A couple of days ago, I mentioned the challenge of being held accountable for the cybersecurity of your organisation, even though you rely on others to manage it on your behalf.
How do you make sure they are not making a mess of it?
One way is to ensure you are receiving accurate data points on a regular basis.
These data points may reveal the true health of your security defences.
What data points should you collect?
There are hundreds of potential options.
But off the top of my head, here are a few:
- How many staff members have not received any cyber awareness training / refreshers in the last X months?
- How many accounts of staff leavers were not disabled within X days of their departure date?
- How many laptops are missing critical Windows updates more than X weeks after being released by Microsoft?
- How many laptops are missing important Windows updates more than Y weeks after being released by Microsoft?
- Repeat the two Windows update questions above for applications like Microsoft Office, Adobe, Zoom, all internet browsers, all remote access tools (e.g. TeamViewer), etc.
- How many systems are accessible over the internet with just a username and password?
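As an added illustration (not code from the post), here are those data points computed from constructed HR, identity, patching and external-exposure records; the X and Y thresholds are the keyword arguments, and the record layouts are assumptions about what your systems export.

```python
from datetime import date, timedelta

# Constructed sample data (not from the post). In practice these rows come from
# the HR system, identity provider, patch management console and external scans.
STAFF = [  # name, last training date, leave date, account disabled date
    ("alice", date(2024, 1, 10), None, None),
    ("bob", date(2023, 2, 1), None, None),                              # refresher overdue
    ("carol", date(2024, 3, 5), date(2024, 4, 1), date(2024, 4, 20)),  # disabled 19 days late
    ("dave", date(2024, 3, 5), date(2024, 4, 1), date(2024, 4, 3)),    # disabled within 2 days
]
PATCHES = [  # host, product, severity, vendor release date, installed?
    ("lt01", "windows", "critical", date(2024, 5, 14), False),
    ("lt02", "windows", "important", date(2024, 5, 14), True),
    ("lt03", "office", "critical", date(2024, 3, 12), False),
]
EXTERNAL = [  # internet-facing system, MFA enforced?
    ("vpn", True),
    ("webmail", False),
]
REPORT_DATE = date(2024, 6, 1)  # the "particular point in time" the report covers


def health_metrics(today, training_months=12, leaver_days=2,
                   critical_weeks=2, important_weeks=6):
    """Return the post's data points as counts; every threshold is a parameter
    so X and Y can be set to whatever the organisation has agreed."""
    training_cutoff = today - timedelta(days=30 * training_months)  # approx. months
    untrained = sum(1 for _, trained, left, _ in STAFF
                    if left is None and trained < training_cutoff)

    leavers_open = sum(1 for _, _, left, disabled in STAFF
                       if left is not None
                       and (disabled is None or (disabled - left).days > leaver_days))

    # Missing updates per product and severity (the "repeat for each
    # application" step), counting only patches older than their grace period.
    grace = {"critical": timedelta(weeks=critical_weeks),
             "important": timedelta(weeks=important_weeks)}
    missing = {}
    for _, product, severity, released, installed in PATCHES:
        counts = missing.setdefault(product, {"critical": 0, "important": 0})
        if not installed and today - released > grace[severity]:
            counts[severity] += 1

    password_only = sum(1 for _, mfa in EXTERNAL if not mfa)

    return {"untrained_staff": untrained, "leaver_accounts_open": leavers_open,
            "missing_updates": missing, "password_only_external": password_only}


if __name__ == "__main__":
    for name, value in health_metrics(REPORT_DATE).items():
        print(f"{name}: {value}")
```

Each non-zero count is a question to put to whoever manages security for you, not a verdict on its own.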
In theory, a value greater than zero for any of these is a red flag.
In reality, there are many valid reasons why something may be non-zero at a particular point in time.
Getting these data points enables you to ask informed questions.
And the people who manage cybersecurity on your behalf should be able to give you informed answers.
One final tip
IF
They are slow to respond [OR] their answers are sketchy.
THEN
This is informing you that you have a problem.
A problem that you will be held accountable for.
END-IF