The Assessment

CyberSafe Assessment is a free tool to help you find cybersecurity vulnerabilities in your business. You will get personalized results, with tools and suggestions for strengthening security in your business.

Section 1: Identifying

1. My business can identify what types of confidential data (identification numbers, addresses, credit card numbers, Social Security numbers, etc.) are stored in the business.

Tip:

The first step to securing your data is knowing what cybercriminals want. Personal information is protected by law, and a breach of it can cause financial hardship for your business. Sensitive information you need to protect includes identification numbers, addresses, credit card numbers, Social Security numbers, etc.

2. Employees have been trained to identify security risks such as phishing emails, infected devices, spyware, etc.

Tip:

It is not uncommon for an employee to click a link or download an attachment they believe is harmless, only to discover they have been infected with a virus or something worse. The CyberSafe program offers a social engineering training quiz to all small business owners. It is completely free and issues your employees a certificate of completion.

3. Employees have been trained in the procedures to follow when they identify a security risk or data breach.

Tip:

Employees are one of the most common root causes of data breaches in small businesses, but they can also be the front line of defense when it comes to protecting client information. Train your employees on the overall security policy and, more importantly, help them understand the security measures of the business. Set up a confidentiality agreement for your employees to sign, and state clearly the consequences of violating it.

4. My employees have been trained to keep software up to date.

Tip:

Updates can be a huge pain, but they are necessary. Updates contain critical security patches that protect your computer from the latest discovered threats. Without these updates, your data and computer are at risk. It is best to set computers to update automatically.

5. My business has a list identifying all devices in the organization.

Tip:

It is essential to identify the devices you use in your business. Each device you own is a security risk, because it can connect to the internet and interact with other devices. Having a list of all your devices will help you identify the possible entry points for a breach of business data.

6. My business has identified non-essential applications and removed them from business devices.

Tip:

Non-essential applications or programs consume your computer's resources. They can take up storage, increase how long your PC takes to boot, waste RAM, etc. More importantly, they can be platforms for malware to penetrate your computer or network. Therefore, it is always a good idea to remove non-essential applications.

Section 2: Protecting

1. All staff members have their own logins for computers.

Tip:

Having a separate login for each employee restricts employees from snooping around sensitive data they are not authorized to see.

2. Employees' passwords are at least 8 characters long, with upper-case letters, lower-case letters, numbers, and symbols.

Tip:

Strong passwords are the most common defense against unauthorized access. A strong password should be a mix of upper- and lower-case letters, numbers, and special characters. Make sure to use different passwords for different accounts. If possible, use two-factor authentication.

3. Business computers time out after a period of inactivity.

Tip:

It is important for computers to "time out" or "sleep" after a period of inactivity, because an unattended, unlocked computer is open for anyone to see. That means anyone can come by and snoop around confidential data.

4. My business has software in place to block unauthorized access.

Tip:

Firewall software helps protect against unauthorized incoming and outgoing connections, but it only safeguards the computer where it is installed. Make sure your firewall is turned on at all times. You can adjust your firewall settings for more security.

5. All staff members change passwords periodically.

Tip:

Using strong passwords is the easiest thing you can do to strengthen your security. Make sure to change them at least every 60-90 days.

6. Employees can access company files remotely.

Tip:

Try to avoid having employees access company files remotely, especially if they contain protected personal information. This will lower the risk of losing business data due to employee carelessness. Employees may decide to access these files over Wi-Fi, or they may access them from a shared computer. Both of these methods

7. Employees use public Wi-Fi on business devices when traveling.

Tip:

Letting employees use public Wi-Fi is a great risk for any business. When your employee connects to an open Wi-Fi network, like the one at a Starbucks, the network is generally unencrypted. You can tell it is an open network because no password is required to connect. Therefore, your unencrypted network traffic is visible to everyone in range. Cybercriminals can see what unencrypted web pages you are visiting and even what you are typing!

8. Employees use business devices for personal use.

Tip:

Letting employees use business devices for personal use can lead to a number of consequences, such as data leakage, lost devices, and greater malware threats. Additionally, do not let employees connect personal devices to the main business Wi-Fi, because personal devices usually lack adequate protection from snooping. An employee's personal device can let cybercriminals in while it is connected to the business Wi-Fi.

9. Employees have software to send confidential data safely when traveling.

Tip:

If your employees have to use public Wi-Fi, make sure to provide them with tools to use it safely. One tool you can provide is a VPN.

10. My employees send confidential data over text or email on public Wi-Fi.

Tip:

If your employees have to send confidential data over text or email on public Wi-Fi, have them use an encrypted messaging application to send the sensitive data. Best practice, however, is not to use public Wi-Fi to send sensitive data at all, if possible.

11. My business changes the default passwords on all business devices and software.

Tip:

Factory-default software often includes simple and publicly documented passwords. Using default passwords to log in to devices is a common attacker technique, so an attacker who knows these passwords can access the network with root or administrative privileges. Therefore, make sure to change all default passwords immediately after first use.

12. My business encrypts sensitive business information.

Tip:

Encryption makes it more difficult for criminals to interpret personal client information if your device or files are ever stolen.

