SECURITY AUDITS
Management Summary
Security audits are carried out for a variety of purposes. Regular or annual audits are a requirement of various pieces of legislation, including GDPR. It is important that these audits are independent.
A risk audit may also be used to determine whether the organisation is getting value for money from its cybersecurity investments and whether money could be better spent on different areas of risk.
An independent audit may also help increase the sale price of a business by providing reassurance that there are no unknown liabilities due to undetected cyberattacks.
Board directors may also request a security audit as part of their due diligence responsibilities.
ROI Audit
It is hard to know whether investment in cybersecurity is warranted or effective without detailed and current information about threats, risks, costs and the performance of your current defences, strategies and policies. The cyber threat landscape and its legal challenges are constantly evolving, with fines of up to 4% of global turnover in each separate privacy jurisdiction, the threat of class action lawsuits and the increasing risk of executives being sued personally.
KITS can offer a standards-based management decision support solution using current and maintained threat, risk and cost data with an easy-to-use management dashboard and reports. Adapt the model data to suit your own business and applications. Test ‘what if’ cases easily to check alternatives. Ensure that your cybersecurity investments are productive, proportionate and can be defended to regulators and in court.
Pre-Acquisition Audit
One of the most important things to have in cybersecurity is an independent external audit of your cybersecurity measures. Indeed, GDPR compliance requires an independent audit. The pre-acquisition audit is different, but just as essential. In mergers and acquisitions, the purchaser will apply a discount for unknown risks. In several recent acquisitions, such as Marriott's acquisition of Starwood Hotels, the acquired company was subsequently found to have suffered an undetected breach. The consequence of this was a massive £18.4M regulatory fine for the acquirer, Marriott, as well as the costs of remediation, with class action lawsuits outstanding.
A company up for sale can realise a much higher valuation with an independent audit to prove that it has not been the victim of a breach and that its IT security precautions are adequate.
KITS can use its tools and technologies to detect breaches in organisations and remediate them if discovered, helping to maximise the valuation achieved.