Cyber security posture self-assessment tool

Your company uses a Single-sign-on (SSO) for employee log-in.

Your company uses both password and multi-factor authentication (MFA) authentication measures for employee log-in.

Your company uses biometric authentication for employee log-in.

Your company has integrated two levels of authentication measures for employee log-in.

You company has integrated three levels of authentication measures for employee log-in.

Your company uses no authentication measures for log-in or password security. There is nothing deterring a hacker from hijacking your log-in, account, or computer network.

Insights and steps moving forward:

Implementing strong authentication measures for employees’ digital resources is crucial for maintaining a secure work environment for your organization.

Here are some steps you can take:

• Multi-factor authentication (MFA): Enable MFA for all employee accounts. MFA requires that extra step beyond a complex password. You can make a cybercriminal’s job a little more difficult through a fingerprint, SMS code, or a hardware token. This extra layer of security will help deter unauthorized individuals from gaining access.
• Role-based access control (RBAC): Implement RBAC to ensure that employees have access only to the resources they need to perform their duties. Assign specific roles and permissions based on job responsibilities, limiting access to sensitive data and systems to only authorized personnel.
• Regular security audits: Conduct regular audits to assess the effectiveness of authentication measures and identify any vulnerabilities. Penetration testing, vulnerability assessments, and security audits can help uncover weaknesses in the system and allow for prompt remediation.
• Security updates and patches: Keep all systems, software, and applications up to date with the latest security patches. Vulnerabilities in software can be exploited by attackers to bypass authentication measures, so prompt patching is essential to support a secure environment.

You protect your remote workforce with a cloud-based next-generation virtual firewall.

You protect your remote workforce with DNS security.

You protect your remote workforce with Cloud-based Endpoint Security Software.

You protect your remote workforce with two levels of security.

You protect your remote workforce with three levels of security.

Insights and steps moving forward:

• Establish a robust cybersecurity policy: Create a comprehensive policy that outlines the expectations, responsibilities, and best practices for your remote workforce regarding cybersecurity. Clearly communicate this policy to all employees and ensure their understanding.
• Provide secure remote access: Set up a secure virtual private network (VPN) to encrypt the communication between remote employees and your internal network. This helps protect sensitive data from interception or unauthorized access.
• Deploy robust endpoint protection: Use reputable antivirus and anti-malware software on all remote devices. This helps detect and prevent malicious software or unauthorized access attempts.
• Have a security incident response plan: Develop a comprehensive incident response plan that outlines the steps to be taken in case of a cybersecurity incident. This should include communication protocols, escalation procedures, and steps for mitigating the impact of an incident.

You have a dedicated security incident response team in place to handle any data or security breaches.

You have a network and security monitoring system in place to respond to security incidents.

You have a next –generation intrusion and detection in place to respond to security incidents.

You have multi-layered cybersecurity protections in place to respond to security incidents.

You have two layers of security measures in case of data or security breaches.

You have three layers of security measures in case of data or security breaches.

You have four layers of security measures in case of data or security breaches.

You have zero layers of security measures in case of data or security breaches.

Insights and steps moving forward:

To ensure preventive measures are in place to respond to security incidents, including data breaches or other security breaches, you can follow these steps:

• Risk Assessment: Conduct a comprehensive risk assessment to identify potential vulnerabilities and threats to your organization's security. This assessment should cover various aspects such as physical security, network infrastructure, data storage, and employee practices.
• Security Policies and Procedures: Develop and implement robust security policies and procedures that address potential risks and define guidelines for data protection, access control, incident response, and employee responsibilities. These policies should align with industry best practices and legal/regulatory requirements specific to your organization.
• Regular Security Audits and Assessments: Conduct periodic security audits and assessments to evaluate the effectiveness of your security measures. Find any gaps or weaknesses and take corrective actions accordingly. Engage third-party security experts if needed to perform independent audits or penetration tests.
• Continuous Improvement: Security is an ongoing process, so continuously review and improve your security measures. Stay updated with the latest security threats and industry best practices. Regularly assess and update your security policies, procedures, and technologies to address emerging risks.

