Here is a list of fundamental IT and cybersecurity questions that all organizations should review to ensure they have the resources to be compliant with vendors, clients, and government agencies. This list is a summary from our internal standards, NIST, and IRS Safeguarding Taxpayer Data.
1. Does our organization provide regular cybersecurity training to all team members?
Threats are constantly evolving. Your cybersecurity plan needs to enable your team to identify and prevent breaches. Unfortunately, much of cybercrime is carried out through social engineering, which targets people rather than systems, so training is a core control rather than a formality.
2. Do we have MFA (Multi-Factor Authentication) enabled on all our accounts?
Multi-factor authentication is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism. This is extremely helpful for strengthening password security, since a stolen or guessed password alone is no longer enough to get in.
3. Do we have disk encryption on all computer hard drives that contain company data?
Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. If the hardware is compromised (lost, stolen, or otherwise out of your control), you greatly reduce the chances that someone will gain access to your data.
4. Do all employees in your organization use a corporate Password Management System such as 1Password, LastPass, or similar?
These tools are the greatest thing since sliced bread. They not only increase your password security exponentially, they also make it much more efficient for your team to share passwords and sensitive information.
5. Does our organization have written information security policies that all employees must adhere to?
Policies covering who handles data, and when and how it is handled, are extremely important to ensure data is not compromised and so that you can provide evidence that you are adhering to best practices.
6. Are all company emails regularly backed up?
Most email providers (Gmail, Microsoft 365, etc.) are very secure. However, there are certain situations outside your control in which you could potentially lose all your emails (accidental deletion, malware, etc.).
7. How often are employees in our organization required to change their passwords?
If you have an effective MFA and Password Management system in place this is less important, but it is still relevant, and some industries (HIPAA, etc.) require a specific schedule for when passwords are changed.
8. Are all computers containing important data regularly backed up?
Thankfully, most of our data is moving to the cloud, and redundant back-ups are standard in most cloud-based storage. Nevertheless, many users accidentally or temporarily store important data on their computers. Also, when setting up a new computer, having a bare-metal back-up greatly decreases set-up time.
9. Do all computers in our organization have an antivirus installed?
A wise man once said, "The best antivirus is the one you use." This is somewhat true, but it proves the point that you should have a consistent antivirus in place throughout your entire organization.
10. Does our organization carry cyber insurance?
Did you know that 43% of cyber attacks target small businesses? Cyber insurance can help fill the gap just in case.