Cyberattacks can affect anyone, and businesses are prime targets. 43% of online attacks are aimed at small businesses, with an average incident cost of $200,000.
Over the next five years, the overall impacts of cybercrime are expected to cost businesses a total of $5.2 trillion in value across lost revenue, damages, fees, and lost product.
Worse yet, these attacks happen more often than you might think. In one study, it was found that hacker attacks occur on a near-constant basis, at a rate of 39 seconds per attack across all internet users.
Cybersecurity needs to be a priority for any organization, whether it’s a business, public institution, or government entity. And as a best practice, your organization should take a methodical, step-by-step approach to assessing your company’s vulnerability.
In other words, a cyber security risk assessment checklist.
Cybercrime strikes fast. Companies often don’t realize they’re vulnerable until after the damage is done. And even after the threat is secured, locating the source of the attack can be a time-consuming process.
In other words, cybercrime isn’t slowing down – which is why businesses need a thorough approach to cybersecurity that covers all their bases. A good place to start is with an enterprise cyber security checklist. Below, we’ve listed items that should be included in your cybersecurity checklist.
19 Items That Need to Be On Your Cyber Security Audit Checklist
- Do you have a business continuity and disaster recovery plan that can be executed during or after an event?
You need a strategy to prevent downtime and minimize resource losses. Be advised, just “having” a plan or person responsible is not enough, an effective plan needs to be tested and improved regularly. It will require multiple iterations to get the plan to the point that it will work you really need it.
It’s essential that your cyber security risk assessment checklist includes this item, and that a full plan is in place, tested and verified regularly.
- Do you perform periodic security assessments to identify current and potential threat areas?
A regular security risk analysis needs to be conducted on a regular basis. Leveraging a standard like NIST 800-171 Cybersecurity framework is a great place to start. Some of the key points of an assessment should include:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Incident response
All of these areas and more will need to be assessed. As a best practice, it’s recommended to reach out to cybersecurity experts to perform the assessment.
- Are all users informed and trained on appropriate system usage?
Users are the weakest link of any cybersecurity chain. It’s essential for businesses to provide employees with regular training sessions that cover appropriate behavior.
This training needs to cover areas such as: safe internet usage practices, phishing awareness, appropriate passwords, data handling practices, bring-your-own-device (BYOD) best practices, and more.
Beyond training, testing your users is also critical to see how they really perform in the real world. Until this is done, you have no real idea how people are doing. And when you find they are not doing as well as you hoped, make sure you have a training follow up to close those gaps.
- Are policies defined, monitored and improved?
Do you have clear definitions for how company IT is to be used? What about best practices for security measures?
A company is liable for how their resources are used. Employees by default do not know all of the details of what is appropriate and what is not – even if it appears obvious to you. If employees use these resources in an inappropriate manner and the company has not defined usage policy and trained the employee, the company is liable for those actions. This is a liability that you need to close fast.
Usage policies are the tool to cover areas such as acceptable usage, email usage, guest access, confidential data, incident response plan and remote access.
- Do you test your users to make sure they know how to comply with policies?
It’s one thing to set policies for end user security, that is only part of it. To make sure your staff knows the policies you have to test them Run regular evaluations that test each user’s knowledge and skills to ensure they’re up to date with company policies.
Remember – Having policies is not enough, you need to train, test and follow up. See how strong your IT policies are with this IT policy self assessment.
Interested in learning more? Check out these blogs:
- Does leadership participate in security initiatives and directives?
Security isn’t just for lower level staff, it starts at the top. Leadership and executives need to be included in your security initiatives and have them take an active role in leading directives among other staff members.
Do not exclude leadership from the training and testing – they can make mistakes as well.
- Is the network monitored 24/7 to detect potential cyber security events?
There are two types of essential network monitoring, one is for uptime, performance and patching while the other is real time security.
This comprehensive approach looks at all systems and data points and can spot dangerous activity that is almost always missed on a system by system view. A security operations center (SOC) is watching 24*7 for any signs of inappropriate activity.
A Managed detection and response service proactively addresses security threats instead of passively waiting for a breach to be realized. This type of network security is often required based on the industry you are in.
- Do you perform audits of who has administrative access or enhanced rights on your systems?
So often, people have access beyond what they really require to do their jobs. Performing an audit of who has access to what is a critical point to secure your systems. A key way hackers get domain admin access is through normal users that have been granted super user level access.
While you are at it, make sure and look at your userlist. Often there are accounts of past employees that are still enabled on the system. Clean these old accounts out and secure your network.
- Have you identified the potential impacts of breaches?
Ideally, no breaches or cyber attacks will occur, but in reality you need to plan for breaches. You need to understand what the short- and long-term impacts it could have on your system.