You use a Next-Generation Firewall, an advanced level of network protection beyond traditional firewalls.

You use an Intrusion Prevention System (IPS).

You use email encryption, an important security measure to protect the confidentiality of sensitive information transmitted via email.

You use WPA3 (Wi-Fi Protected Access 3), the latest generation of Wi-Fi security protocols.

You use a Virtual Private Network (VPN), a robust security measure for protecting communications with both internal and external entities.

You use two network security controls.

You use three network security controls.

You use four network security controls.

You use five network security controls.

You don’t use any network security controls.

Insights and steps moving forward:

To determine if proper network security controls, including firewalls, intrusion prevention systems, and encryption, have been implemented, you can follow these steps:

• Identify Responsible Parties: Decide who handles implementing and supporting network security controls within the organization. This may include the IT department, network administrators, or dedicated security personnel.
• Assess Firewall Configuration: Evaluate the firewall configurations to ensure they align with industry best practices. Verify that access control lists (ACLs) are properly configured, unnecessary ports are closed, and proper rules are in place to block unauthorized traffic.
• Document Findings and Recommendations: Document your findings from the assessment and any recommendations for improvement. Provide clear and actionable suggestions to enhance network security controls, if necessary.
• Implement Remediation Actions: Work with the responsible parties to address any identified gaps or weaknesses in network security controls. Implement the recommended changes and improvements based on the findings of the assessment.

You have a formal process in place for managing vulnerabilities. This is crucial for maintaining the security of your systems and data.

You don’t have a clear process in place to manage unforeseen vulnerabilities.

Insights and steps moving forward:

If your organization doesn’t have a formal process in place for managing vulnerabilities, including vulnerability scanning, patching, and remediation, here’s some tips to consider moving forward:

• Establish a Vulnerability Management Program: Start by developing a comprehensive vulnerability management program that outlines the process and procedures for finding, assessing, and addressing vulnerabilities within the organization's infrastructure. This program should align with industry best practices and regulatory requirements.
• Conduct a Vulnerability Assessment: Perform a thorough vulnerability assessment to show potential weaknesses and vulnerabilities in the organization's systems, networks, and applications. This can be done using automated vulnerability scanning tools or by engaging a third-party security firm to conduct a comprehensive assessment.
• Prioritize Vulnerabilities: Once vulnerabilities have been found, prioritize them based on their severity and potential impact on the organization's operations. This can be done by considering factors such as the Common Vulnerability Scoring System (CVSS) score, the potential for exploitation, and the relevance to the organization's specific environment.
• Remediation Planning: Create a plan for remediating named vulnerabilities based on their priority. This plan should outline the steps needed to address each vulnerability, including assigning responsibilities, setting deadlines, and distributing resources as needed.

You use Next-Generation, Cloud-based endpoint protection software.

You use Private server-based Endpoint Protection Software.

You use Antivirus Software.

You use an Embedded Firewall Software.

You use two endpoint protection software options.

You use three endpoint protection software options.

You use four endpoint protection software options.

You don’t use any endpoint protection.

Insights and steps moving forward:

To ensure comprehensive protection against unforeseen viruses or malware, here next steps to take on endpoint protection software:

• Assess the current situation: Begin by evaluating the existing computers within your network to decide whether they have endpoint protection software installed. This can be done by reviewing the inventory or conducting an audit.
• Identify the requirements: Understand the specific requirements and features you look for in an endpoint protection solution. Consider factors such as real-time scanning, malware detection and removal, firewall protection, behavior monitoring, automatic updates, and central management capabilities.
• Research endpoint protection solutions: Conduct thorough research to find reputable and effective endpoint protection software options. Look for solutions that have a proven record of accomplishment in detecting and mitigating malware, and that offer regular updates to stay ahead of emerging threats.
• Evaluate compatibility: Ensure that the chosen endpoint protection software is compatible with your existing computer systems, operating systems, and any other security software or tools in use. Compatibility is crucial to ensure proper functioning and avoid conflicts between different security solutions.
• Select a solution: Based on your research and compatibility requirements, select an endpoint protection software that best meets your needs. Consider factors such as the vendor's reputation, customer reviews, cost, and the level of technical support available.

