How well are you and your employees informed about cyber security, its hazards and data
breaches? Take the test below across the following technical areas to find your final risk score.
Employees should take proper steps to safeguard the business against threats. Find out how aware
they are in the listed areas.
Do you allow only approved/trusted programs to run in your environment, preventing execution of
unapproved/malicious programs including executables (.exe), DLLs and scripts (e.g. Windows Script Host, PowerShell and HTA)?
Do you regularly patch and update the applications in your environment? This includes, but is not
limited to, Microsoft Office, PDF readers, Java, Flash and web browsers.
Are Microsoft Office macro settings configured to block macros from the Internet, and to allow only vetted
macros that are either in 'trusted locations' with limited write access or digitally signed with a trusted
Do you conduct user application hardening, such as configuring web browsers to block Flash (ideally
uninstalling it), ads and Java from the Internet? This also includes disabling unneeded features in Microsoft Office (e.g. OLE),
web browsers and PDF viewers.
All software, computer devices and servers have their own security requirements that limit cyber
security issues. What's your score?
Are administrative privileges to operating systems and applications restricted based on user duties,
including regularly revalidating the need for those privileges?
Do you patch/mitigate 'extreme risk' vulnerabilities in computer operating systems (including network devices)
within 48 hours, and use only the latest operating system version?
Do you use multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for all
users when they perform a privileged action or access an important (sensitive/high-availability) data
With the rise of mobile devices such as laptops, smartphones and tablets, there has been a sharp increase in
data being lost or stolen. What safety measures are you taking against that?
Do you take daily backups of important new/changed data, software and configuration settings, store them
disconnected from the network, retain them for at least three months, and regularly test restoration?
Do you use an enterprise-grade firewall with intrusion detection and prevention enabled and with
reporting of suspicious traffic?
Do endpoints have adequate antivirus and anti-malware protection in place, including conditional access for
remote/mobile users based on endpoint status?
Do you block insecure legacy mail protocols (such as unencrypted IMAP/POP3) and publish DMARC/DKIM/SPF records to minimise spoofed mail and spam?
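As an added illustration of the SPF/DMARC part of that question (this is example code written for this page, not a tool from the original quiz), the following script evaluates whether a domain's published records would actually stop spoofed mail. It assumes the TXT records have already been fetched; the records below are constructed samples under reserved .test names so the checks run offline.

```python
"""Offline assessment of SPF and DMARC TXT records (added example, not from the page).

A real check would fetch the TXT records with a DNS resolver; here they are
constructed inline (reserved .test names) so the logic runs without network access.
"""
import re

# Constructed sample TXT records, keyed by the DNS name they would be published at.
SAMPLE_TXT = {
    "example-good.test": ["v=spf1 include:_spf.mailhost.test ip4:203.0.113.0/24 -all"],
    "_dmarc.example-good.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-good.test; pct=100"],
    "example-weak.test": ["v=spf1 a mx ?all", "some unrelated txt"],
    "_dmarc.example-weak.test": ["v=DMARC1; p=none; sp=quarantine"],
    "example-none.test": ["site-verification=abc"],
}


def find_spf(txt_records):
    """Return the single v=spf1 record, or None (zero or multiple records is a permerror)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_all_qualifier(spf):
    """Qualifier of the terminal 'all' mechanism: '-', '~', '?', '+' (default), or None if absent."""
    for term in spf.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def parse_dmarc(txt_records):
    """Parse the first v=DMARC1 record into a lower-cased tag dict; None if absent."""
    for r in txt_records:
        if r.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None


def assess_domain(domain, txt_lookup):
    """Return a list of finding strings; an empty list means the domain passes every check."""
    findings = []
    spf = find_spf(txt_lookup.get(domain, []))
    if spf is None:
        findings.append("spf: missing or multiple v=spf1 records")
    else:
        q = spf_all_qualifier(spf)
        if q is None or q == "+":
            findings.append("spf: no restrictive 'all' (anyone may send as this domain)")
        elif q in ("~", "?"):
            findings.append(f"spf: soft '{q}all' qualifier; '-all' recommended")
    dmarc = parse_dmarc(txt_lookup.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append("dmarc: no _dmarc record")
    else:
        p = dmarc.get("p", "").lower()
        if p not in ("quarantine", "reject"):
            findings.append(f"dmarc: policy p={p or 'missing'} does not enforce")
        if "rua" not in dmarc:
            findings.append("dmarc: no rua= aggregate reporting address")
    return findings


if __name__ == "__main__":
    for name in ("example-good.test", "example-weak.test", "example-none.test"):
        print(name, assess_domain(name, SAMPLE_TXT) or ["ok"])
```

The point the checks make is that merely having records is not enough: an SPF record ending in `?all` or `+all` and a DMARC policy of `p=none` are monitoring-only settings that do not reject a spoofed message, so the quiz question is only satisfied by `-all` (or at least `~all`) together with `p=quarantine` or `p=reject`.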
Are critical files encrypted at rest and in transit, including sensitive emails?
Do you conduct an annual security assessment and review applicable security policies?
Are mobile devices securely managed and controlled including keeping corporate data separate from
Do you conduct security awareness training with regular testing and include cybersecurity in your
Are logs collected from all devices and monitored to detect potential threats and attacks, or malicious
or unusual behaviour, within your network?
Do you have an up-to-date cyber insurance policy that has been assessed and vetted against the security
scenarios typical of your industry?