How to Recover After Failing a Cybersecurity Audit

While it’s important to adhere to compliance regulations, blunders do happen. What does it mean when these blunders lead to you failing a cybersecurity audit, and how can you recover?

Consequences of Failing a Cybersecurity Audit

Failing a cybersecurity audit can mean several things.

First, there’s the up-front legal fines that come with falling on the wrong side of compliance. Here are a few illustrative examples.

• PCI DSS – The payment card industry will exact fines ranging from $5,000 to $100,000 (depending on the size and scope of your crime and company) every month until you get back in line.
• HIPAA – Civil monetary penalties for HIPAA violations range from as little as $100 to as much as $50,000 per violation, and an audit could turn up several of those.
• SOX – The stakes are high for failing to accurately report financial data, and almost make non-compliance the ‘last mistake you’ll ever make’ with fines as high as $5 million dollars and up to 20 years in prison. And that’s not even mentioning the additional SEC penalties (from $50k to $2.5 million a pop) and the potential to lose your stock exchange listing.

And, legal ramifications for state and government privacy violations can extend beyond fines alone. You can face time in prison for serious GDPR infringement. Those who fail to meet California’s CCPA standards are open to individual or class action lawsuits. And defense contractors who don’t stand up to Cybersecurity Maturity Model Certification (CMMC) requirements won’t be  eligible to bid for government contracts. Then, there’s the issue of compensation. The offending institute has to make things right by the customers it jeopardized by being non-compliant in the first place. For a bank, this might mean reissuing cards if financial information has been stolen. For others, it might mean offering free credit monitoring services for the next few years.

And let’s not forget all the clean-up costs of apologetic PR campaigns, brand re-imaging, and potential layoffs if the issue becomes public. Credibility loss is a silent killer, and while data breaches typically get all the press, compliance audits can get their share of attention when a company has to email all its customers notifying them that they’ve been the victim of unsafe security practices.

The Culprits Behind Compliance Violations

Compliance casualties can stem from a number of issues, including:

• Lack of access controls | Too many times, privileges and permissions are too loosely applied. Whether out of convenience, an exaggerated sense of trust, simple oversight, or the desire to remove friction from operations, this security blunder can have serious consequences. Verizon data reveals that business insiders account for 1 in 5 data breaches. A common culprit? “Privilege creep.”
• Inadequate expertise | We are (still) in the slump of a cybersecurity skills crisis, and security practitioners are being pulled a million places at once. Once specialists, this breed has now had to adapt to the constant lack by becoming a jack of all trades. While this has its upsides, it causes other areas to suffer; like when you fail your audit because you didn’t have a dedicated cloud security expert, data loss prevention guru, or compliance manager. If you don’t have it, outsource it. Fortra’s Managed Security Services can help.
• Insufficient security awareness education | Anyone can fall victim to a phishing attack. With spiffy new AI capabilities, getting duped just got that much easier. Even before this last year’s unprecedented wave of AI, Business Email Compromise losses rose by nearly 50% in two years, costing roughly $2.7 billion in adjusted losses. While you can’t fail an audit for being phished, it’s always a good time to ensure your employees are learning how to be more security savvy, be it through social engineering pen tests or additional training. That way, when new implementations come down the pike (Multi-factor Authentication (MFA), Secure File Transfer (SFT), Digital Rights Management (DRM)), they won’t balk at the changes.

Recovering from a Failure

Thankfully, one failed audit doesn’t have to determine everything. If your company is savvy, it can use it as a learning experience to improve. If done right, your efforts can even cast your organization in a better light than before.  Once issues come to a head in a compliance infraction (and subsequent audit red flag), the first step is to remediate the immediate problem by fixing any violations. That can look like:

• Patching vulnerabilities | If there’s a hole, patch it before it springs another. An important step here is to make sure it was done right – improperly patching a CVE could lead to newer – and worse – problems.
• Getting the latest versions | If an update was released with newer, safer features and you didn’t take the time to install it, it throws more egg on your face in an audit. Too much to keep track of? Automate patch management, updates, and even key rotation with the right IT operations automation solutions.
• Tightening access controls | If they let an attacker in the first time, they’ll do it every time after. One-time authentication is not enough for today’s sneaky threat actors. You need to validate at the door (think of letting someone into your house) to make sure only the right people have access. You’ll also need to continuously validate at every new entry point thereafter. The right IAM solution can even make this simple.
• Cracking down on password policies | You’d be surprised at how many of these bad boys sink ships. It’s one thing to have been breached fair and square by a high-powered password cracking agent. It’s another to have an auditor find out you didn’t have secure password policies in the first place – or, that they were never enforced.
• Creating new policies | Sometimes the right steps just weren’t in place the first time. The pandemic sent everyone running to the cloud so fast that we are still seeing old security gaps from when the right rules, container security, or API protections were not put in place the first time. Audits don’t have to be a Boogey Man; think of them as a voice of warning.

Next, validate your remediations by using tools or services to verify that all the fixes made were indeed successful. Handing off a list of compliance checkboxes to implement is one thing – verifying the team has committed the time and resources to completely follow through is another, especially if the failed audit didn’t “go public.” It’s easy to slip into old habits once the initial shock has worn off, and you don’t want to fail another.

Make sure the team has done their due diligence. Check for scripting typos and retest patches for compatibility. Go over your new changes to make sure their implementation didn’t cause any additional unforeseen problems. And if red teaming was part of the initial audit, put another red team on the job post-op to make sure all the initial problems are fixed and there aren’t any other ones the other team – with their particular skillset – left behind.

Allocate a special team for these double-checks or hire one out if you have to, as your SOC is still responsible for keeping up with the organization’s day-to-day security tasks and an additional remediation burden is just that.

Avoiding Failure with a Proactive Strategy

Failing compliance audits is often indicative of a broader need for re-evaluating processes. Consider adding or increasing your proactive security strategy with solutions that can be regularly implemented to check for security weaknesses so there are no surprises when an audit comes along.

Compliance should be perfunctory and redundant for companies with a robust proactive security posture. There should be nothing they’re checking for that you’re not checking for already, and there’s no better way to stay ahead of that security game than with a regimen of compliance-specific vulnerability scans and follow-up pen tests.

Fortra’s Frontline VM is the leading solution to ensure PCI DSS compliance. A SaaS security platform proprietary to Digital Defense, Inc., it simplifies vulnerability management and pen testing reporting and can also integrate a Payment Credential CVC site seal to show your organization’s ability to securely accept online payments.

Fortra’s Core Impact further locks down compliance with best-in-breed penetration testing solutions. This automated pen testing tool is intuitive and easy for practitioners of all backgrounds to use. Less experienced testers can carry out pen tests that utilize the latest exploits, and more advanced analysts can automate the more routine elements of a test. Ease of use is key to establishing a pen testing cadence that will be consistent enough to constantly keep you compliant.

No one’s above a mistake. Despite our best efforts, sometimes an error slips through. Well-prepared contingency plans aren’t “planning for failure”; they’re defense-in-depth posturing, business continuity planning, and the ultimate safety net so that when your organization falls, it can bounce back even better than before. However, there’s no need to wait until then.

With the right vulnerability scanning, penetration testing, and red teaming solutions and services in place, you can have an audit-proof posture now and stay current with any compliance requirements to come.