Receive our IT best practice health assessment

This short survey can be completed by anyone in your organisation who has a responsibility for IT – you don’t need to be a techie. It takes you through some key questions around IT practices which will help us to provide a report about your overall IT estate.

Once completed, we will run a report which we will send back to you via email. Of course, this is based on your responses, and ideally we would have an opportunity to carry out an in-person IT audit. You may qualify for this to be done free of charge; please get in touch to find out more.

If you are unclear about the answer to any of these questions – or if you think that something is happening but realise you can’t actually be certain it is – it’s best to choose ‘unsure’ as an option. If you are unsure about how to answer any of the questions, feel free to call us on 01483 412 040 and we will be happy to talk you through them.

    IT best practice health assessment

    This short questionnaire aims to assist you in evaluating how your organisation performs against a range of identified good practice standards within the commercial use of technology. You do not need to be an IT expert in order to complete this assessment, but it's useful if you have some understanding of the policies you already have in place.

    Once you have pressed submit, we will analyse your answers and produce a report full of actionable insight and recommendations for improving IT health, resilience and security. One of our consultants will be in touch with your report within 24 hours.

    It will take you about 5 minutes to complete the questionnaire.

    Do you have a strong password policy in place?

    Passwords are the first line of defence and the simplest protection for keeping user data safe. You need to ensure that end user passwords are controlled centrally, so that users are forced to use complex, unique passwords and to change them regularly. Humans will follow the path of least resistance, so simply telling them to do this is not enough; your password policy needs to be enforceable. To answer 'yes' to this question, your password policy should be controlled centrally so that users are required to comply, it should insist on complex passwords, and it should ensure that passwords expire after an agreed period of time.

    Are you using Multi Factor Authentication (MFA) for access to key systems, such as Office 365 and CRM databases?

    With more and more data stored in the cloud, in particular in Office 365, organisations are using traditional security measures, such as VPNs, less frequently. If the only thing a cyber criminal needs in order to log in as you is your email address and password, this is fairly easily cracked. With multi factor authentication (MFA) a user also needs a secondary device, normally a mobile phone authorised by your organisation, from which the user generates a one-time passcode which is needed in addition to the password. This has been proven to reduce successful account hacking by up to 99%.

    Are all your PC and laptop hard drives encrypted?

    Whilst you may have a password policy in place, if a device is stolen it's possible to circumvent that password by removing the hard drive and installing it in another device. If the hard drive itself is encrypted, this further protects all the data stored on the disk. Cybersecurity and data control are legislated under GDPR, which became law on 25/05/2018. Under the law, directors of the business are personally liable (with potential imprisonment) for any breaches. The significance of encryption is that should a machine be lost or stolen, the breach must be reported to the ICO within 72 hours of the loss becoming known. If the machine is encrypted, that is the end of the responsibility; if the machine was not encrypted, however, the loss also has to be reported to all of the company's contacts whose details may have been compromised. The negative PR associated with having to notify all your contacts is possibly more damaging than the breach itself!

    Are all of your devices upgraded to the latest operating system?

    Old operating systems are an immediate risk to the security of your data, because they are no longer patched and updated by the manufacturer to protect you against the latest cyber threats. By now you should ensure that all Windows devices are running Windows 10, and that all Mac devices are updated to macOS Catalina.

    Are you using a third party backup service to back up all of your data?

    Backup of data remains a mission critical activity, and this is just as important in cloud based networks as it is with traditional server based computing. Data gets lost or compromised for many different reasons. The most common cause of data loss is accidental deletion, but increasingly cyber attacks work to encrypt data, with a ransom being demanded for the safe decryption of that data; the ability to restore quickly is much more cost effective. And of course hardware corruption, theft or destruction still happen too. Storing data in the cloud does not mean it's automatically exempt from the need for a third party backup! In the case of malicious data encryption, for example, cloud stored data is just as much at risk. Whether it's a traditional tape backup or an online cloud solution, there should always be a second copy of your data, with an 'air gap' between the live data and the backup. It should cover email accounts, file storage (be that on servers, in SharePoint or in cloud stores), as well as CRM, HR and finance databases.

    Do you know how long it would take to restore key elements of your current system or data?

