How secure is your IT environment?

Evaluate your security posture free of charge by answering 25 questions.

1. Can collaborators access the company network without any restrictions using their own device (smartphone, computer...)?

Our advice: Set restrictions on access to the company network. For example, it is not necessary for your collaborator to be able to log in outside office hours (unless he or she is in a different time zone). Also make it compulsory to use a VPN and ban the use of unsecured Wi-Fi connections, such as those available in cafés.

2. Can collaborators use their company devices (smartphone, computer, etc.) on the company network without any restrictions?

Our advice: Set restrictions on access. The use of a secure login process remains important: security with a password for a desktop computer, and with 2FA (two-factor authentication) for a smartphone or a laptop. If you work with Microsoft 365, you should assign roles to your collaborators in order to determine which documents certain categories of collaborators have access to.

3. Are your collaborators' mobile devices (smartphones, tablets) managed via a device management system?

Our advice: A device management system is mainly used by larger companies, but it is also recommended for SMEs. Your IT department can use this software to monitor, manage and secure your collaborators' mobile devices. Mobile Device Management (MDM) is just one facet of Enterprise Mobility Management (EMM), which not only concerns the devices themselves but also the management of applications and content. This software also helps you work securely with mobile devices.

4. Can your company devices be managed remotely? (e.g. to wipe a lost laptop or smartphone)

Our advice: When a (company) device is stolen or lost, and it is not adequately secured with a passcode, the thief or finder has access to your business data. If the OS of the device does not allow remote management, make sure to install additional software that does. This will allow you to remotely wipe a Windows laptop, an iPhone, an iPad, or an Android device.

5. Are all the company devices equipped with antivirus software?

Our advice: Antivirus software is still an important part of your security. A single absent-minded collaborator who clicks on an infected link is enough to cause a lot of misery! The Windows operating system comes with a built-in antivirus tool, but most (paid) antivirus programs still provide greater security. Make sure that the antivirus software is updated automatically!

6. Do you disable automatic updates on your company devices, in order to first make sure that they do not conflict with your business applications?

Our advice: Enable automatic updates on all laptops and desktop computers of your IT infrastructure. Some smartphones and tablets can no longer be updated, either because the manufacturer does not roll out new updates, or because the devices are so old that it is no longer possible to update them. Do not let the situation get out of hand. Instead, invest in a new device, because a hack or data leak could cost you a lot more!

7. Are the hard disks of the business devices encrypted?

Our advice: An encrypted hard drive makes it more difficult for strangers to access your files. Encrypting your data for the first time will take some time, but after that you will be able to work on your files without any loss of performance. Encryption is particularly recommended for mobile devices, to prevent your data from falling into the wrong hands.

8. Do you let your employees decide if they want to lock their device automatically or not?

Our advice: Of course, it is easier for your collaborators not to have to log in to their desktop or mobile device every time after a period of inactivity. But it is also much more dangerous for your company data. You should therefore adopt a lock policy. Require your collaborators to lock their mobile device, which can then only be unlocked by means of a passcode, facial recognition or other biometric data. For both desktops and laptops, you can set the lock via Group Policy (Windows 10 or Mac).

9. Are there specific rules around passwords within your company? (e.g. length, special characters, change every now and then, etc.)

Our advice: Require your collaborators to use a strong password. Use a minimum of 8 characters, but more is even better. Also require at least one special character, a mix of upper and lower case letters, and a number. It is no longer recommended to require your collaborators to change their passwords regularly, because this might entice them to reuse the same password for different services.

10. Do you allow your collaborators to use a password manager or not?

Our advice: The stronger the password, the harder it is for your collaborator to remember it, and the sooner he or she will start cutting corners. This is where a password manager comes in handy: your collaborator only needs to remember one strong password for the tool, which then retrieves the passwords for the various accounts from its database. Password managers are available as add-ons for browsers and as apps for mobile devices. Requiring a password manager is a wise decision.

11. Can your employees log in to crucial sites without using two-factor authentication?

Our advice: Two-factor authentication (2FA) adds an extra step to the login process. In addition to the username and password, a unique, temporary code is also created and sent to your collaborator via SMS or app. Be sure to use 2FA when logging in to crucial sites, and encourage your collaborators to use it wherever it is offered (social media, e-mail, etc.).

12. Do your employees use SSO (single sign-on) or Windows Hello to log in?

Our advice: SSO and Windows Hello are alternative solutions to let your staff log in. With an SSO solution, your collaborator only has to log in once to the software itself, after which the software automatically fills in all the login credentials for the various services that your collaborator subsequently opens. Windows Hello is a specific mechanism for Windows devices, whereby the login process involves biometric data (facial recognition, fingerprint) or other types of data (PIN code, security key, password, picture password). The great advantage of SSO, Windows Hello and password managers is that they prevent password fatigue.

13. Is access to company data restricted on the basis of compliance rules? (Your collaborators must e.g. use a VPN connection to connect to the company network from their home)

Our advice: Develop a clear policy explaining the rules your employees must follow to log in to the company network, and make clear agreements on teleworking. The use of a VPN (a secure tunnel between the home computer and the company network) is recommended, and logging in from an unsecured Wi-Fi connection, for example, can be prohibited.

14. Is there a clear framework as to who has admin rights and who does not? (For example, regarding access to the Git server, the issue tracker or the cloud environment.)

Our advice: Together with your HR and IT departments, establish a clear framework that defines which role and rights are assigned to each position. In Microsoft 365, you can define these roles with great precision. You can also create standard user accounts for these collaborators and urge them to only log in as admin for tasks that require it. This reduces the risk of careless mistakes made while holding elevated rights.

15. Have you set alarms to notify you of anything unusual happening to the company data? (E.g. retrieving company data from an unknown location)

Our advice: This is an extra protection against data breaches, which makes it possible (thanks to the data traffic logs) to keep an eye on whether anything unusual is happening. In order to do this, you can use a software tool that automatically notifies you of this via an alert. With Microsoft 365, you can set up these alerts yourself in the Security & Compliance Center. Make sure, however, that you do not go too far in monitoring your collaborators - do not forget to respect their privacy!

16. Do you log important events regarding collaborators, such as when someone changes rights?

Our advice: Logs concerning rights management of a certain software application are usually created automatically in that application. They can be a useful tool when suspicious activity is detected. With Microsoft 365, you can simply retrieve those logs and sort them by date, person, etc.
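The checks behind questions 15 and 16 (an alert when company data is accessed from an unknown location, and a record of every change to a collaborator's rights) can be run over an exported audit log. The following is an added example, not code from Combell or from Microsoft 365: the log format, field names, user names and the per-user baseline of "normal" countries are all constructed for illustration, so a real export would need its own parser.

```python
"""Review a constructed audit log for two of the events the checklist
asks about: access from an unknown location (question 15) and changes to
a collaborator's rights (question 16). Added example; the log format,
field names and user names are made up for illustration."""
import json
from collections import defaultdict

# Constructed sample log: one JSON object per line, in the style of a
# cloud audit log (not an actual Microsoft 365 export).
SAMPLE_LOG = """\
{"time": "2024-03-04T08:02:11Z", "user": "anna", "action": "SignIn", "country": "BE", "ip": "203.0.113.10"}
{"time": "2024-03-04T08:05:42Z", "user": "bram", "action": "SignIn", "country": "BE", "ip": "203.0.113.11"}
{"time": "2024-03-04T09:15:00Z", "user": "anna", "action": "FileDownloaded", "country": "BE", "ip": "203.0.113.10", "object": "Q1-forecast.xlsx"}
{"time": "2024-03-04T23:41:19Z", "user": "anna", "action": "SignIn", "country": "RU", "ip": "198.51.100.7"}
{"time": "2024-03-04T23:42:03Z", "user": "anna", "action": "FileDownloaded", "country": "RU", "ip": "198.51.100.7", "object": "customer-list.csv"}
{"time": "2024-03-05T10:12:30Z", "user": "bram", "action": "RoleAssigned", "target": "chris", "role": "GlobalAdmin"}
{"time": "2024-03-05T10:13:02Z", "user": "bram", "action": "RoleRemoved", "target": "anna", "role": "BillingAdmin"}
"""

# Baseline (constructed): the countries each collaborator normally works from.
KNOWN_LOCATIONS = {"anna": {"BE"}, "bram": {"BE", "NL"}, "chris": {"BE"}}

# Actions that grant or revoke rights; these are always worth logging.
RIGHTS_ACTIONS = {"RoleAssigned", "RoleRemoved"}


def parse_log(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unknown_location_alerts(events, known_locations):
    """Return events where a user acted from a country outside their baseline.

    A user with no baseline at all is flagged too, so the list of
    collaborators has to be kept current (see the exit policy, question 17).
    """
    alerts = []
    for ev in events:
        country = ev.get("country")
        if country is None:
            continue  # administrative event without a network origin
        baseline = known_locations.get(ev["user"], set())
        if country not in baseline:
            alerts.append(ev)
    return alerts


def rights_change_alerts(events):
    """Return every event that grants or revokes a role, oldest first."""
    return sorted((ev for ev in events if ev["action"] in RIGHTS_ACTIONS),
                  key=lambda ev: ev["time"])


def summarize(alerts):
    """Group alert actions per user for a short report."""
    per_user = defaultdict(list)
    for ev in alerts:
        per_user[ev["user"]].append(ev["action"])
    return dict(per_user)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in unknown_location_alerts(events, KNOWN_LOCATIONS):
        print(f"LOCATION {ev['time']} {ev['user']} {ev['action']} "
              f"from {ev['country']} ({ev['ip']})")
    for ev in rights_change_alerts(events):
        print(f"RIGHTS   {ev['time']} {ev['user']} {ev['action']} "
              f"{ev['role']} -> {ev['target']}")
```

On the sample log this flags the two night-time events from an unexpected country for one user and lists both role changes made by the admin, which is exactly the information the advice for questions 15 and 16 says you should be able to retrieve and sort. In practice the baseline would be built from a few weeks of past sign-ins rather than typed in by hand, and the output would go to an alerting channel instead of the console.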

17. Have you established a clear policy on how to restrict access when a colleague is dismissed (exit policy)?

Our advice: Establish a clear procedure, together with your HR department, as to what should happen when a collaborator resigns or is dismissed. The information must be relayed by the HR department in good time, and the measures taken by the IT department must be all-encompassing: removal of access to the company network, redistribution of tasks and documents on which the person was working, etc. You can also decide, for example, that the mailbox will continue to exist (with no access for the former employee, of course), turning it into a group box so that e-mails remain accessible.

18. Are you confident that your employees will find out for themselves about the dangers of opening attachments or clicking on links in suspicious e-mails?

Our advice: Keep your staff alert! Regularly organise workshops to discuss the latest threats. Go through a few recent security incidents that were reported in the world press, and in which, as so often, carelessness was the cause of the problem. And do not forget that the management of your company also needs to be regularly made aware of such issues!

19. Are your collaborators aware of the risks associated with social engineering or false invoices?

Our advice: Viruses and malware are not the only threats; phishing is also a common issue. Explain to your staff that discretion is very important, including on social networks. After all, hackers go there looking for personal data that will allow them to impersonate a friend or colleague with the aim of launching a targeted phishing attack (spear phishing). Make sure your collaborators understand that if there is any doubt, they should phone the person who sent them an e-mail or a WhatsApp message. Did your employee suddenly receive a request to pay a supplier using a different bank account? There again, we advise you to call that company, not using the number mentioned on that invoice, but using the number provided in their own contact details.

20. Does your company consistently back up crucial data?

Our advice: Backups protect you against data loss and/or theft. Regular backups are therefore essential - but make sure to check the quality of the backups as well. The best approach is to consider a backup strategy for your company as a whole and automate it as much as possible so that any oversight cannot result in data loss. Did you choose to host your website or application with Combell? If so, Combell will take care of these backups for you. And you will be able to restore them via your control panel without any difficulty.
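"Check the quality of the backups" means proving that what was written can actually be restored intact. One way to do that is to record a checksum manifest when the backup is taken and compare a trial restore against it. The script below is an added example and not a Combell backup tool; the "live" and "restored" directory trees are constructed inside a temporary folder so it runs anywhere, and the deliberately flawed restore shows what a missing and a truncated file look like in the report.

```python
"""Check that a backup is actually restorable: record a SHA-256 manifest
when the backup is taken, then compare a restored copy against it.
Added example, not a Combell tool; the directory layout is constructed
inside a temporary folder so the script runs anywhere."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.

    Returns a dict listing files that match ('ok'), are absent from the
    restore ('missing'), whose content differs ('corrupted'), or that the
    restore contains but the manifest does not ('unexpected'). An empty
    'missing' and 'corrupted' means the restore test passed.
    """
    restored = build_manifest(restored_root)
    report = {"ok": [], "missing": [], "corrupted": [],
              "unexpected": sorted(set(restored) - set(manifest))}
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Simulate a backup, a flawed restore, and return the resulting report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "live")
        dst = Path(tmp, "restored")
        for d in (src, dst):
            (d / "docs").mkdir(parents=True)
        # Constructed "live" data at backup time.
        (src / "docs" / "contract.txt").write_text("signed 2024-03-01\n")
        (src / "customers.csv").write_text("id,name\n1,ACME\n")
        (src / "notes.md").write_text("nothing important\n")
        manifest = build_manifest(src)
        # A restore that silently truncated one file and lost another.
        (dst / "docs" / "contract.txt").write_text("signed 2024-03-01\n")
        (dst / "customers.csv").write_text("id,name\n")
        return verify_backup(manifest, dst)


if __name__ == "__main__":
    print(demo())
```

Store the manifest alongside (or, better, separately from) the backup set, and schedule the comparison against a periodic trial restore so that a backup job that "succeeds" but writes unusable data is caught before you need it.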

21. Do you keep backups in a secure location on your company premises?

Our advice: Do not keep the backups on your company premises. Because in the event of a disaster such as a fire, there is a good chance that your backup will also be lost. Offsite backups also protect you against cyberattacks, such as those involving ransomware. If your business operations are affected by hackers, an external backup is sometimes the only thing that can stay out of their clutches. A backup in the cloud is strongly recommended. Combell stores the backups on servers in a hypermodern data centre, which is highly secure, both physically and digitally.

22. Did you enable advanced security systems such as intrusion detection or event log managers with built-in data protection?

Our advice: If you want to be 100% sure that nothing wrong will happen, you should use advanced software or services that are designed to detect any potential threats in good time. An intrusion detection system (IDS) is a device or application that monitors the network to detect malicious activity or breaches of security policy. These detections are then centralised via a security information and event management (SIEM) system. An event log manager then helps you analyse the data collected by the SIEM.

23. Do you have a roadmap to respond to DDoS attacks, hackers or the failure of a business-critical server?

Our advice: Just like you have evacuation plans to be prepared for a fire in your company, you need to have a roadmap or action plan that clearly outlines how you should respond in the event of a digital disaster. Your own IT department plays a key role in this, as does the hosting provider that hosts your website or application. You should therefore make clear agreements: enquire what security measures that company takes, and what guarantees it can offer in a Service Level Agreement (SLA) to get your application or website back online as quickly as possible. Combell, for instance, guarantees 99.999% uptime as standard!

24. Are you counting on the filters in your employees' individual e-mail clients to work adequately without any e-mail security solutions at company level? (e.g. spam filtering)

Our advice: You can avoid a lot of hassle by filtering e-mail messages before they are delivered to your collaborators' mailboxes. Spam filters can be set at the level of the mail provider or adjusted in your collaborators' e-mail client. In Microsoft 365, you can configure the Exchange Online Protection anti-spam policy yourself in the Security & Compliance Center. Automatic spam blocking not only improves security, but it also boosts productivity!

25. Is the security of physical access to your corporate office with, for example, a badge system, alarm, etc. less important to you?

Our advice: Threats to the security of your company data are not limited to the digital environment with hackers or data leaks - your office also needs to be physically secure. Hackers can indeed cause a lot of damage to your equipment, but an alarm should at least deter them. Badge-based access control allows you to determine for each office or department in your building which staff members are allowed access. This helps keep unauthorised people out.