You’ve incorporated a Virtual Firewall for your computer network.

You’ve incorporated Cloud-based Endpoint Protection for your computer network.

You’ve incorporated Zero-trust authentication for your computer network.

You’ve incorporated two types of online security for your computer network.

You’ve incorporated three types of online security for your computer network.

You aren’t currently using any online security for your computer network.

Insights and steps moving forward:

If you’re unsure what steps to take regarding if Cloud security is the right fit, here’s a few steps to help you on your way:

• Assess your current security measures: Start by evaluating the existing security measures in place for your organization's computer network. Identify the current technologies and protocols being utilized.
• Identify cloud service providers: Find which cloud service providers your organization is currently using or plans to use. This information is crucial as different cloud providers offer varying levels of built-in security features.
• Review cloud security offerings: Research the security features and capabilities offered by the cloud service providers you found. Explore their documentation, websites, or contact their sales or support teams for detailed information.
• Evaluate security controls: Assess the security controls provided by the cloud service providers. Look for features such as data encryption, access management, intrusion detection and prevention, network segmentation, identity and authentication management, and compliance certifications.

You’ve conducted security awareness training for your employees.

You’ve not conducted any security awareness training for your employees.

If You’re not aware of what security awareness training is or how it will help your company.

1. Assess your organization's current security awareness training status:
   • Determine if any previous security awareness training has been conducted.
   • Evaluate the effectiveness of the training, if any.
   • Identify any knowledge gaps or areas where improvement is needed.
2. Define training objectives and goals:
   • Clearly outline the point of the security awareness training program.
   • Set specific goals to measure the success of the training.
3. Define training objectives and goals:
   • Name the topics to be covered in the training, such as phishing attacks, password security, data protection, social engineering, etc.
   • Decide on the right format for the training (e.g., classroom sessions, online modules, workshops).
   • Create a timeline for the training program, considering the availability and schedules of employees.
4. Design training materials:
   • Prepare engaging and informative training materials that are easy to understand.
   • Include practical examples and real-life scenarios to make the training relevant to employees' work environments.
   • Utilize visual aids, interactive elements, and multimedia to enhance learning.
5. Implement the training:
   • Schedule training sessions according to the plan.
   • Supply the necessary resources, such as access to training materials or online platforms.
   • Conduct the training in a supportive and inclusive environment.

You have a clear measure in place to limit access to data and implement role-based access controls.

You have a clear incident response plan in place to respond effectively to anomalies and irregularities.

You regularly update software and security patches.

You’ve put into action two security measures to prevent unauthorized access to your systems and data.

You’ve implemented three layers of security measures to prevent unauthorized access to your systems and data.

You don’t have any measures in place to protect your systems and data from unauthorized access.

Insights and steps moving forward:

To prevent unauthorized access to our systems and data, here’s a few steps to help get you started:

• Conduct a Security Audit: Perform a thorough assessment of our current security measures, including network infrastructure, data storage, access controls, and authentication mechanisms. Identify any vulnerabilities or weaknesses that need to be addressed.
• Develop a Security Policy: Create a comprehensive security policy that outlines the rules, guidelines, and procedures for safeguarding our systems and data. This policy should cover areas such as password management, user access controls, data encryption, and incident response protocols.
• Regularly Back up Data: Implement regular data backup procedures to ensure that critical systems and data can be recovered in case of a security breach or system failure. Store backups securely and test the restoration process periodically to ensure data integrity and availability.
• Conduct Employee Training and Awareness Programs: Educate employees about the importance of security practices and the potential risks of unauthorized access. Regularly train employees on secure password management, phishing awareness, and social engineering techniques to foster a security-conscious culture within the organization.