If your current IT company does not score a “Yes” on every point in this quiz, they are NOT adequately protecting you. Don’t let them “convince” you otherwise and DO NOT give them a free pass on any one of these critical points.
Further, you must get verification on the items listed. Simply asking, “Do you have insurance to cover us if you make a mistake?” is good, but getting a copy of the policy or other verification is critical. When push comes to shove, they can deny they told you.
- Have they met with you recently – in the last 3 months – to specifically review and discuss what they are doing NOW to protect you? Have they told you about new and inexpensive tools such as Dark Web monitoring for your company’s credentials or advanced endpoint security to protect you from attacks that antivirus is unable to detect and prevent? If you are outsourcing your IT support, they should, at a MINIMUM, provide you with a quarterly review and report of what they’ve done – and are doing – to protect you AND to discuss new threats and areas you will need to address.
- Do they proactively monitor, patch, and update your computer network’s critical security settings daily? Weekly? At all? Are they reviewing your firewall’s event logs for suspicious activity? How do you know for sure? Are they providing ANY kind of verification to you or your team?
- Have they EVER urged you to talk to your insurance company to make sure you have the right kind of insurance to protect against fraud? Cyber liability?
- Do THEY have adequate insurance to cover YOU if they make a mistake and your network is compromised? Do you have a copy of THEIR CURRENT policy? Does it specifically cover YOU for losses and damages?
- Have you been fully and frankly briefed on what to do IF you get compromised? Have they provided you with a response plan? If not, WHY?
- Have they told you if they are outsourcing your support to a 3rd-party organization? DO YOU KNOW WHO HAS ACCESS TO YOUR PERSONAL COMPUTER AND NETWORK? If they are outsourcing, have they shown you what security controls they have in place to ensure a rogue technician, living in another country, would be prevented from using their free and full access to your network to do harm?
- Have they kept their technicians trained on new cyber security threats and technologies, rather than just winging it? Do they have at least ONE person on staff with CISSP (Certified Information Systems Security Professional) or CISM (Certified Information Security Manager) certification? Do they have anyone on staff experienced in conducting security risk assessments?
- Do they have a ransomware-proof backup system in place? One of the reasons the WannaCry virus was so devastating was that it was designed to find, corrupt, and lock BACKUP files as well. ASK THEM TO VERIFY THIS. You might *think* you have it because that’s what your IT vendor is telling you.
- Have they put in place a WRITTEN mobile and remote device security policy, and distributed it to you and your employees? Is the data encrypted on these devices? Do you have a remote “kill” switch that would wipe the data from a lost or stolen device, and is that data backed up so you CAN wipe the device and not lose files?
- Do they have controls in place to force your employees to use strong passwords? Do they require a monthly password update for all employees? If an employee is fired or quits, do they have a process in place to make sure ALL passwords are changed? Can you see it?
- Have they talked to you about replacing your old antivirus with advanced endpoint security? There has been considerable talk in the IT industry that antivirus is dead, unable to prevent the sophisticated attacks we’re seeing today.
- Have they discussed and/or implemented “multi-factor authentication” for access to highly sensitive data? Do you even know what that is? If not, you don’t have it.
- Have they recommended or conducted a comprehensive risk assessment every single year? Many insurance policies require it to cover you in the event of a breach. If you handle “sensitive data” such as medical records, credit card, and financial information, social security numbers, etc., you may be required by law to do this.
- Have they implemented web-filtering technology to prevent your employees from going to infected websites, or websites you DON’T want them accessing at work? Porn and adult content is still the #1 thing searched for online. This can expose you to sexual harassment and child pornography lawsuits, not to mention the distraction and time wasted on YOUR payroll, with YOUR company-owned equipment.
- Have they given you and your employees ANY kind of cyber security awareness training? Have they offered to help you create an AUP (acceptable use policy)? Employees accidentally clicking on a phishing e-mail, or downloading an infected file or malicious application, is still the #1 way cybercriminals hack into systems. Training your employees FREQUENTLY is one of the most important protections you can put in place. Seriously.
- Have they properly configured your e-mail system to prevent the sending/receiving of confidential or protected data? Properly configured e-mail systems can automatically prevent e-mails containing specified data, like social security numbers, from being sent or received.
- Do they allow your employees to connect remotely using GoToMyPC, LogMeIn, or TeamViewer? This is a sure sign to be concerned! Remote access should strictly be via a secure VPN (Virtual Private Network).
- Do they offer, or have they at least talked to you about, Dark Web/Deep Web ID monitoring? There are new tools available that monitor cybercrime websites and data for YOUR specific credentials being sold or traded. Once a match is detected, the service notifies you immediately so you can change your password and be on high alert.
A Preemptive Independent Risk Assessment: The ONLY Way You Can Be Sure
A Security Assessment is exactly what it sounds like – it’s a process to review, evaluate, and “stress test” your company’s network to uncover loopholes and vulnerabilities BEFORE a cyber-event happens.
Just like a cancer screening, a good assessment can catch problems while they’re small, which means they will be a LOT less expensive to fix, less disruptive to your organization, AND give you a better chance of surviving a cyber-attack.
An assessment should always be done by a qualified 3rd party, NOT your current IT team or company; fresh eyes see things hidden, even in plain sight, from those looking at it daily.
You want a qualified “Sherlock Holmes” investigating on YOUR behalf who is not trying to cover up inadequacies or make excuses, bringing you a confidential report you can use before others find dirty laundry and air it in harmful ways.
Our Cyber Security Risk Assessment Will Give You The Answers You Want, The Certainty You Need
This assessment gives you independent verification, by a qualified 3rd party, of whether your current IT company is doing everything it should to keep your computer network not only up and running, but SAFE from cybercrime.
Here’s How It Works: One of my lead consultants and I will conduct a non-invasive, CONFIDENTIAL investigation of your computer network, backups, and security protocols. Your current IT company or guy DOES NOT NEED TO KNOW we are conducting this assessment. Your time investment is minimal: one hour for the initial meeting and one hour in the second meeting to go over our Report of Findings.
When this Risk Assessment is complete, you will know:
- If your or your employees’ login credentials are being sold on the Dark Web. We will run a scan on your company, right in front of you, in the privacy of your office if you prefer (results will NOT be e-mailed or otherwise shared with anyone but you). It’s RARE that we don’t find compromised credentials – and I can guarantee what we find will shock and alarm you.
- IF your IT systems and data are truly secured from hackers, cybercriminals, viruses, worms and even sabotage by rogue employees.
- IF your current backup would allow you to be back up and running again fast if ransomware locked all your files. In 99% of the computer networks we’ve reviewed over the years, the owners were shocked to learn the backup they had would NOT survive a ransomware attack.
- IF employees truly know how to spot a phishing e-mail. We will put them to the test. We’ve never seen a company pass 100%. Not once.
If we DO find problems…overlooked security loopholes, inadequate backups, credentials that have been compromised, out-of-date firewall and antivirus software and (often) active malware…on one or more of the PCs in your office, we will propose an Action Plan to remediate the situation that you can have us implement for you if you choose.
Again, I want to stress that EVERYTHING WE DISCUSS AND DISCOVER WILL BE STRICTLY CONFIDENTIAL.