We’re commonly asked how a business can know whether it is meeting or exceeding the most common cybersecurity best practices. We put together a list of questions that any business can answer to help it understand whether or not it is doing enough to protect itself from breaches, incidents, and end-user whoopsies:
1. Do all servers/computers have an active enterprise-grade antivirus/anti-malware software installed and running?
2. Do all user workstations/endpoints have Mobile Device Management (MDM) in place to ensure that a baseline of technical security controls is applied (such as auto-updates to operating systems and applications, remote wipe/lockout capabilities, etc.)?
3. Is your cloud email provider (M365/Google, etc.) protected with email security filtering and Data Loss Prevention (DLP) controls to ensure sensitive data isn’t communicated via email?
4. Are all office networks protected with enterprise-grade firewalls that receive consistent updates and tuning for current threats?
5. Is MFA (multi-factor authentication) configured for all business web applications (e.g. email, QuickBooks, CRMs, etc.)?
6. Do you maintain a set of strong operational security policies (e.g. Information Security Policy, Acceptable Use, Disaster Recovery, Incident Response, Business Continuity Planning, Data Destruction, etc.)?
7. If users sometimes work remotely, do you use a VPN for connectivity into your offices to ensure business communications between endpoints and the internet are protected?
8. Are all business applications and access controls centrally managed/controlled to ensure access to all resources is removed when an employee leaves the company or changes roles?
9. Do you implement end-user cybersecurity training to ensure users understand and are trained on operational security best practices?
10. Do you have a vendor management program to ensure your sensitive data is handled safely by third parties, and to vet new vendors to ensure they meet high privacy/security standards?
11. Are all important data sources being backed up using offline, air-gapped, or secure cloud storage?
12. If your business is required to meet a compliance framework, are you compliant and ensuring ongoing compliance at least quarterly? (Compliance frameworks may include GDPR, CCPA, SOC 2, HIPAA, CIS, ISO, etc.)
13. If you maintain a web presence, does your website/web-app go through quarterly penetration tests/scans to ensure that the site cannot be altered or breached?