10 Questions To Start Focusing Your SMB On IT Security Best Practices

August 1, 2018 Richard McElroy

IT security concerns are a growing focus of many meetings we have with managers and business owners. The focus on IT security stems from two areas: 1) the constant drumbeat of news concerning hacks, data breaches and ransomware attacks, and 2) questions and requirements regarding internal security practices coming from insurance companies, banks and connected customers. Very quickly, being able to demonstrate that your organization’s internal security practices are up to par is becoming a requirement to do business.

For businesses that find themselves facing questions from customers and vendors, we’ve put together a list of security questions that all businesses should review in detail with their IT service provider. The answers provide a strong baseline assessment, so you can confidently address these security concerns.

  1. Operating System and Third Party Software Updates:
    • How are servers and desktops updated?
    • What types of updates are applied?
    • Are the updates tested first?
    • What is the current patch status of the environment?
  2. Strong Password Policy:
    • Is there a complex password policy?
    • Is password reset required periodically?
  3. Screen Lock:
    • Is automatic screen lock required for devices that have been inactive for a few minutes?
  4. Equipment Disposal:
    • Is there a process in place to dispose of equipment securely?
    • Are hard drives wiped and shredded?
    • Are printer hard drives included?
  5. Backup Data:
    • Is important data backed up?
    • What data is backed up and is that everything that is needed?
    • Is the backup offsite?
    • Is the backup encrypted?
    • Are the logs and physical backups reviewed and tested?
  6. Administrator Privileges:
    • Who has administrator privileges?
    • Do they need the privilege and why?
    • Are users administrators on their workstations rather than standard users? If so, why?
  7. Secure Data Send:
    • Do you send or transmit confidential information?
    • Does a customer require encrypted transmissions?
    • What tool(s) are you using to send confidential information?
      • Email?
      • File transfer?
  8. VPN Connectivity:
    • Are employees trained to connect to the company’s network securely?
    • Do employees know to use the VPN when accessing public wifi networks or from customer sites?
    • Do you have a VPN?
  9. Mobile Device Protection:
    • What protections are in place in case a mobile device is stolen or lost?
      • Are mobile devices encrypted?
      • Can mobile devices be wiped remotely?
  10. Employee Education:
    • Is security training given to employees?
    • Is the training done once or yearly?