Cybersecurity Assessment Quiz

Is your organisation cyber resilient?

Take a 5-minute test to find out how well you are protected against attacks and other cybersecurity threats.

Bonus: Every answer is supplemented with an explanation from industry experts. Once you have completed the test, you will receive recommendations on how to improve the security of your business.

The test is based on the Threat Zone 2020 study.

Start the test

1 of 13

Who is responsible for cybersecurity in your organisation?

Security unit within the IT department

Fairly well! However, this solution has certain drawbacks. When security specialists are part of the IT department, security tasks may be less prioritised or underfunded.

Dedicated security department

This is an optimal approach, which ensures a high level of security, since your data is protected by professionals. Furthermore, you minimise the conflict of interests between the security and IT functions by dividing the responsibilities.

IT employees

This approach is inefficient and may have adverse impact on your business. IT employees generally lack cybersecurity knowledge and skills. You better have your data protected by security specialists.

CEO/Deputy CEO

Certainly, CEO should drive forward the development of cybersecurity in the organisation, however, in order to sustain the high level of protection, all security tasks should be assigned to a dedicated department.

Answer

Do you have the required documents in place (cybersecurity policy, security instructions for employees, system access rules, etc.)?

There must be something, I must check

This does not sound good! Your unawareness may indicate that security has not been addressed in your organisation. You should start with an audit.

Yes, the the IT department has a cybersecurity policy and instructions

Good! The next step is to conduct an audit. You need to understand which documents are implemented and which are missing. Non-compliance with the regulations and the absence of required documents may lead to fines or worse — security problems.

Yes, policies, processes, instructions and many other documents

Excellent! Detailed policies and procedures help to streamline and maintain robust security processes.

There are no documents

Beware! This means that your company has no structured security processes, which may lead to spontaneous decision-making. To avoid this, you should establish the required security policies and procedures in advance.

Answer

Does your company conduct regular security training for employees?

Yes, we conduct trainings and tests and distribute awareness emails

This is commendable. Criminals often take advantage of non-professionals lacking the basic understanding of cybersecurity. One phishing email may be enough to compromise the company’s network. If your employees are aware of the threat and are trained to distinguish phishing, the chances for a successful attack are reduced significantly.

Yes, we distribute awareness emails on a regular basis

Good start! This helps to mitigate the human factor and the risks associated with it. Regular exercises and tests are also recommended for skills training. According to our statistics, during the first phishing exercise in the organisation, every third employee would click on the malicious link. However, after a couple of years of regular simulations this number would drop to 1 in 28.

There might be something

You should place your focus on cybersecurity. Apparently, data protection is not a priority in your company.

Only on induction day for new employees

Your company appears to have no incident response process in place. First-day induction alone is not sufficient to ensure proper response to attacks such as ignoring phishing emails and reporting incidents to the security team. Regular staff training is essential in practising such skills.

Answer

Do you know what types of information are processed in your company?

All information in the company is confidential

If all information is protected as confidential, the company may incur extraneous expenses. The asset value should correlate with the cost of protection. A good practice would be to classify and prioritise the assets before selecting protection measures.

All information in the company is public

This is not possible. Most organisations are commercial structures that have a client base and access to this information should be restricted. Furthermore, access to the company’s secrets, technologies, know-how or certain documents must be limited to specific users.

Confidential (personal data, trade secrets) and public information

Perfect! This means that information in your organisation is classified. Grouping data by types and criticality levels ensures a structured approach to its protection and allows to minimise security costs.

Answer

What authentication methods are used in the most critical information system?

Computer login and password

Using the same account across a number of systems increases the attacker’s chances of gaining access to the infrastructure. Systems should be classified into critical and non-critical and have different passwords. It is recommended to use an additional authentication factor, e.g. fingerprint or SMS code.

Separate login and password

Fairly well! However, we would recommend using an additional authentication factor, e.g. SMS code, fingerprint or USB token with a user certificate. This will help to better protect your data.

This is the most secure solution. Multi-factor authentication reduces the risks of unauthorised access to business-critical systems both by internal and external intruders.

All systems have the same level of criticality

This indicates that the company systems are not classified. A corporate portal for instance cannot have the same level of criticality as a banking system. Critical systems require additional security measures.

Answer

Do you use data encryption?

We encrypt critical systems and data carriers

Perfect! You allocate resources efficiently and mitigate the risk of data compromise.

We assessed the risks and concluded that encryption is not necessary

Good approach! In certain cases, compensatory protection measures can be a better and less expensive solution. For instance, instead of encrypting data, you can transmit information on USB flash drives or to paper, restrict access to the server rooms and implement other information system access controls.

Encryption is only used in third-party transmissions

Good! However, this is only a partial solution to protecting data confidentiality. In addition to third-party transmissions, sensitive information should always be encrypted when transmitted within critical systems or on data carriers.

