Most companies view an IT audit as an expense, but experts say in reality, it helps companies to save money – especially if it’s conducted at the right time.
An IT audit is a possibility to obtain an external view of the information system in current use. “Agreements about IT security can be made, but the audit reflects how well participants have understood them,” said Alexela's IT development director Tanel Viin on the Äripäev radio broadcast “Kasvukursil”.
“At the same time, it should never be seen as an inspection that should be feared,” he said.
Grant Thornton Baltic’s IT director Arko Kurg said that it is becoming increasingly important to check whether employees are following secure procedure when working on computers. “The possibility of working remotely is a new one, but it has to be secure,” he said.
Data architecture audits are also a growing trend. “Finding an auditor is quite complicated, as it is impossible to find data analysts and even harder to find people to perform verification,” said Grant Thornton Baltic’s head of data protection and cyber security, Maili Torma.
Preventing the worst
Experts say that audits are initially an expense, but help to save much more than the amount spent on them. “Frequently, people come to us with a very specific issue, such as when an incident has already occurred. The average incident costs the company close to 100,000 euros,” said Torma, emphasizing the importance of prevention.
Torma said the most frequent attack involves phishing. “People click on links they shouldn’t. The problem isn’t just in the tech but the link between the computer and the chair – the human,” she said. “This shows that often companies fail to provide needed training to their staff.”
Torma said security holes may occur at rapidly growing companies. “If a company goes from having 10 people to 300, and the development team also sees a tenfold increase, errors start to be introduced,” she said. “A project starts out tiny and no one imagines it could become something big.”
One of the biggest assets of an audit is that it allows executives to get the truth about the actual situation. “Going down a checklist of questions from the auditor, risk locations and risk magnitude can be identified,” said Torma. “Usually, I go down the items on the checklist before the auditor’s visit, which allows me to get on the same page and start addressing the problem,” added Viin.
Torma emphasizes that the realization of IT risks also means the realization of risks for the company. “Risk mitigation measures are necessary for faster response,” she said. The expert said even a moderate risk is acceptable as long as the person knows what action to take if the risk becomes realized. “The auditor helps manage these risks.”
Grant Thornton head of IT Kurg noted that auditors provide transparency in regard to risks.
“A company is only as strong as its weakest link.” Alexela’s Viin added: “For me, an audit tells me precisely what to keep in focus at the management level.”
Torma cited the example of an audit also allowing a company to prepare better for the coronavirus crisis. “In the spring, there were many examples of companies who discovered that they hadn’t given thought to having enough laptops and secure VPN connections, but suddenly they needed to have their employees work remotely.” An IT audit would have devoted attention to these matters ahead of time, she said.
The experts also said that during the coronavirus crisis, when telework came to be seen as essential, a Europol study found that the number of cyber crimes related to remote work increased by 90%. Here again, auditors help point out problem areas that criminals can exploit for their benefit.
In some cases, an IT audit is a requirement under law. For example, the Financial Supervision Authority has released a set of advisory guidelines on requirements for data security in its area of administration. “Without them, a tiny lender might not even think about verifying the security of their systems, but the Financial Supervision Authority’s guidelines push it in the right direction,” said Torma. Data security standards have also been established for government offices.
The EU’s General Data Protection Regulation forces companies to think about how much data they should collect and how to back it up. “The less data is gathered, the greater the peace of mind for a company. So companies are thinking about whether a given process actually obliges them to collect data,” Kurg said.