    Most organisations recognise the importance of backup, but in reality it's the ability to restore data that matters when something has gone wrong. Your business continuity plan should include a statement from your Chief Executive setting out how long it takes to restore key systems, and a confirmation that this timescale is acceptable to the organisation. Think about different parts of your system, for example CRM, Finance, Files & Folders. What is the impact of a restore that may take several days? If it takes 5 days to run a cloud restore of your finance system, that might be fine, unless it's at month end or tax year end. What's an acceptable period of downtime for your organisation?

    Is someone responsible for ensuring all devices, including routers and firewalls, are updated with the latest patches and updates?

    Manufacturers release patches and updates regularly, both to fix performance issues and to patch against newly discovered security vulnerabilities. It's important to ensure that your organisation has someone responsible for regularly auditing all devices (PCs, laptops and tablets as well as networking equipment such as firewalls, routers and switches) to ensure that they are protected with the latest manufacturer updates.

    Are you using a centrally managed antivirus/anti-malware tool, suitable for the commercial environment?

    Antivirus or anti-malware software has been around for as long as any of us can remember, but not all versions were created equal! This software is probably more important to your organisation than the lock on your front door, so don't use the cheapest option: you get what you pay for! As a minimum, your antivirus software should be approved for use in a commercial environment and should be centrally managed, which means your IT administrator should have a central console that they can log in to, which reports back on what devices are being used across the business and checks that all are running the most recent release of the manufacturer's software. It should never be left to end users to manage this themselves, because we can guarantee they will never do it regularly enough!

    Do you have a policy in place for managing mobile devices?

    In this 'software as a service' world, your company data is increasingly being accessed by your staff from more devices than ever before. Whether you issue mobile devices to your colleagues or people use their own, it's a given that people will, at the least, be accessing emails and calendars via their smartphones, and many will also be accessing files and CRM data too. It's important that you have a process for managing mobile devices which enables you to determine who can access what, the minimum security requirements of each device that accesses your data (e.g. does that phone have a six digit PIN and is it running an up to date operating system), and which enables you to restrict or block access to data should an employee leave you or lose their mobile device.

    Do you have a current register of all the places your data is stored?

    Under the requirements of GDPR, it is important that you maintain an accurate register of all your company data and that you know exactly how and where that data is stored. You should have a documented data asset register covering email, file storage, CRM, HR and marketing data. Think not only about emails and files, but also about what tools your people are using to communicate and share data, be that messaging tools, conference services etc. You should be confident that all your third party suppliers are taking appropriate steps to store your data securely, and you should also be confident that you know where that data is physically stored. You may outsource services to software companies, but you cannot delegate your responsibilities under the data protection regulations, and the Information Commissioner's Office can issue significant fines and penalties if you are found to be breaching good practice.

    Are you carrying out regular cyber security awareness training?

    IT security is 50% technology and 50% human factors! You need to train your staff to become your 'human firewall', ensuring they are vigilant to the types of attack that exploit these human factors. The threat landscape is changing all the time; it's not enough to just run a 30 minute session as part of induction. Training needs to be current, regular and relevant.

    Are you carrying out test phishing exercises?

    Phishing emails are becoming more sophisticated and harder for a user to spot, resulting in an increase in successful cybersecurity breaches. The key to protecting your data is ensuring that your staff know how to spot a fraudulent email and how to keep your business safe. It's a great idea to carry out periodic tests, sending out spoof phishing emails and tracking who falls foul of the test, so that you know where to focus your staff training.

    Do you have physical servers within your organisation?

    Are all your servers under a current manufacturer's warranty?

    ramsac recommends that all ‘production environment’ servers are covered by a manufacturer’s warranty. If a server fails, multiple users would be affected, so it’s important that a fix can be applied quickly. If a server is covered by a manufacturer's warranty, the manufacturer is responsible for ensuring that replacement parts are available, normally within 4 working hours. For any server that is not covered, we would therefore recommend that you look to either extend the warranty or consider replacing that server or migrating it on to different hardware.

    Do you have a properly configured Uninterruptible Power Supply (UPS)?

    A UPS is an external battery which is designed to protect sensitive network equipment from power faults. In the event of a power cut that lasts longer than the battery life, the idea of the UPS is that it recognises that it’s running out of battery and starts to gracefully shut down servers, in the order specified in the management console, to ensure that all servers are neatly closed before the battery power also fails.

    About you

    Please provide us with information about you and your company so we know where to send the report.

    We will only use your information in relation to this enquiry.