The role of an external IT security audit professional explained

Although Verizon is perhaps best associated with being a US wireless carrier, this is only one part of its business operations, which include the provision of IT security consultancy to major corporates.

According to van der Wel, who is based in Amsterdam, today's large corporates suffer from storing too much data, which in turn makes the problem of securing that data all the more difficult.

"When you had the floppy disk back in the 1980s, it was relatively easy to defend the data [electronically]", he said, but today, he added, the terabytes of data are very difficult to defend.

So what is the solution?

"My advice to corporates is to spring clean your data on a regular basis, which means you have less data to store and secure", he told Infosecurity.

Despite the best security defences, van der Wel and his team also advise companies to prepare for when an IT emergency, perhaps in the shape of a data breach, occurs.

But, he says, whilst a number of corporates do prepare for the worst, they can still hit problems when it comes to dealing with a data breach or similar IT disaster when it happens.

Verizon Business, he explained, does offer this kind of consultancy but, he says, not all companies implement the advice, so he and his team are often called in to deal with problems as they happen.

"Our service is like life insurance", he said, adding that, whilst you may never need the insurance, it's good to have when you do.

Dealing with an IT disaster, he says, is all about forward planning – and even a little can go a long way.

"Many organisations have no idea of how a data breach can affect them, so the first step we ask them to complete is to draw up a network and IT infrastructure diagram. The situation is often made more complex because corporates often have operations in many different countries", he said.

Once the network and IT diagram has been drawn up, he says, the process of analysis can begin.

That's when the audit gets interesting, as van der Wel says that, in his experience, 85% of attacks on company IT resources that succeed involve low to moderate skills on the part of the hackers.

"Once we've worked with the client to draw up a network map on a white board, we can set up the process of reducing their risk profile. This involves redefining the data storage needs and reducing the level of access to that data where we think it advisable", he said.

"Often the security process is all about lowering user privileges on most of the accounts", he added.

Hackers, he went on to say, are changing their approach and focusing a lot of their efforts on larger SMEs, which often lack the in-house expertise to do their own security audits.

"We're also seeing an increase in the use of stolen credentials. Very few companies have procedures in place to handle data breaches, so the best approach to handle this is to install the security systems and then stage a mock attack", he said.

"From there, the process can move forward by developing an incident response plan, so if the worst does happen, the company is prepared", he added.
