Welcome to your one-stop checklist to measure the cyber security defences in your business. It’s simple:
✅ Tick the boxes for the security measures you already have in place.
💯 Add up the points next to each item to get your score.
For anything you haven’t ticked, read the description under that item to learn more, so you can take the next steps to implement it in your organisation.
So, what are you waiting for? Start your journey to being cyber secure today.🔐
Antivirus | +1
Antivirus is software designed to help detect, prevent and remove malware. A cloud-controlled antivirus product should be implemented so that updates and alerts are managed centrally.
Cyber Essentials Certification | +2
Cyber Essentials is a certification, renewed yearly, managed by the National Cyber Security Centre.
Holding a Cyber Essentials certification shows your commitment to keeping your data, as well as supplier and customer data, safe with essential security measures in place.
Cyber Essentials Plus | +2
Cyber Essentials Plus builds on the standard certification. Additional measures are required to pass and, most importantly, onsite testing will take place.
Cyber Awareness Training | +3
Giving your staff regular cyber security awareness training is an important part of your defence. Staff need to be kept up to date to allow them to understand modern cyber threats and how to prevent incidents.
No Personal Devices | +3
Personal devices, such as laptops or workstations, that access your systems introduce security risks, because you cannot control how they are patched or protected. All such devices should be company owned and controlled. Mobile phones are treated separately.
Incident Reporting | +3
Incident reporting mechanisms can give clarity on who to report breaches to and when. Make sure staff are aware of this and the information is easily accessible.
Penetration Testing | +3
Penetration testing checks for vulnerabilities and verifies whether entry to your systems is actually possible. It is typically carried out by an external company, which tests your systems and also your employees by means of simulated phishing attempts.
A penetration test should be carried out on a yearly basis.
Application Whitelisting and RingFencing | +3
This is granular control over which applications can run and which data they can access.
Whitelisting allows you to approve or deny which applications can be used in the organisation. However, even an approved application can be abused to spread malware.
This is where RingFencing comes in. It restricts what an approved application is allowed to do, so that it cannot make unexpected changes to your systems or reach data it does not need.
Cloud Controlled Network | +3
Modern firewalls, switches and wireless devices should be managed through a cloud service. This gives automatic security updates and peace of mind.
Domain Name System (DNS) Filtering | +3
DNS filtering is a form of web filtering. It is a valuable tool for protecting your business and staff when browsing the web.
It blocks lookups of known malicious websites and can apply controls on which sites employees are able to access.
Domain-based Message Authentication, Reporting and Conformance (DMARC) | +3
DMARC tells receiving mail servers how to handle messages that claim to come from your domain but fail SPF or DKIM checks, and reports those attempts back to you. This helps prevent hackers and other attackers from spoofing your organisation and domain.
Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) | +3
SPF and DKIM are DNS records that help receiving servers verify the sender of an email.
SPF allows a domain owner to define which IP addresses are allowed to send mail for that domain. DKIM publishes a public key in DNS and adds a digital signature to each message, so the receiver can verify that the email was not forged or altered in transit.
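As an added illustration (not part of the original checklist), the following Python parses SPF and DMARC TXT records and flags the weak settings discussed under DMARC and SPF/DKIM above; the domain names and records are constructed samples rather than real DNS lookups, and DKIM is not covered because verifying it needs a signed message, not just a DNS record.

```python
# Constructed sample DNS TXT records for an example domain (no real lookups).
SPF_WEAK = "v=spf1 include:_spf.example-mailer.test ip4:203.0.113.0/24 +all"
SPF_GOOD = "v=spf1 include:_spf.example-mailer.test ip4:203.0.113.0/24 -all"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism) pairs; default qualifier is '+'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanisms.append((qualifier, term.lower()))
    return mechanisms


def check_spf(record):
    """Return a list of findings; an empty list means no weak setting was found."""
    findings = []
    final = [q for q, m in parse_spf(record) if m == "all"]
    if not final:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif final[-1] in ("+", "?"):
        findings.append(f"'{final[-1]}all' lets anyone send as this domain")
    elif final[-1] == "~":
        findings.append("'~all' softfail: move to '-all' once all senders are listed")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; the v tag must be DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def check_dmarc(record):
    """Flag a DMARC record that only monitors, reports nowhere, or applies partially."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("p", "none") == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua address: you will receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    return findings
```

Run `check_spf` and `check_dmarc` against your own domain's TXT records to see which of the two settings above you currently match.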
Security Operations Centre (SOC) | +3
A SOC is a team, often a third party, that monitors logs and alerts from your key systems and identifies attempts to gain access to them.
Cyber Insurance | +4
Cyber Insurance can assist in the event of an attack to help identify what happened, as well as helping you get back up and running.
Email Filtering | +4
Email filtering reduces spam and malware and blocks phishing and impersonation attempts.
We offer this through our partnership with Mimecast. Their cloud-based email security filtering removes risk by blocking 100% of known viruses and more than 99% of malicious emails before they reach your network.
Their software also rewrites links and scans the destination site in real time when a link is clicked, so that suspicious sites are blocked.
USB Control | +4
USB Control helps protect you from loss of company data and malicious USBs. You can opt to register specific USB sticks as safe or block them altogether.
Business Continuity Disaster Recovery (BCDR) Plan | +4
Do you have a plan in the event of a security breach or loss of data or network?
If not, you need to document your core systems and the order in which they need to be restored. Make sure this document is accessible even when your network is down.
Device Encryption | +4
Encrypting drives in machines gives you data protection in the event of loss or theft.
Vulnerability Scanning | +4
Vulnerability scans search for security weaknesses in your devices and networks that can be exploited by cyber-criminals.
The results of the scans can help you build on and maintain your cyber security measures. Regular internal and external vulnerability scanning should be carried out.
Endpoint Detection and Response (EDR) | +4
This is an advancement on standard antivirus. EDR records what happened on each device, giving a clearer picture of a breach and aiding remediation.
Network Segmentation | +4
There has been a recent shift in ransomware attacks, from stealing data to disrupting operations. It is critically important that your corporate business functions and your manufacturing/production operations are separated. Carefully filter and limit internet access to operational networks, identify the links between these networks, and develop workarounds or manual controls so that ICS networks can be isolated and continue operating if your corporate network is compromised.
Multi-Factor Authentication (MFA) | +5
MFA is an authentication method that requires two or more verification factors. For example, when you log in to your email account you may type in a password, followed by a six-digit code from an MFA app.
Password Manager | +5
A password manager is a site or app which stores your passwords in one place. You will need to log in to your password manager before using it, but this is the only password you’ll need to remember.
A password manager gives your staff the ability to securely store and share passwords whilst retaining overall control.
Admin Access | +5
Only specified employees should have admin rights on your systems, not every standard login. This reduces the risk from internal threats, intentional or not, and limits what malware can do if a standard account is compromised.
App Protection Policies | +5
App protection policies help to keep your data safe by blocking or monitoring the movement of workplace data in apps.
Policies can be applied to corporate and personal devices with apps installed that contain workplace data. This is because the data is protected within the app, rather than through device management solutions.
Conditional Access (Devices) | +5
Conditional Access defines criteria that must be met before access to data is granted.
For example, a user trying to access data from a home IP address may be asked to enter an MFA code to open a document, whereas those on the office IP address will not.
Software as a Service (SaaS) Backup | +5
Your cloud applications, such as Microsoft 365, need to be backed up to ensure you are protected and can restore your data in the event of a breach. Microsoft do not back up your data for you.
Air Gap for Your Backup | +5
Standard backups are now a target for ransomware, so it’s important to protect them. An “air gapped” backup system keeps an additional backup copy that is not attached to the live network.