Check List: Locking Down Cybersecurity in your Cannabis Business

In this post, we will expand on the security guidance and dig further into the details for securing the people, operations, and technology of your cannabis business. Our work for a cannabis investor included assessing security practices and potential investment risk.

Although information security has a rapidly evolving, complex landscape, core protections remain consistent across size, stage, and technology platform.

Cannabis business owners and investors need to consider digital security and business continuity, not just physical security. The questions below are from a summarized information security assessment.

As you read through these 21 questions, write down your answers, e.g., Always, Most of the Time, Some of the Time, or Never.

  • The point of these questions is to break down a complex subject (security) into business language that anyone can understand.
  • Think of this like an insurance application. Even if you never apply, you learn a lot about your weak spots and potential risks by filling out the questionnaire.
  • Reviewing the questions should give you a sense of confidence. Instead of sticking your head into the sand and hoping that the threats will go away, a number of corrective actions are low cost and quick.

Grab a coffee. Set your phone aside for 30 minutes. Here are the questions:

| Category | Question | Comments |
|---|---|---|
| Employees | Are the information security policy and procedures monitored and tested? Are employees tested and instructed not to give out personal or business information to untrusted parties? | Policies do not prevent a loss or breach by themselves. They establish acceptable behavior and a support channel for help. |
| Employees | Is there annual training regarding computer usage, email usage, internet usage, data handling and disposal, cyber incident reporting and handling, and other cyber security best practices? | Culture isn’t established with boring videos. Talk about security regularly, particularly recent attacks or successful defenses. |
| Employees | Does organizational culture encourage and reward employees for reporting suspicious cyber behavior? | Reward, rather than shame. Ashamed employees will hide mistakes instead of reporting them. |
| Employees | Are employees required to use strong passwords or multifactor authentication on all devices and business applications? | It takes ~64 years to crack a password of 5 random words using today’s quantum computers (it’s a thing). |
| Employees | Do you randomly test employees to determine if they are susceptible to phishing scams? | If your IT staff can’t handle this task, there are a number of providers that will run a test for free. |
| Financials | Are two authorized signatures required to approve a funds transfer? | Impersonating two financial officers rather than one is not impossible, but significantly more difficult. |
| Financials | Is verification through phone call or address on file required for requested funds transfers? | Business email compromise (BEC) is rampant. Voice confirmation protects you from fraud. |
| Financials | Is there confirmation that the vendor is in fact owed such requested amounts? | Fake invoices are common. You may pay an attacker impersonating a supplier. |
| Financials | Do policies and procedures for approving funds include verification of any changes in a vendor’s bank account through a call back to a telephone number on record or an email to an address on record of an authorized user? | Make this a standard with your key vendors and suppliers. If a partner in your value chain identifies a possible attack, set up a way to alert everyone in the chain. |
| Financials | Are funds transfer request policies and procedures consistent globally? | Differences between offices, warehouses, or state regulations create opportunity. Follow procedures consistently. |
| Financials | Have employees been made aware of the risks of fraudulently induced payment scams such as “CEO Fraud”, “Fake Presidents”, “Business Email Compromise” and fraudulent vendor invoices and vendor payment diversion? | Administrative staff are often targeted with fake requests that appear to be urgent or time sensitive. Allow them to verify the request quickly, e.g., SMS or safeword. |
| Technology | Are individual user accounts required for each employee or contractor? | Sharing user accounts and access makes auditing user history impossible. Proactively keep a few licenses open in case of a hiring wave or temporary license need. |
| Technology | Are anti-virus, anti-spyware and other anti-malware programs installed and updated daily? | Focus on Macs and Windows machines, although vendors offer mobile device security solutions as well as laptop and desktop solutions. |
| Technology | Are web browsers kept up to date by forcing the use of secure connections (HTTPS or VPN), by automatically clearing web browser history, cache etc., and by requiring the use of dedicated systems for highly sensitive business operations? | Attackers can use a phishing message to get you to download a browser plugin or extension that lets them hijack older browsers. |
| Technology | Are web and email filters enabled to block malware infected email, attachments within email, unapproved or inappropriate websites, and blacklisted websites? | In parallel with an acceptable use policy, actively block suspicious sites and sites that create a hostile work environment. |
| Technology | Are full and incremental backups of important business information made weekly/daily? | The key here is to apply the same solution consistently, rather than spreading your data across the internet or applications, e.g., Drive, SharePoint, Dropbox, Box. |
| Technology | Is restoring from backup tested at least twice per year? | Make a plan. Test it. Share the results and make improvements. |
| Technology | Are you able to remotely wipe lost or stolen devices? | In parallel to a bring your own device (BYOD) policy, select a tool that lets you delete email and business documents if a personal or business device is lost. |
| Technology | Is encryption used for sensitive business information, which includes the use of full disk encryption on all critical and end user systems, the use of encrypted emails when sending sensitive information, and the use of encrypted offline media when storing sensitive information? | If a laptop is stolen from the trunk of your car, what is lost? In financial services, the data on a laptop is worth approximately $500K. The actual laptop? $500. |
| Technology | Are employees blocked from connecting personal and untrusted storage devices (such as USB sticks) into work computers? | USB drives with malicious software may come home from a conference to your office. |
| Technology | Is users’ access to data and information restricted? Are users with access to business information identified and controlled? | Start with your financial systems and list the people with access. Do they need it? Why? Start to clarify what tools are needed vs. tools that are optional for your employees. |
| Protection and Architecture | Are wireless access points and networks secured by changing the default administrator password, and by enabling WPA-2? | Would you leave your front door open to the warehouse? Why would you let someone access your inventory or financial systems from the parking lot? |
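As an added example (not code from the original post or from Kettle Consulting Group), the Financials controls above can be expressed as a single pre-transfer check: two distinct authorized signatures, the amount matched to an invoice actually owed, a callback placed to the phone number on record rather than a number supplied in the request, and any change of bank account confirmed on that call. The vendor file, invoice ledger and phone numbers are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed vendor master file: the only trusted source of bank details and phone numbers.
VENDORS_ON_RECORD = {
    "V-100": {"bank_account": "ACCT-ON-FILE-1111", "phone": "+1-555-0100"},
}
# Constructed accounts-payable ledger of invoices actually owed (vendor, invoice) -> amount.
OPEN_INVOICES = {("V-100", "INV-2041"): 12500.00}


@dataclass
class TransferRequest:
    vendor_id: str
    invoice_id: str
    amount: float
    bank_account: str                                   # account named in the request
    approvers: Set[str] = field(default_factory=set)    # distinct authorized signers
    callback_dialled: Optional[str] = None              # number accounts payable actually dialled
    callback_confirmed_account: Optional[str] = None    # account the callee confirmed


def approve(req: TransferRequest, signer: str) -> None:
    """Add one signature; signing twice with the same name still counts once."""
    req.approvers.add(signer)


def record_callback(req: TransferRequest, dialled: str, confirmed_account: str) -> None:
    """Log the out-of-band call that was made and which bank account the callee confirmed."""
    req.callback_dialled = dialled
    req.callback_confirmed_account = confirmed_account


def check_transfer(req: TransferRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, failed_controls); the transfer is allowed only when every control passes."""
    vendor = VENDORS_ON_RECORD.get(req.vendor_id)
    if vendor is None:
        return False, ["unknown vendor"]
    failed: List[str] = []
    if len(req.approvers) < 2:
        failed.append("two authorized signatures required")
    owed = OPEN_INVOICES.get((req.vendor_id, req.invoice_id))
    if owed is None or abs(owed - req.amount) > 0.005:
        failed.append("amount does not match an open invoice")
    # The callback must go to the number ON FILE, never to a number supplied in the request.
    if req.callback_dialled != vendor["phone"]:
        failed.append("no callback to the phone number on record")
    elif req.bank_account != vendor["bank_account"] and req.callback_confirmed_account != req.bank_account:
        failed.append("bank account differs from file and was not confirmed on the callback")
    return not failed, failed
```

A request that arrives with "new" bank details and its own contact number fails the check whenever the callback is placed to that number instead of the one on file, which is exactly the payment-diversion pattern the questions describe.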

Was that so bad? Based on your answers, talk with your finance lead and technology lead to prioritize your improvement actions.

  • If the Financials Category answers are Never or Some of the Time, make immediate changes so that you can answer them as Always.
  • Most of the Technology Category fixes require very little time and energy, e.g., turn on automatic updates, install anti-virus and anti-malware software.
  • Employee Category questions are hard to change because you are asking people to behave differently. Start with employees that access core data, e.g., sales leads and supplier contracts, as well as new or recent hires.


Matt Leathers

Matt has over fifteen years of consulting and industry experience, working for some of the leading consulting firms in the world. Currently, Matt is a senior consultant at Kettle Consulting Group, which aims to help clients build strategic business and technology capabilities that assume long-term independence and sustainability.
He can be reached at: [email protected]