Cyber Security Assessment

This assessment will take approximately 15 minutes. It will help you identify areas of strength and weakness in your current cybersecurity policies and procedures. At the end of the assessment you will receive your results via email, a grade, and have an opportunity to ask for further assistance.

To begin, have you identified the confidential data (credit card numbers, social security numbers, etc.) collected or stored on your servers/computers? (Required)
- Yes
- No

Have your employees been trained to identify phishing emails? (Required)
- Yes, our employees are trained on identifying phishing emails and our business has a plan in place regarding how to address them
- Yes, our employees are trained on identifying phishing emails
- Our employees have some knowledge on phishing emails
- No, our employees have not been trained to deal with phishing emails

How do you restrict employee access to confidential information stored on your servers/computers? (Required)
- Only those who require access to the organization's data for their job functions and who have gotten approval to access the data may access the data
- Only individuals who have gotten approval to access the data may access the data.
- Only certain departments have access to the information.
- Anyone currently employed by the organization has access to the information.
- Anyone who has worked for the organization has access to the information.

How often does your business update the operating systems on devices that have access to confidential information? (Required)
- The operating systems are kept up to date with patches as soon as they are administered.
- The operating systems are updated regularly.
- Will only update the operating systems when the old system is no longer patched and supported by its developer.
- Will only update the operating systems if all current business applications run on the newest version of the system
- Never update the operating systems.

Have you identified all of the devices that store or have access to confidential information? (Required)
- Yes
- No

Do you remove non-essential applications from business hardware? (Required)
- Yes
- No

Does your business require the use of a Password Manager (Dashlane, LastPass, etc.)? (Required)
- Yes
- No

How do you manage your employees' passwords? (Required)
- All users have their own logins.
- Some systems use a common login.
- No logins in place/one shared login.

How complex are your passwords? (Required)
- At least 8 characters, contain Upper-Case Letters, Lower-Case Letters, Numbers, and Symbols.
- At least 8 characters, contain Upper-Case Letters, Lower-Case Letters, Numbers.
- At least 8 characters, contain Upper-Case Letters, Lower-Case Letters.
- At least 8 characters, contain only letters and numbers.
- None of the above.

How often do you change your passwords? (Required)
- More than twice a year.
- Twice a year.
- Once a year.
- Never

Do your computers automatically time-out after a duration of inactivity? (Required)
- Yes
- No

How does your company utilize firewalls in order to block unauthorized access? (Required)
- We have a separate firewall built within our company to protect our internal network structure.
- We use an internal firewall installed on our Windows or Apple computers.
- We do not use firewalls.

How often do you train your employees on the company's cybersecurity policy and procedure? (Required)
- They are trained on hire and annually.
- They are trained monthly.
- They are trained as-needed.
- They are never trained.

Do you allow your employees to access company files remotely? (Required)
- No, we do NOT allow remote access of any files.
- Yes, employees are trained on patching & password control for their systems.
- Yes, employees use a VPN (Virtual Private Network) to connect securely.
- Yes, employees do NOT access sensitive information over public WiFi connections.
- None of the options apply.

Does your business have anti-virus software? (Required)
- Yes, on all of our devices (desktop, laptops, tablets, phones, etc.)
- Yes, but only on some of our devices.
- No, our devices do not have antivirus software.
- I do not know.

Does your business have anti-malware protection? (Required)
- Yes, on all of our devices (desktop, laptops, tablets, phones, etc.)
- Yes, but only on some of our devices.
- No, our devices do not have anti-malware software.
- I do not know.

Is your business up to date in order to detect viruses or malware? (Required)
- Yes, our business is up to date.
- No, we are not knowledgeable on how to do so.
- No, we don't have the time to do so.
- No, we don't have the resources to do so.

How often do you check your devices for any malware attacks? (Required)
- Once a week
- Once a month
- Once a year
- Never

How often do you back up your data? (Required)
- Daily
- Weekly
- Monthly
- I have never backed up my system
- I don't know

In the event of a cyber-attack, what response plan do you have in place? (Select all applicable responses) (Required)
- Immediately back-up sensitive data.
- Contact Response Team.
- Preserve files for further investigation.
- None of these apply.

If a breach has occurred in the past, have you made changes to your system to ensure that this same breach will not occur again? (Required)
- Yes, the necessary changes have been made.
- Changes have been made, but the cause has not been discovered.
- A breach has not occurred in the past.
- No changes have been made.

A good practice for when a cyber-attack does occur is to have an individual or group of individuals assigned to not only control the attack, but also to discover how or where the attack occurred. Do you have an individual or group assigned to do that? (Required)
- Yes, they are readily accessible and well-trained in this area.
- Yes, however they are not readily accessible.
- No, we would like to; however at this time we do not have an individual or group capable of carrying out these tasks.
- No, we would establish this practice after an attack occurred.

Do you have easy access to contact information for the following resources that can help you recover? (Check all that apply) (Required)
- A legal agency which specializes in cyber crime
- Police or law enforcement agency
- Internet service provider
- Public relations agency
- List of software/hardware vendors who supplied your systems/devices
- None of the above

Do you have a detailed recovery plan that says what action you and your employees will take to bring your business back to normal following a cyber-attack? (Required)
- We have a recovery plan in place that lists clear, comprehensive steps.
- We have part of a recovery plan in place, but it may be short or vague.
- We do not have a recovery plan in place.

Is there someone in your organization who is designated to manage recovery after a cyber-attack? (Required)
- Yes
- No, but our employees have been trained on the proper way to respond.
- No

You should notify customers if their confidential information has been or might have been stolen. Does your business have a plan in place to notify customers if this occurs? (Required)
- Yes, we can quickly notify our customers.
- No, our business does not keep any permanent records of customer information.
- Yes, but it might take some time to notify our customers
- Yes, but we would have to figure out how to notify our customers.
- No, we do not know how to notify our customers.

Email
If you would like your results emailed to you, enter your email address above.

Information that you provide is highly confidential. We encourage you to print these results and request a meeting with a Nevada SBDC adviser to discuss methods to improve your small business cybersecurity. Visit our website: https://nevadasbdc.org to find the location closest to you, and register for an appointment.