
Cybersecurity blog


Here is a fun little quiz to help you gauge your security readiness. After reading each question, give yourself a score of 0-3 based on how confident you are about that question. You’ll need something to note the score for each question so you can add them all up at the end. Self-grading is at the bottom. As with most tests, low scores mean you’ve got some work to do.

THE Security Quiz

QUESTION 1: ASSET MANAGEMENT
How confident are you that you can answer all the following questions 100% accurately without prior notice in less than 15 minutes?

  • Given a random IP on your network, specify what it is used for, what OS it is running, where it is located, and who is responsible for it both financially and operationally (who paid for it vs. who patches and fixes it).
  • Given a specific software package of a specific version (Office 97, Windows XP, Python 2.x, Adobe reader 11, Oracle WebLogic 10, etc.) list out all machines in your environment that have that package installed, along with who is operationally responsible.
  • Given a specific machine, specify what services will be impacted by it being down and what machines/apps are dependent on this machine.

0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 2: IDENTITY AND ACCESS MANAGEMENT
How confident are you that you know exactly who has access to what, and that everyone still needs all that access?

0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 3: ACCESS POLICIES
How confident are you in your implementation of the principle of least access?

0 – Don’t understand the question/not doing principle of least access
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 4: SECURITY POLICIES
If you were to undergo an unannounced security audit, how confident are you that you could produce documentation on all your security processes, change management, etc., to the satisfaction of the auditor on the spot?

0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 5: MULTI FACTOR AUTHENTICATION (MFA)
How confident are you that your MFA setup, policies, restrictions, etc., will stop a threat actor from compromising accounts?

0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 6: PASSWORD MANAGEMENT
How confident are you that passwords for your service accounts and standalone non-AD accounts are being handled securely? How confident are you that your employees are maintaining secure password management processes?

0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 7: DATA BACKUP
How confident are you that you can restore a critical system with all its data in a timely manner that minimizes impact on the business? Confidence based on faith or hope does not count.

0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 8: CONFIDENTIALITY, INTEGRITY AND ACCESS (CIA TRIAD)
What is your confidence level that, when it comes to your company’s non-public information, only those who are supposed to see it can see it, when they need to see it, and that it maintains full integrity? Blind faith and confidence based on hope are the same as no confidence.

0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 9: EVENT LOGGING
How confident are you that you will notice if a data leak is taking place, as in a threat actor copying non-public information off-site, or if other security incidents are taking place? Are you confident that after an incident you will have all the data needed to reconstruct what happened?

0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 10: VULNERABILITY MANAGEMENT
How confident are you that you know where all your security vulnerabilities are? Again, pure blind faith or hope-based confidence = no confidence.

0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 11: CHANGE MANAGEMENT
How confident are you that you can detail all the changes happening in your environment at any point in time?

0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 12: THIRD PARTY RISK MANAGEMENT
How confident are you that employees of your vendors aren’t your threat actors?

0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

SCORING

25-36: You’ve got all your ducks in a nice and orderly row, and you have a pretty good idea where each row is.
13-24: Your ducks are loosely grouped together, and you kind of know where most of the groups are.
0-12: Ducks??? I have ducks??? Where are my ducks???

Summary

In closing, the point of this fun little test isn’t to shame or scare you; the point is to get you thinking about all the various aspects of cybersecurity that are needed to keep you safe.

If we can assist you in improving any of these factors, please don’t hesitate to reach out; we would be more than happy to help.

Recommendations

For your reference, these are services or products we recommend or endorse for their online security benefits. If you have any questions, feel free to contact us.

  • BSides Reykjavik Inexpensive Cybersecurity Conferences. Öruggt Net is a proud sponsor
  • Nanitor.com Vulnerability Management platform that takes the pain out of managing your vulnerabilities.
  • 1Password My recommended Password Manager
  • Bitwarden Low-cost Open-Source Password Manager offering notable feature set, including a cloud or local option.
  • ProtonVPN Trustworthy VPN provider, based in Switzerland.
  • Privacy.com. A site that will let you create custom virtual pre-paid credit cards with custom limits. If you sign up with this link https://privacy.com/join/VEYH9 you get $5 to spend however you like, as do I.
  • Power Banks Anker Innovations. Portable charging devices.
  • Proton Mail Secure and privacy-centric Email service in Switzerland
  • Fastmail Privacy-conscious email provider based in Australia that offers reliable email with notable feature set.
  • Wizard Zines Short bitesize educational illustrations, making tech topics easy to understand.
  • Hardware Security Keys U2F The Best Hardware Security Keys for Two-factor Authentication. The Verge
  • Firefox Web browser Privacy centric web browser
  • Vivaldi Web Browser Currently our favorite web browser due to its rich feature set and great privacy and security focus. Norwegian company with offices in Reykjavik and the US.
  • Traveling Mailbox Physical mailbox in the cloud
  • KeePass Password Safe Locally installed password manager
  • Duck Duck Go Privacy Centric Search Engine

