Welcome To The IT Security Grader

Answer the following seven questions to get a clear picture of your company’s IT health.

These health survey questions will identify vulnerabilities in your security system and processes. Identifying the problems is always the first step in getting them resolved!

Part of our role as an IT Managed Service provider is to supply you with the information needed to make the best IT health choices for your company.



IT security is likely to become a bigger issue.

We see it the same way. Company data is more embedded in networks, people are using multiple devices, and data is now everywhere internally and externally.

The impact of IT security in your company is growing. Management of this is a must.

You have to make the right decisions to be secure but not overspend.

IT security is likely to become a smaller issue.

Market trends see it differently. Your company data is more embedded in networks, people are using multiple devices, and data is now everywhere around the world.

The impact of IT security on the whole is growing. Management of this is a must. You have to make the right decisions to be secure but not overspend.



Yes, backups are enough.

Backup is not enough to prevent data loss

For many businesses, the primary asset is the intellectual property stored in their files, emails and IT systems, and it is the business's responsibility to manage the risks to that data. Backups are the most obvious way to reduce that risk and prevent data loss. However, many companies underestimate the risk left by a backup and recovery process that has not been thought through.

Most backup technologies are designed to save the raw files, folders and data and, after a loss, to manage their restoration. In recent years, though, IT infrastructure has become more complex: systems are interrelated or integrated with one another to gain efficiencies in productivity, reporting and so on. Simply restoring the raw data may not let the IT systems, and the business, resume operating, because the integrations they depend on may no longer work when their configurations were never documented or backed up.

Challenge/Threat

Even with a well-systemised backup process, the risk of data loss remains high when full, real-world restoration tests are never performed. A backup that has never been restored is an assumption, not a safeguard. The solution is to run comprehensive data loss and recovery tests periodically, so that in any data-loss event the data, and the systems that use it, can be recovered completely.

Action Item

Regular data recovery tests solve this problem. They test the current state of recovery readiness and the effectiveness of the recovery, and they help ensure that recovery time is in line with business requirements. They also help meet internal and external compliance requirements.

No, backups are not enough.

You are correct! Backup is insufficient to prevent data loss.

For many businesses, the primary asset is the intellectual property stored in their files, emails and IT systems, and it is the business's responsibility to manage the risks to that data. Backups are the most obvious way to reduce that risk and prevent data loss. However, many companies underestimate the risk left by a backup and recovery process that has not been thought through.

Most backup technologies are designed to save the raw files, folders and data and, after a loss, to manage their restoration. In recent years, though, IT infrastructure has become more complex: systems are interrelated or integrated with one another to gain efficiencies in productivity, reporting and so on. Simply restoring the raw data may not let the IT systems, and the business, resume operating, because the integrations they depend on may no longer work when their configurations were never documented or backed up.

Challenge/Threat

Even with a well-systemised backup process, the risk of data loss remains high when full, real-world restoration tests are never performed. A backup that has never been restored is an assumption, not a safeguard. The solution is to run comprehensive data loss and recovery tests periodically, so that in any data-loss event the data, and the systems that use it, can be recovered completely.

Action Item

Regular data recovery tests solve this problem. They test the current state of recovery readiness and the effectiveness of the recovery, and they help ensure that recovery time is in line with business requirements. They also help meet internal and external compliance requirements.
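The restoration test that the backup answers above call for, as an added example that is not part of the original page or of any product it describes. It backs up a constructed sample directory to a tar archive with a SHA-256 manifest, restores it into a scratch location, verifies every file byte-for-byte, and then runs an application-level check that the dependencies named in the restored configuration actually exist. The directory layout, the `depends_on` field in the config file and the `crm_integration` dependency are hypothetical, chosen to reproduce the failure mode the text describes: a backup whose files all restore correctly but whose integration configuration was never in scope.

```python
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    # Whole-file read is fine for the small sample files used here.
    return hashlib.sha256(path.read_bytes()).hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src; return {relative_path: sha256}. The manifest is stored
    in the archive too, so the restore test needs nothing from the original."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def restore(archive: Path, dest: Path) -> dict:
    """Extract into dest and return the embedded manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        # Use the safe 'data' extraction filter where the interpreter has it
        # (3.12+ and security backports); plain extractall otherwise.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(str(dest), **kwargs)
    return json.loads((dest / "MANIFEST.json").read_text())


def verify_files(dest: Path, manifest: dict) -> list:
    """File-level check: every manifest entry restored byte-for-byte."""
    problems = []
    for rel, digest in sorted(manifest.items()):
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def verify_application(dest: Path, config_rel: str) -> list:
    """Application-level check (the one a raw file restore never does):
    every dependency named in the restored config must exist."""
    cfg = json.loads((dest / config_rel).read_text())
    return [f"dependency not restored: {name} -> {path}"
            for name, path in sorted(cfg["depends_on"].items())
            if not (dest / path).is_file()]


def run_restore_test(src: Path, config_rel: str, tamper: str = None) -> dict:
    """Back up src, restore it elsewhere, report problems at both levels.
    'tamper' names a restored file to overwrite (simulates a bad restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        archive, dest = Path(tmp) / "backup.tar.gz", Path(tmp) / "restore"
        make_backup(src, archive)
        manifest = restore(archive, dest)
        if tamper:
            (dest / tamper).write_bytes(b"garbage")
        return {"files": verify_files(dest, manifest),
                "application": verify_application(dest, config_rel)}


def build_sample(root: Path, include_integration_config: bool) -> None:
    """Constructed, hypothetical sample system: a records file plus an app
    config that depends on it and on an integration config kept elsewhere,
    which is exactly the file that tends to fall outside the backup scope."""
    (root / "db").mkdir(parents=True)
    (root / "db" / "records.csv").write_text("id,name\n1,alice\n")
    (root / "app").mkdir()
    (root / "app" / "config.json").write_text(json.dumps({"depends_on": {
        "records": "db/records.csv", "crm_integration": "etc/integration.conf"}}))
    if include_integration_config:
        (root / "etc").mkdir()
        (root / "etc" / "integration.conf").write_text("endpoint=crm.example\n")


def demo() -> dict:
    """Complete backup; backup missing the integration config (files verify,
    application does not); and a corrupted restore."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, complete, tamper in (("complete", True, None),
                                        ("incomplete", False, None),
                                        ("corrupt", True, "db/records.csv")):
            src = Path(tmp) / label
            build_sample(src, complete)
            results[label] = run_restore_test(src, "app/config.json", tamper)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the file directly to print the three scenarios. The point of the "incomplete" case is that the file-level verification passes: every file that was backed up came back intact, and only the application-level check reveals that the integration config was never in the backup. A recovery test should therefore start the restored application and exercise its integrations rather than stop at comparing checksums.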



Yes, we have a current disaster recovery plan that we review and test regularly.

Good Job!

A complete, up-to-date disaster recovery plan is not written for the shelf, and we all know it. We hope you will never need it.

We don’t believe that we have enough risk exposure to need a disaster recovery plan at the moment.

Disaster Recovery Plan

There is no question that your company depends on technology in a big way. That is a good thing: fast communication, efficient workflow, better collaboration, and so on. But we have to be aware that the technology around us is fragile. Many systems, devices and networks work together, and the components of that environment keep changing.

The failure of any one IT system, let alone all of them, affects the performance and continuity of the entire company. So we have to identify which business processes and deliverables are most affected by a potential failure. Knowing what is at risk is one thing; being proactive and knowing what to do when a failure happens is another.

How do you call your customers if their numbers are in a system that is down? How do you serve clients if the accounting system is down? How do you communicate with other branches or remote employees if email is down?

Challenge/Threat

Do you hold mandatory fire drills so everyone can leave the building as fast as possible? Are you equally prepared if you or your team need to work from home or from other premises?

A disaster recovery plan helps you and your staff act as fast as possible to get back on track, restore data and get everything running again. It also helps employees recognise failures and, more importantly, tells them how to substitute processes until the full system is back. Create a disaster recovery plan and educate all your staff on it.

Low Hanging Fruit Action Item

The Disaster Recovery Plan project solves this problem. The goal is to let the key stakeholders understand how IT failures affect the main company workflows and processes, so that IT services can be implemented to ensure the necessary business continuity. We can help create a disaster recovery plan for your IT systems to ensure you are prepared and your business can continue operations and maintain its competitiveness in a disaster.



Yes, every device that is used, whether personal or company-owned, is secure.

Great Job!

It is important to control and audit this regularly. If you have not done so in quite a while, it may be time for a review.

We don’t secure the personal devices of our employees for them.

Personal Mobile Device Security

In many cases employees use both personal and company devices for their work. Many of these devices are portable: notebooks, tablets and smartphones. They often hold very sensitive company data, and typically the most sensitive data concerns your clients: contracts, prices, account numbers, projects, and so on. These devices can be protected, and they need to be: by common estimates, 10-15% of them are lost or stolen every year.

The loss or theft of a mobile device creates no shortage of problems. An operating-system login password does not protect data at rest: an unencrypted hard drive or memory card can simply be read on another machine. The mail server credentials sit in the account settings of the smartphone, and file server and cloud application passwords saved in the browser can be extracted just as easily.

Challenge/Threat

Users can be educated about obvious and less obvious threats and about basic device protection. Hard drives can be encrypted, and mobile devices can be required to use a passcode and to be enrolled for remote management and remote wipe. Remote wipe only works on a device that can still reach the network, so encryption with a strong passcode is the control that actually protects the data on a lost device.

The goal is to make sure company data is not breached through the loss of portable and mobile devices.

Action Item

A Personal Mobile Device Security project solves this problem. Hard drives in laptops and tablets are encrypted, mobile devices are passcode-protected with remote wipe enabled, and data security policies are implemented, tested and enforced.



Yes, we have implemented protocols and IT strategies to mitigate this risk.

Good Job!

Most people neglect IT security. Security is not about buying expensive solutions; it is about being smart.

Many do not know that the best practice is a focused effort on protecting the data that is actually sensitive, rather than protecting everything equally.

No, we don’t have anything formal in place and use consumer anti-virus programs.

Risk Management Audit

Many companies manage all kinds of data: client-related, internal, government, or employee-related. Much of the data you manage can be sensitive, classified, or covered by non-disclosure agreements, and you are responsible for managing it. If your employees or your third parties mishandle that information, your business can find itself in a difficult situation.

You hold contracts and agreements that fall under non-disclosure agreements; an employee can break one simply by sending a document to the wrong email address. You hold salary, commission and healthcare information and agreements with employees, and there are many ways people can breach these, intentionally or unintentionally, and create legal problems for the company. Pricing sheets, client lists, internal calculations, vendor information and business processes are all critical documents that must be protected to keep your competitive edge.

Challenge/Threat

If we can identify which information is sensitive or classified, we can build a strategy that protects it efficiently. If not, we either have to protect everything at the same level (which is expensive and ineffective) or leave holes in the system and take a huge business risk.

Once the strategy exists, we can break it down into smaller projects: protecting email, protecting file systems, creating access control, and so on.

Action Item

A Risk Management Audit solves this problem. The goal is to make sure you and your company understand the basic IT-related risks and have common ground on what data is sensitive, what needs better protection, and what needs regulated access.



There is a software package that we use for passwords.

Well done! A password management tool helps a business manage the people-related risks. We have all heard stories of a disgruntled former employee whose access and passwords to company systems were not disabled in time.

I don’t know. Everyone does their own passwords, I suppose.

Password Management System Implementation

Every company relies on its IT and on the applications running on top of it, and access to those systems is managed with usernames and passwords. As complexity grows, the number of devices and servers grows with it. In many companies those usernames and passwords are handled by service providers, internal staff and third-party technicians.

Too often these credentials are not protected at all. Vendors use their own password conventions, and IT service providers keep passwords in their own internal documentation.

Your employees face the same challenge, because the number of systems they use has increased dramatically. Think of cloud services, banking, local applications and network access: every one of them needs a username and password.

Challenge/Threat

Changing service providers carries a real risk of exposing critical information about your internal systems. Your critical passwords are not governed: you cannot see who has access, or from where. Your users manage far more passwords than they can remember, and eventually they write them down and share them, which leaves your systems wide open.

Overall, the company has no way to lock any technical or non-technical person out of any of its systems. Think about a layoff, or a breach of trust. The business has no control over its most critical assets: its information assets.

Action Item

The Password Management Implementation project solves this problem. The goal is to make sure every password in the organisation is under the organisation's control, not an individual's. That is why a password management system covering all corporate passwords, from admin passwords to user and cloud-based application logins, is crucial. Removing a departed person's access to the vault is not enough on its own: any shared password they could have seen must also be rotated, which the vault's record of who accessed what makes possible. The project implements a password management system in your environment and creates the necessary company policies and education.



No, we have no way to test, measure, and quantify these.

Security Awareness

Cyber security is fast becoming the number one financial threat to businesses worldwide, and it is a minefield that is very hard to stay on top of. With the rise of ransomware, anyone can become a cyber-criminal: websites now sell, as a service, attacks against one or many companies. Criminals keep developing more cunning and devious methods to steal, and hold to ransom, whatever data they can reach, at the expense of the businesses that own it.

Challenge/Threat

End users are your last line of defence, so they need to know the latest scams or many of them will fall victim. The new challenge for every business owner is to teach and train end users how to navigate the cyber highways. The rules are very different from those of the physical highways we are used to, and worse, they change all the time. It is your responsibility as a business owner to ensure your staff are aware of these threats so they can keep your company data out of the wrong hands. That is another task for your ever-increasing to-do list. How do you keep your staff up to date on, and protected against, the latest threats: spam emails, fake sign-in pages mimicking legitimate companies, smartphone malware, hijacked web pages and more? Nowhere is safe.

Action Plan

A comprehensive, up-to-date and continuous security awareness training (SAT) process solves this problem. The goal is to ensure that your end users are continuously tested, trained, educated and made aware of the latest security threats that can affect them and your business. Failing to do so can leave your business the victim of a cyber or ransomware attack that costs it dearly in downtime, productivity and customer service; some businesses that have fallen victim have had to close their doors. Let us take the burden of this task from your hands with our robust continuous security awareness training.

Yes, we have a way to test, measure, and quantify these, and we do so on a regular basis.

Wow, good work. We seldom see companies that take a proactive approach to testing and training their end users to keep them up to date with the latest attack methods. This is one of the most important security steps for your business: your last line of defence must be a robust one. Having all of today's security systems is all well and good, but more often than not the fate of your business lies in the hands of your employees. Continue to keep them up to date.

Receive Your Grade.


Your Answers

Are you expecting IT security to become a bigger or a smaller issue for your company in the future?
Are complete data backups sufficient to prevent data loss and avoid resulting downtime?
Does your company have a formal disaster recovery plan?
Are all the mobile devices that you and your employees use secure?
Is all of your confidential, vital data completely secure from a cyber-intrusion?
How does your company store passwords?
Can you currently test and measure your security readiness and your business continuity preparedness?

Have Any Questions? Call or Email Us Today!