CyberRisk_Property What is your position in the company? CEO / Owner CFO / Finance Director CIO / IT Director / CTO / Technical Director Risk / Compliance / CISO / Security Officer What is your business turnover? 0 - £100,000 £100,001 - £500,000 £500,001 - £1,000,000 > £1,000,001 What types of IT do you use to run your business? Inhouse IT only. Cloud IT only. Hybrid IT Hint Are your Business Software and Anti-Virus definitions automatically updated to the latest release? 1. Yes, our Business Software and Anti-Virus definitions are updated/patched automatically. 2. As part of our processes, our Business Software and Anti-Virus definitions are updated at least every couple of months. 3. We update and patch our Business Software and Anti-Virus when we can. 4. We don't have a process for updating and patching our Business Software and Anti-Virus. 5. We don’t have Anti-virus installed on all our PCs. Hint Are Firewalls in place to protect your infrastructure? 1. Yes, firewalls are in place and firewall logs and definitions are regularly checked. 2. Yes, firewalls are in place but no process to check logs and definitions. 3. We don’t have firewalls. Has your business ever had a Security Risk or Vulnerability Assessment? 1. Yes, but not in the last 12 months 2. Yes regularly, at least yearly 3. No, never Hint Has your business ever been disrupted by a Security Incident? 1. No known incident in the last five years 2. No more than one incident in the last five years causing business disruption 3. Multiple incidents in the last five years causing business disruption Hint What is the business consequence of losing access to your data and/or systems? 1. Limited or no revenue impact during outage 2. Significant revenue impact during outage (but business continues) 3. My business virtually stops during outage Hint Do you have a documented Disaster Recovery (DR) strategy in place that has been rehearsed at least once in the last 24 months? 1. No comprehensive DR strategy, but we do have offsite and offnet, tested backups. 2. Yes, documented DR strategy, rehearsed once. 3. Yes, documented DR strategy, rehearsed regularly. 4. No DR strategy in place and no backup process/mechanisms, but data distributed over several systems (BYOD) Hint What is the consequence of internal data and systems being exposed to a third party? 1. We do not hold any internal, staff or customer data or run systems that would cause business or disclosure issues if being exposed. 2. We hold business confidential and/or PII data that will cause mayor embarrassment and possibly fines if lost to a third party. Hint Do you know where all copies of your critical data are stored? 1. Yes, the business has controlled, encrypted storage of all critical data 2. Yes, central storage but not encrypted 3. I am not sure exactly where all my critical data is stored 4. I am not sure where it is and staff frequently store critical data on their home and mobile systems Hint What if your Web-site were inaccessible by partners or customers? 1. Our Web-site is for informative purpose only, so no business impact. 2. Our Web-site has no monetary transactions, but more than a thousand hits per week. 3. Our business is Web-site centric and we would lose most our revenue if the Web-site were down. 4. We don't have a web site Hint What would the consequence be of your Web-site being de-faced or altered in a negative way? 1. We don’t have much traffic on our web-site, so not sure anyone would notice. 2. A lot of our business goes through our Web-site (> 1000 hits per week), this would be embarrassing and disruptive to our business 3. We are a charity or political organisation, our web site represents our ethic and political views and having it altered would have a major negative impact. 4. We don't have a web site Hint What if someone forged an email to look exactly like it came from your Finance Director, to Accounts Payable, with instructions to make an online transfer to an external account? 1. Our procedures would verify through other means that the source was authentic so no action would be taken 2. Only digitally signed emails or messages from an authorised person can authorize a payment 3. We have no process for Accounts Payable to authenticate emails from CxOs. Hint Name Business Name Email Address Time's up