Yes, we encrypt all data, which is a safer approach

This data protection method is far from efficient. Developing a robust security strategy requires the understanding of which data must be protected. This will help to allocate the resources properly.

Answer

How do you control office entrances and exits?

We have a staff access control system, and visitors are escorted by employees

Good solution! However, these measures may be insufficient. You might not be able to keep track of the guest’s movements in the office. Records and oversight of visitors helps to prevent unauthorised access to the company’s premises, thus, protecting your assets.

We have security guards, but no access cards

In this case, you cannot track people’s movements in the office. Security guards can only visually identify a person at the access point. Criminals can easily gain access to the company’s premises and stay there unnoticed.

Employees use personal access cards, visitors are granted access upon request

This is the best practice. You get complete oversight of all movements in the office and would be able to quickly spot a trespasser.

Answer

Have you ever had any information leaks, system compromises or malware infections?

More than once

Your protection measures are apparently insufficient. You should start with a security audit and afterwards implement a robust security system step by step.

Only once

We hope that you have learnt from this experience and fixed the gaps. The company’s security should be based on several pillars, including pre-emptive measures, security event analysis and effective incident response.

There have been some, but they were promptly resolved

Good to hear you can cope with attacks, but these problems are indicative of weak defences. You should consider realigning your approach to security and building a more effective security system.

Not a single attempted attack

This is hardly possible! You must be unaware of the attempts. If you implement basic security systems, they will detect indicators of past attempted attacks on your organisation.

No, but we have detected attempted break-ins

This means that you have adequate security defences at all levels — from pre-emptive measures and security event analysis to effective incident response.

Answer

Do you conduct security testing of newly developed or updated information systems?

Yes, our security team conducts separate tests

Perfect! When you focus on both security aspects and system functionality, you thereby reduce the number of vulnerabilities that can be exploited by criminals to infiltrate your corporate network.

Yes, this is the responsibility of IT department

It is good you conduct testing. However, the exercise will be more efficient if carried out by security professionals. They use special tools that enable higher quality testing.

We check the code for errors

Generally this is done by the developers themselves. They can test the system for critical errors and conduct a high-level review, but usually such checks do not cover security aspects.

We only test the functionality

This is how you check if the system meets business objectives, but the level of protection is not tested. You should have dedicated resources to address security needs.

Answer

Do you subject your contractors and partners to security checks?

Our agreements contain confidentiality provisions

It is good that you have the requirements specified in agreements, however this may be insufficient. Before dealing with a contractor, you should gain the understanding of their security management system. You can request security accreditation and certificates of conformity or third-party audit results.

Yes, we take into account the results of security audits and incorporate security provisions into agreements

Great approach. Defining the security requirements to your contractors and periodic control minimise the risk of attacks on the supply chain, where criminals first hack the least protected company and gain access through its infrastructure to the partners’ systems.

We conduct due diligence

Chances are high that the contractor who has passed due diligence has security systems in place. However, due diligence is usually focused on economic security — there is no guarantee that you will be protected against cyber threats while dealing with this company.

We only deal with known contractors

This approach cannot protect the company against potential threats. No matter how much you trust the contractor, this does not guarantee security. If your contractors have security vulnerabilities, they become your vulnerabilities too.

Answer

How do you handle security incidents?

On an ad-hoc basis

Apparently, there is no structured incident management system in your organisation. This may have an adverse impact on the security of your business.

We have a dedicated incident response team

Perfect solution! A dedicated incident management team helps to significantly mitigate the consequences of attacks.

They are handled by security specialists

This is a good solution, however, you better have a dedicated team to monitor incidents and develop response actions. You can also outsource this function to get a high-quality service at a possibly lower cost.

We outsource the Security Operations Centre (SOC) services

Mature approach! Outsourcing SOC services allows to quickly and effectively detect threats and repel attacks. Besides that, you do not have to make large investments into incident response systems and hire expensive professionals.

We have instructions for IT specialists

IT specialists can monitor and manage incidents fairly well based on instructions. However, these activities will be much more efficient when carried out by a dedicated security team.

Answer

How do you handle emergencies and infrastructure failures?

We have detailed action plans that are regularly reviewed and tested

You have everything under control! In case of emergency all organisational units will be able to take weighed and timely decisions and adapt the key business processes to the changed environment.

We have internal instructions, but have not used them yet

Good that you have an emergency or contingency plan. However, you should keep in mind that these documents should be tested and updated on a regular basis.

On an ad-hoc basis, with all concerned units involved

Apparently, your organisation has no anti-crisis strategy in place. An unforeseen event may lead to disruption of business processes and other adverse implications. You should develop a detailed emergency plan. For instance, you need to understand what technical capabilities are required for uninterrupted operation of business systems and their protection, how to secure remote access to corporate systems, build partner relationship in the new conditions, etc.

