regularly rotated to maintain data confidentiality.
  6. Implement Multi-Factor Authentication (MFA): Strengthen access controls by implementing multi-factor authentication (MFA) for critical systems and applications. MFA adds an extra layer of security by requiring users to provide multiple forms of verification, such as a password combined with a one-time code sent to their mobile device. This significantly reduces the risk of unauthorised access, even if login credentials are compromised.
  7. Perform Penetration Testing: Conduct regular penetration testing to simulate real-world cyber attacks and identify potential security vulnerabilities. Penetration testing involves ethical hackers attempting to exploit weaknesses in your digital infrastructure to gain unauthorised access or disrupt operations. By identifying and addressing vulnerabilities before they are exploited by malicious actors, penetration testing helps improve overall security posture.
  8. Train Employees on Security Best Practices: Educate employees on security best practices and provide training on how to recognise and respond to security threats. Establish clear policies and procedures for handling sensitive information, using secure passwords, and reporting suspicious activities. Regular security awareness training helps employees to be proactive in protecting digital assets and mitigating security risks.
  9. Stay Updated on Emerging Threats: Stay informed about emerging cyber threats and security trends to proactively adapt your security measures accordingly. Subscribe to security alerts, participate in industry forums, and engage with cybersecurity experts to stay ahead of evolving threats. By staying proactive, you can better protect your digital assets from emerging security risks.
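
Tips 4 and 6 above (and the two-factor guidance earlier on this page) can be combined into a single access check. The following is an added example and not JTB’s code: TOTP verification per RFC 6238 (the standard behind authenticator apps) gating a role-based permission lookup. The role names, the permission strings and the `authorise` function are hypothetical; the secret is the RFC 6238 test secret, used only so the codes can be checked against the published vectors.

```python
"""Worked example: RFC 6238 TOTP as a second factor in front of a role-based
permission check. Added illustration; roles, permissions and user records are
constructed for the demo and are not from any real system."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed role -> permission map (hypothetical names).
ROLE_PERMISSIONS = {
    "viewer": {"leads:read"},
    "marketing": {"leads:read", "leads:export"},
    "admin": {"leads:read", "leads:export", "users:manage"},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def match_totp(secret: bytes, code: str, at_time: int,
               step: int = 30, window: int = 1) -> Optional[int]:
    """Return the time-step counter the code matches, or None.
    Tolerates `window` steps of clock drift either side of the current
    step and compares in constant time to avoid a timing side channel."""
    if not code.isdigit():
        return None
    base = at_time // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


@dataclass
class User:
    name: str
    role: str
    totp_secret: Optional[bytes] = None   # None means MFA not yet enrolled
    last_counter: int = -1                # highest time-step already used (replay guard)


def authorise(user: User, permission: str, code: str, at_time: int) -> Tuple[bool, str]:
    """Authenticate the second factor first, then check that the user's role
    grants the requested permission. Returns (allowed, reason)."""
    if user.totp_secret is None:
        return False, "MFA not enrolled"
    counter = match_totp(user.totp_secret, code, at_time)
    if counter is None:
        return False, "invalid MFA code"
    if counter <= user.last_counter:
        # A valid code must not be accepted twice within its time step.
        return False, "MFA code already used"
    user.last_counter = counter
    if permission not in ROLE_PERMISSIONS.get(user.role, set()):
        return False, f"role '{user.role}' lacks '{permission}'"
    return True, "ok"


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, constructed for the demo
    alice = User("alice", "marketing", secret)
    now = 59                            # RFC 6238 test time; real code uses time.time()
    print(authorise(alice, "leads:export", totp(secret, now), now))   # (True, 'ok')
    print(authorise(alice, "leads:export", totp(secret, now), now))   # replay rejected
    print(authorise(User("bob", "viewer", secret), "leads:export", totp(secret, now), now))
```

Two details matter in practice: the drift window should stay small (one step either side is typical) because every extra step widens the guessing space, and the replay guard is what stops a code that was phished or shoulder-surfed from being reused within the same 30-second step. In a real deployment the per-user secret is generated randomly at enrolment and stored encrypted, never the RFC test value used here.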

 

In Conclusion

Conducting a comprehensive security audit is essential for securing the digital assets of any business against evolving cyber threats. The above tips will help you identify vulnerabilities, strengthen security controls, and protect your digital infrastructure from potential breaches.

 

We’d love to learn more about your project, and how JTB as an agency can help with web application security and protecting digital assets.

Contact us for more information or reach out [email protected] to arrange a chat.
