Cybersecurity Assessment

1. Does your company have a password policy? No, we don’t have a formal policy Yes, we have a verbal policy, recommending users change their passwords often Yes, we have software that requires users change passwords on a regular basis Yes, we use password policy based on NIST standards

Do not require password expiration
12 Character Minimum
Password History Remembered
Complexity Required
Admin required to unlock

2. Does your company require MFA (Multifactor Authentication)? No, we do not have that policy in place Yes, but only for all admin/privileged accounts Full MFA for any and all access

A any cloud access (QuickBooks, Salesforce, etc.)
Access to backups
For any remote access
Any critical information
Software or Hardware Authenticators NOT SMS (Text Messaging).
Now required by ALL Cyber Insurance Carriers.

3. Does your company restrict Local Admin Rights? No, everyone has local admin access, it’s easier Yes, we restrict rights to most employees, but certain key officers retain it Yes, we no one has local Admin rights for daily work

Prevents many types of malware and ransomware attacks from starting. We recommend separate local admin accounts that are used as needed. I.e., User_admin@abc.com and not giving local admin rights to accounts used daily

4. Does Your Company have a Backup and Disaster Recovery Plan? No, we do no have a formal plan No, we do no have a formal plan, but we do back up our computers on a regular basis Yes, we have a 3 point comprehensive plan, including:

Off-site backups of servers – prevent ransomware from encrypting backups
Backup of Office 365\Google accounts
- Both Microsoft and Google do not back up your account
- There is only 90 Days of Retention
Backup Sync of Local PCs with One Drive

5. Have You Installed an Email Security Gateway? We do not have an email security plan No, we do not have an email gateway, we use the filters in Outlook or Google Use the filters included in Office 365 Yes, we have a physical Email Gateway (most are SAAS)

Inspects email for malicious content before it reaches corporate systems
Scans all outbound mails

6. Does Your Company Use Computer Encryption at Rest? We do not encrypt our employee’s computers We use Bitlocker included with Windows 10/11 Professional Editions

7. Has Your Company Moved to Next-Generation Antivirus? We use the antivirus comes with the computers we buy We have an Antivirus license for our company We deploy net-gen Antivirus, behavior-based detection rather than virus definitions

8. Do You Implement Threat protection and content filtering? No, we do not have specific systems to prevent threats Office based only Web based content filtering. Yes, our systems prevent:

endpoints from opening malware-infected sites
viewing of inappropriate content

9. Does Your Company Provide Security Awareness Training to Employees? No, we do not have formal training programs Yes, we have reached out to our employees a number of times on the subject We have contracted automated on-demand training for all employees, that:

Reduces risks of cyber attacks
Creates a culture of security compliance
Includes automated reminder emails and reports of end-user participation
Required by most Cyber Insurance companies

10. Does Your Company Have an MDR (Managed Detection and Response Protocol? No, we do not have a proactive protocol to respond to threats in real time Yes, we rely on our IT vendor, but don’t have a formal program Yes, Our IT vendor’s Cybersecurity service plan provides:

Monitors Endpoints and Network
Monitoring Office 365/SALESFORCE/DROPBOX activity
The MAJORITY of breaches occur through email
Recommended by most Cyber Insurance companies

11. Does Your Company Regularly do Vulnerability Scanning? No, we do not have time to proactively look for vulnerabilities We rely on our IT vendor to make recommendations once per year Our IT Vendor provides a comprehensive plan to:

Monitors our networks, systems, and applications for security vulnerabilities
Monitors systems beyond standard computer/servers
- IP Cameras
- Payroll Time Clocks
- Industrial Equipment
Recommended by most Cyber Insurance Companies for office or warehouse-based organizations.

12. Does Your Organization Have a Cyber Incident Response Plan? No, we do not have a Cyber Incident Plan Yes, we rely on our IT vendor to help us when issues arise Yes, we have a written Cyber Incident Plan that covers all operational bases:

Detection, Reporting, and Analysis
Legal & Forensics
Containment, Eradication, and Recovery
Other Responses (i.e. Public Relations)
Post-Incident Review

Would you like a complementary call with a cybersecurity expert?