How to Conduct a Free Cybersecurity Assessment (Guidelines for Non-Techies)


Jed Fearon

Solution Advisor, 17+ years of experience in MSP Solution Development, Sales and Marketing Communications

Stronger cybersecurity starts with better administration.

You don’t have to be a CTO, a vCIO, a vCISO, or a network engineer to lower your cybersecurity risk. Are you a proactive, attentive administrator with good follow-through? Congratulations! You’re the perfect person for the job.

This brief tutorial examines three scenarios where security gaps are likely to materialize and what you can do to enhance your organization’s cyber resilience.

Getting this right has two spillover effects: improving workforce morale and elevating marketability.

Good news: logging into servers is not required. All of the information is relatively easy to collect as long as it exists.

#1 - Incomplete Documentation

I’ve been in the MSP business since 2003, and I’m not exaggerating when I say 80% of the SMBs I’ve encountered have gaps with basic information about their information systems.

While many organizations have IT product and service contracts, invoices, and vendor contacts, they’re never consolidated, organized, and easy to access. The same is true of IT roadmaps, network diagrams, IT proposals, and directories of assets/warranties.

If you don’t have all or most of these exhibits (see the IT Documentation Checklist), or only have a few that aren’t up to date, you’re not operating from a single source of truth. There’s no system in place.

Without a foundation for analysis, it’s impossible to pursue a continuous program of cyber protection that covers people, processes, and technology.

A weakness in one area creates openings for system compromises, performance deficits, data loss, PR disasters, and legal blowback.

Learn More: Cyber Security & Compliance Solutions, Cybersecurity Projects

#2 - Your Team Uses Personal Assets For Remote Work

In the spirit of where there’s smoke, there’s fire, companies who allow their employees to conduct corporate business on personal machines may not be following, promoting, or enforcing a current Acceptable Use Policy (AUP).

Home computers are notoriously exposed to keylogger software, malware, spyware, and viruses that are easily transported to your corporate network via email and personal cloud storage accounts. Even worse, these machines are typically accessed by multiple family members, including children, who are easy targets for phishing schemes.

Do you have employees with home office machines? Are you 100% sure these devices have the same security tools as your corporate workstations? A “yes” to the first question and a “no” to the second should be a cause for concern.

Learn More: 13 Cybersecurity Truths to Live By

#3 - Only One Person Owns IT

I cringe every time I talk to an SMB that has one person in charge of IT - either managing it in-house or functioning as the sole contact with the MSP and other technology providers.

Both scenarios present a single point of failure with devastating implications for uptime, financial performance, and disaster recovery/business continuity.

Even if you have comprehensive documentation and a strictly enforced AUP, all of this flies out the window if something happens to the person in charge.

Dynamic cybersecurity, a by-product of strategically informed IT system design, is a team sport. You should engage leadership across every division or functional area to reduce risk, solicit input, and implement solutions that not only protect your business but also incorporate new technologies that make it easier for everyone to serve clients.

Learn More: IT Steering Committee

What’s Next?

If any of these examples created pause about cybersecurity gaps in your IT environment, I recommend you take immediate inventory with your team and your IT provider.

I also suggest you contact your insurance company and ask them to quote a cybersecurity policy. One look at the IT security questionnaire which appears on the application will reveal what is expected in today’s elevated risk environment.

Learn More: Cybersecurity Insurance Gaps

Finally, companies with documented proof of enhanced security and compliance stand out to security-minded prospects and partners. This type of differentiation will automatically disqualify competitors who are simply winging it.

If you enjoyed this article, you might also like the related content in our free eBook.