13. My business has anti-virus software on all business devices.

Tip:

Antivirus software is important for your network security. It is one of the last lines of defense if an attack gets through your network.

14. My business has spyware-detecting software on all business devices.

Tip:

Spyware is usually installed without the user's knowledge to track browsing activities. It is usually installed when a user downloads freeware or another application. For that reason, it is best for the business to provide its employees with software that can scan for spyware. This lets the user know whether a program or application is permitted to be installed. Some businesses even use such software to track employees' browsing habits.

15. My business has anti-rootkit software.

Tip:

The most common way a system is infected with a rootkit is by exploiting software already running on the system, followed by subverting User Account Control by getting the user to click through its prompt. The best way to safeguard against this is to install all necessary updates. Do not open email attachments from unknown sources, and be careful about what software you install by reading the end user license agreement. Do not plug unknown devices into your computer before scanning them with the appropriate anti-virus software. Most importantly, enforce overall cybersecurity policies in your business.

16. My business runs anti-virus scans on a set schedule to detect unknown risks.

Tip:

Employees usually do not update their anti-virus software on their own. The best practice is to set the anti-virus software to update automatically. Out-of-date antivirus software has consequences for your security, because new updates deliver patches for new threats.

17. My business backs up data at least once a week.

Tip:

Back up data on a regular basis. This gives you peace of mind if your data is stolen or compromised. Usually data should be backed up weekly, and if needed every night.

18. My business has a backup copy of its data in a remote location.

Tip:

Back up your data in a remote location in case all your computers or devices are ever compromised. This will allow you to keep the business running if all your systems or devices on site are compromised.

Section 3: Responding

1. My business has a list of legal entities to contact in the event of a cyber-attack.

Tip:

You should have a ready list of legal entities to contact in the event of a cyber-attack. By law, breach notifications are expected to be sent to customers as soon as possible. Delays will only cost your small business more money.

2. My business has a detailed list of who operates which business devices.

Tip:

Lost devices are a major risk for any business. A missing phone, tablet, or laptop raises the possibility of an outsider accessing sensitive information about customers or employees. This information can sometimes be used against your business in court. Having a detailed list of who operates which device will help your business respond to the incident faster.

3. My business has a detailed list of the business software installed on its devices.

Tip:

Having a detailed list of what software is installed on each device makes it easier to identify vulnerable points in the event of a breach.

4. My business has a recovery plan in place in the event of a cyber-attack.

Tip:

Businesses create and manage large amounts of electronic data. This data is important and sometimes vital to the continued operation of the business. The impact of data loss due to hacking, malware, employee error, or hardware failure can be significant. A recovery plan will help your business restore its operations as quickly as possible. More importantly, it can reduce premiums on cyber risk insurance.

5. My business has designated personnel to manage recovery in the event of a cyber-attack.

Tip:

The majority of business operations and records are kept on computers nowadays. If a computer is breached and leaking data, your business may face a class action lawsuit for failing to protect customer or employee data. Having someone to manage recovery will significantly help you reduce costs and keep the business running. This can be or include an employee, a lawyer, and third parties.

6. My business can notify customers as soon as possible if their confidential information has been or might have been stolen, as required by state regulations.

Tip:

It is the business's obligation under state regulations to notify customers if their confidential information has been or might have been stolen. If your business does not have a contingency plan, the incident is more likely to result in higher costs.

7. My business knows the state regulations for protected data.

Tip:

Business owners should have basic knowledge of the laws and regulations regarding data protection so that they can set up a precautionary plan. In reality, businesses pay for lawsuits and many other costs when essential data is compromised, so it is better to protect it now than to pay thousands in damages later.

8. My business knows that regular business liability insurance does not cover cyber-attacks.

Tip:

Cyber risk insurance is different from business liability insurance. Cyber risk insurance protects the business against data breaches. According to a recent study by the Ponemon Institute, the average cost of a single stolen record is $250. That means if a cybercriminal accesses only 100 files of customer data, the cost to your small business is $25,000.

9. My business has policies in place to retrieve all sensitive data from employees leaving the business.

Tip:

Sometimes employees have malicious intentions and steal sensitive information. Make sure there is an official channel for employees to report suspicious behavior by coworkers. State your expectations in the employee handbook for best results.

10. My business knows how to preserve files for further investigation in the event of a cyber-attack.

Tip:

Disgruntled employees can be the worst and do damage in a moment of rage. Make sure to retrieve and deactivate passwords and logins when an employee leaves. This way ex-employees cannot access the business's customer data and sell it to illegal parties. Your business will be held responsible if such access leads to a data breach.

11. My business knows how to preserve files for further investigation in the event of a cyber-attack.

Tip:

In the event of a breach, your business will have to contact a forensic computer examiner. Make sure you know what steps to take to stop a hacker from compromising more files and, more importantly, how to preserve the evidence for the forensic computer examiner. Your lawyer will need all the details to represent you in case of any lawsuits.

DEMOGRAPHICS SECTION

Demographics: The following questions will not impact your score, but will help us meet your business needs.

1. How many employees does your business have?

2. Which industry is your business in?

3. How long has your business been open?

4. Has your business been harmed by a cyber-attack in the past?

5. Any comments or suggestions?