Answer

Have you identified the applicable cybersecurity law?

Yes, and we have partially fulfilled the requirements

Good! This means that your company understands the legal environment governing its operations. You need to complete the process and regularly monitor the changes in the legislation and technical requirements.

Yes, and we have fulfilled all of the requirements

Very good! You need to closely monitor the changes in the cybersecurity legislation. The stability and market positions of your company depend on its ability to comply with legal requirements.

Not yet

You should focus on legal compliance in the field of cybersecurity. Failure to comply with legal requirements leads to heavy regulatory fines, loss of market positions and security issues.

Yes, but decided to accept the risks

Cybersecurity legislation is a risk not to be taken lightly. Compliance procedures help to avoid potential security problems. Besides, companies may be sanctioned for non-compliance with their operations suspended.

Answer

See the results

Results

You should take a serious approach to security and implement urgent measures to improve your cyber resilience.
Your company has a low level of cyber resilience: there is a lot to be done to protect your business against security risks.
You have evidently taken steps to address security needs of your organisation, however these measures are insufficient — please refer to the recommendations from our experts.
You apparently take care of cybersecurity at your organisation. However, there is still some room for improvement.
Your organisation has a high level of cyber resilience, keep up the good work! However, an independent expert assessment is always a worthwhile step.

Take the test again

12 steps to improve the cyber resilience of your organisation:

Read the recomendations

1. Create a dedicated security department.
This will help to define the responsibilities of the security and the IT teams and avoid conflict of interests.
2. Implement the required policies and procedures (cybersecurity policy, security instructions for employees, system access control rules, etc.).
This is necessary to streamline, maintain and improve security processes in your organisation.
3. Conduct regular security training for employees and test their knowledge.
Employee awareness reduces their vulnerability of social engineering, which is the most popular method used by attackers.
4. Classify information processed within the organisation by types and criticality levels.
This gives a structured approach to data protection and minimises security costs.
5. Use multi-factor authentication to secure access to critical systems.
This measure decreases the risk of unauthorised access by external and internal intruders.
6. Encrypt systems and digital carriers with critical data.
Encryption reduces the risk of unauthorised access to information.
7. Use an access control system to track employees and visitors across the company’s premises.
This helps to prevent criminals from accessing the premises and to easily track their location if this happens.
8. Conduct separate security testing when developing or incorporating new software into the company infrastructure.
Testing can be carried out by your in-house security specialists or independent experts. It is critical to focus on system or software security at the early development stages. This approach, known as ’security by design’, decreases the criminal’s chances for success and helps to build a holistic security framework in the organisation.
9. Define the security requirements for contractors and partner organisations.
In certain cases, criminals attack the least protected company first and use its infrastructure to gain access to partner systems (which is called ’attack on the supply chain’). Therefore, you should be aware of the current-state security in contractors’ organisations.
10. Ensure timely incident response — the best solution would be a dedicated security team.
SOC specialists will apply proper tools and verified methodologies. You can create an in-house centre or outsource professional services.
11. Develop continuity and recovery plans for emergency events.
When the strategy is planned in advance, all organisational units will be able to take quick and rational decisions in critical situations.
12. Determine the applicable law with respect to your company’s operations and ensure compliance with its requirements.
Failure to comply leads to severe regulatory fines, loss of market positions and even suspension of company operations.

Now you know the current state of security in your organisation.

Do you need to get a risk mitigation plan and identify priority areas?

Comprehensive cybersecurity audit will help to find the best solution. Please complete the form below for a consultation.

Apply for a cybersecurity audit.

Complete the form

Full name*

Corporate email*

Company*

Comment

I consent to my personal data being used in accordance with the Privacy Policy for the following:

to receive reference information and be available for contact by the company representatives

to receive informative messages from the company

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

1 of 13

Who is responsible for cybersecurity in your organisation?

2 of 13

Do you have the required documents in place (cybersecurity policy, security instructions for employees, system access rules, etc.)?

3 of 13

Does your company conduct regular security training for employees?

4 of 13

Do you know what types of information are processed in your company?

5 of 13

What authentication methods are used in the most critical information system?

6 of 13

Do you use data encryption?

7 of 13

How do you control office entrances and exits?

8 of 13

Have you ever had any information leaks, system compromises or malware infections?

9 of 13

Do you conduct security testing of newly developed or updated information systems?

10 of 13

Do you subject your contractors and partners to security checks?

11 of 13

How do you handle security incidents?

12 of 13

How do you handle emergencies and infrastructure failures?

13 of 13

Have you identified the applicable cybersecurity law?

Results

12 steps to improve the cyber resilience of your organisation:

Now you know the current state of security in your organisation.