Qualifications and credentials

Here are some of Siggi’s qualifications and credentials on top of decades of IT experience:

  • Bachelor of Science, Computer Engineering, Pacific Lutheran University, 1994. PLU Bachelors Degree
  • Master of Science, Cybersecurity and Information Assurance, Western Governors University, 2019. WGU Masters Degree
  • Certified Ethical Hacker, EC-Council, 2018. ECC-CEH-Certificate (expired)
  • Computer Hacking Forensic Investigator, EC-Council, 2018. ECC-CHFI-Certificate-ANSI (expired)
  • SANS SEC560 Network Penetration Testing and Ethical Hacking, SANS Institute, 2018. SANSSEC560
  • SANS SEC460 Enterprise Threat and Vulnerability Assessment, SANS Institute, 2019. SANSSEC460
  • Enterprise Incident Response Training, Mandiant, 2018. MandiantEIRCert
  • Certified IT Architect Foundation, IASA Global, 2017. SB-CITA-F_Certificate

For more details check out his LinkedIn Profile.

Ideology

Cybersecurity is the practice of enabling businesses to produce and sell their particular products and services in the most secure way possible. Therefore, the role of security professionals is to find the most secure way to do what the business needs to do and to educate the business. Deciding what is and isn’t risky is not their role; therefore, they should never tell the business no. Instead, it is the role of the business’s senior management to set the risk appetite and tolerance and to decide which risks they are willing to accept. It is with this philosophy that we provide our services.

An analogy

Customer: I need to jump off a bridge that has a 300-meter fall
Security: Are we talking about bungee jumping?
Customer: No, I need to reach the ground.
Security: BASE jumping is probably your best bet; I recommend getting training first.

Values and beliefs

Our values are trustworthiness, professionalism, and security. We believe in focusing on your policies and procedures to maximize your effort and return on investment. Then, only invest in tools that can assist with those policies and procedures. In other words, each tool you have should have an obvious tie to a specific policy or procedure. This is what all our services are about. Here are some more details on our services. These aren’t distinct packages; they are more the type of things we do; we will mix and match these to suit your needs. Please contact us with questions or to book some time with us.

Designing a Vulnerability Management Program

A vulnerability management program is one of the cornerstones of a great cybersecurity program. Therefore, one of our services is to help you design a program custom-made for your business, shape tool requirements that support that program, and get those tools set up and used to their full potential. In line with our philosophy above, a good vulnerability management program consists mostly of policies and procedures, with tools playing a supporting role only. Once your policies and procedures have been nailed down, we will work with you to compile tool selection requirements. Once the requirements are clear, we will help you work with vendors to select the right tool for your environment.

Establishing proper policies and procedures

Some think that all they have to do to be secure is to buy the right tool because a sales guy told them that it would make them safe, then buy another tool because that sales guy said it was better. Then they stand there with many tools and no idea how to use any of them. We believe buying a tool and looking for a problem to solve with it is very unproductive. Our advice is to start by creating sound policies and procedures and, from that, create requirements for tools to help you with your new policies and procedures. This way, you start by identifying a problem or a need and then find a tool to fulfill the need. With this approach, you won’t have all sorts of tools you don’t use. Therefore, this is the approach we always use. This service offering is similar to the one above, just a little more comprehensive.

Internal Audit Services

If you are working towards a certification or simply maintaining one, you need an independent party to review your setup and confirm that you are ready for the final review. Without that, you have very little chance of passing your certification audit. This is one of the core services we provide.

End User Awareness Training

One thing you absolutely need to pay attention to is training your staff to be security conscious. This is one of the cornerstones of any decent security program, which is why many security frameworks and compliance requirements require this. There are two approaches to this:

  • You can purchase a subscription to a video training service, which will check all the required boxes.
  • Or you can bring an expert in for true in-person training.

There are pros and cons to each. A video training service makes it easier to get everyone to complete the training and to show compliance. It is often bite-sized and easier to fit into busy schedules. The problem is that there is a much greater chance that folks won’t absorb the material or, worse, will sleep through it.

On the other hand, in-person training, like the one we offer, is more engaging and more comprehensive and ensures everyone is learning the material. The problem is that scheduling can be challenging.

While we typically recommend in-person training for that personal touch, we realize it isn’t practical for everyone. Therefore, we can also put you in touch with some great video training solutions.

NIS2 or DORA Implementation or Planning Services

We can work with you to ensure you meet NIS2 or DORA government regulations. With the expansion in scope in NIS2, there is a long list of companies that are required to be compliant that weren’t before. Does your company fall under the expanded scope? You may not have the expertise in-house to understand, plan, and implement programs to become NIS2 or DORA compliant, so let us help you. We can provide as much or as little help here as you desire.

Virtual CISO

This service is a long-term engagement that we customize to your needs. This most often involves some mixture of the following:

  • Being available for consultation regarding issues that pop up in the course of your day.
  • Making sure your policies and procedures are living documents that evolve with your business.
  • Helping prioritize security issues where importance and priority aren’t clear.
