Are our services for you?

If you answer No to any of the following questions, or don't understand the question, then your customers, staff and business are at risk - and we can help you.

01

Do you have an IT Asset inventory?

If you don't know what you have, you can't protect it. Knowing what you have is critical in assessing inherent asset risk: which vendors are risky, who has admin access, and what the impact to your business is if the asset is ransomed.

02

Do you run strong background checks on all new staff?

People are sadly our weakest link in Cyber Security. Knowing if your staff, or your IT provider's staff, have any AusCheck blocks or criminal history is important in identifying people risk.

03

Do you enforce a strict password and remote access policy?

Passwords can be easily compromised through social engineering, and phishing campaigns with malware can bypass passwords. Are your staff and your IT provider's staff required to use MFA, and do you have a password policy that sets complexity and how often passwords must be changed?

04

Do you back up your data, and test your backups?

Backups are critical when you have lost data or have ransomware. Without backups, you can't recover and your business can't continue. Does your IT provider provide you with regular backup reports, highlighting failures, and do you test your backups to verify you can recover from a cyber incident?

05

Do you regularly patch all your software and systems?

Hardware and software vendors release patches to fix weaknesses in their products. Attackers know about these weaknesses and actively exploit them. It is critical that all your systems, on-prem and in the cloud, are regularly patched, including firewalls, servers, databases, applications, laptops and mobile phones. When was your last patch cycle report?

06

Do you have an Incident Response Plan?

62% of Australian SMBs report having been attacked. Many more have not reported, and many don't know they have malware in their systems waiting to be activated. Statistically the odds are against you if you have assets. It is important to have a plan to contain the attack, recover your systems and prevent a recurrence of the attack: merely restoring a backup that contains the vulnerability ensures the attack will happen again. When was your incident recovery plan independently reviewed?

07

Have you checked all your IT products for security risks?

You rely on technology - whether it is Microsoft Windows, Office 365, TeamViewer, Dell, Lenovo, HPE, Apple, Samsung. It's important to have a view of this technology stack and assess the risks of each vendor - some vendors don't adhere to standards (like ISO 27001, SDLC, DevSecOps, SOC 2), don't build their software with security in mind, and create a risk that attackers exploit.

08

If you develop software, does your team adhere to cyber security best practices for DevOps?

This applies to businesses that develop software or have a 3rd party develop software for them. Do your developers adhere to standards like SDLC, DevSecOps, "Secure by Design," or are they "hacking it" to get product out the door as fast as possible, putting your clients and your business at risk?

09

Have you completed an Essential 8 Maturity Assessment?

Developed by the Australian Cyber Security Centre (ACSC) and Signals Directorate (ASD), the Essential 8 are deemed the 8 most basic and essential cyber security practices that all businesses should implement. If you have not conducted an independent maturity assessment, then you and your IT provider/MSP may be at risk. It's also important to perform these on a regular basis as staff, applications and systems change. For some businesses an annual check is enough; for others with a large IT estate, maybe a quarterly check is needed.