How much money will you lose per hour of downtime? Which data points are vulnerable across different systems? You’ll need a thorough accounting of these possibilities for your security planning. Knowing what is more important to the company will help you prioritize your protection and actions should a breach occur.
- Do you keep up to date with the latest updates and software security patches?
Often security problems with software are discovered overtime and need to be patched. Unpatched software is a common attack point as it provides a predictable target to thieves. It is critical that software is updated and patched as threats are discovered to keep you as safe as possible. All systems that run software such as operating systems, applications, firewalls, hardware, etc. require patching.
Are your employees practicing cyber security best practices?
Take this free quiz to find out.
- Are you using any Nextgen firewalls?
Firewall technology has changed over the years to address the ever growing attacks and threats. Nextgen firewalls provide intrusion detection, deep-packet inspection, cloud-based threat intelligence, and application control. Many companies believe that they just need a firewall – you need a firewall that is up to today and tomorrow’s threats.
- Do you have a Nextgen antivirus solution and DNS level of security protection?
Many companies still have signature based antivirus software that does not detect zero-day threats. With custom tailored virus and malware options, it is easy to bypass these older antivirus softwares. Nextgen AV uses AI application inspection, manages scripts to prevent unauthorized execution, device control and prevents memory exploitation. Since it uses AI, you do not need to constantly download new signature files that can fail, take extra resources, slow performance and require additional management overhead.
DNS protection stops command and control attempts from criminals, controls DNS and IP layer redirections and provides an intelligent proxy service to steer users away from risky domains.
- Do you have a complex password protection policy, and is it followed?
Most companies use Microsoft Active Directory and have enabled a setting for strong passwords. Unfortunately that definition of strong password really is not strong. This video shows how 95% of companies that have Microsoft AD are at risk. (link –https://youtu.be/o923NwAADtc )
For maximum password protection, employees should be required to create unique robust passwords with minimum lengths and special characters alongside company-enforced policies such as mandatory resets. Using a password manager that can create extremely complex passwords and manage them for you at some point is probably your best bet. Here a certified ethical hacker shares ideas on how to improve your passwords. (Link – https://youtu.be/medjiHvgQOw )
Wonder how you are doing with passwords? – We have a free password security assessment at https://www.nens.com/password-assessment/ .
14. Do you leverage multi-factor authentication?
While we are on passwords – multi-factor authentication would eliminate 99% of password based breaches. It is the one simple thing you can do to improve your security https://youtu.be/Q0sml7tk1RQ . MFA is now easy to use and is strongly recommended as a solution you need to implement ASAP.
- Do you perform penetration tests/vulnerability scans on a regular basis?
If you are not testing your security, you are living on assumptions and really do not know the truth. The best way to test your security is with a real world penetration test of your systems. These should be performed regularly by a trained security vendor and the reports taken and reviewed.
Holes in protection need to be prioritized and a plan to address them put into action.
- How are confidential documents managed and handled?
Are your document handling procedures secure? Do you have clear policies on confidential data? Do you have compliance requirements set forth such as HIPAA or Sarbanes–Oxley?
Chances are, if you do have requirements you are more than aware of them, what you may not know is if you as a vendor of a client that does, what responsibilities you might have. Or if you are moving towards compliance you will need to have controls in place to control sensitive information.
- Do you require security standards from third-party vendors and anyone you interact with?
It’s not enough to guarantee compliance and security in your own organization. You need to engage with every partner, vendor, supplier, or company you interact with where data is touched to meet the same standards you have. You are responsible to make sure sensitive data that is given to you is cared for throughout your supply chain.
- Do you leverage outside resources with cyber security expertise or is it in-house?
Despite the complexity of business cybersecurity, many companies still opt to keep things in-house. These same internal IT staff have a large list of support requests that demand their attention and keeping up on emerging security threats is often neglected so they can help users with basic support needs.
Leveraging dedicated security providers offers a higher level of protection as they are focused on security and are not being distracted with user print and access support requests. It takes full time focus to keep up with cybersecurity needs. Half baked protection leaves you fully open.
A Professional Will Help With Your Audit Checklist
The above threat assessment checklist for cyber security provides an overview of some of the key areas that should be assessed.
Developing an IT security audit checklist is a good start but is only one piece of the bigger security picture. When you perform your audit using the checklist you will find areas that changes need to be made. You will then need to assess what it will take to improve those faults, prioritize them and create a plan to implement those improvements.
New England Network Solutions has years of experience developing these types of assessments and can work with you to bring your security to a new level. This is the easiest and fastest way to shore up your system and ensure that you’ll be protected.