How Secure Is Your Organisation?

Does your organisation enforce multi-factor authentication (MFA) for all remote access and critical systems?

MFA significantly reduces the risk of account takeover attacks, which are responsible for over 80% of data breaches.

• A No MFA is in use anywhere.
• B MFA is used by some staff or for some systems only.
• C MFA is enforced for remote access and privileged accounts.
• D MFA is mandatory for all staff across all systems.

How does your organisation manage privileged administrator accounts?

Privileged Account Management (PAM) limits the blast radius if an administrator account is compromised.

• A Admins use their regular accounts with elevated rights.
• B Separate admin accounts exist but are not tightly controlled.
• C Admin accounts are dedicated and monitored.
• D Full PAM solution with session recording and just-in-time access.

How frequently does your organisation review and remove unnecessary user access rights?

Regular access reviews enforce least-privilege and reduce the exposure from dormant or ex-employee accounts.

• A Access is rarely reviewed or revoked.
• B Reviews happen annually or when issues arise.
• C Quarterly access reviews are conducted.
• D Continuous access certification with automated provisioning.

Does your organisation have a documented password policy that is actively enforced?

Strong password policies reduce the risk of brute-force and credential-stuffing attacks.

• A No formal password policy exists.
• B A policy exists on paper but enforcement is inconsistent.
• C Policy is enforced technically (length, complexity, expiry).
• D Policy aligns with NIST 800-63B including breached-password checking.

Does your organisation maintain and regularly update firewall rules to block unnecessary traffic?

Firewall hygiene is fundamental. Outdated rules can allow traffic to systems that should not be exposed.

• A No enterprise firewall is in place.
• B A firewall exists but rules are rarely reviewed.
• C Rules are reviewed annually and locked to least-access.
• D Automated rule management with quarterly audits and alerts.

How does your organisation segment its network to isolate sensitive systems?

Network segmentation limits lateral movement — an attacker who breaches one zone cannot easily reach others.

• A All devices share a flat, undivided network.
• B Basic separation (e.g. guest WiFi) but no formal segments.
• C Key environments (servers, users, IoT) are segmented.
• D Micro-segmentation with zero-trust network access (ZTNA).

Does your organisation use endpoint detection and response (EDR) or managed security tools?

Basic antivirus is no longer sufficient. EDR provides behavioural detection and response capabilities.

• A No endpoint protection beyond Windows Defender.
• B Traditional antivirus only.
• C EDR deployed on most endpoints.
• D EDR + managed detection (MDR/XDR) with 24/7 coverage.

Does your organisation classify and label sensitive data (e.g. personal, financial, confidential)?

You cannot protect what you have not identified. Data classification is the foundation of an effective data protection programme.

• A No data classification scheme exists.
• B Some data is informally categorised but not systematically.
• C A documented classification policy is applied to key data stores.
• D Automated classification with DLP enforcement across all channels.

Is sensitive data encrypted both at rest and in transit?

Encryption is your last line of defence if storage or communications are compromised.

• A Data is not encrypted at rest or in transit.
• B Some systems use HTTPS but disk encryption is inconsistent.
• C TLS enforced and full-disk encryption deployed on devices.
• D Encryption at rest, in transit, and in use, with key management.

Does your organisation test data backups to verify they can be successfully restored?

Untested backups often fail during ransomware recovery. Regular restore testing is essential.

• A Backups are taken but never tested.
• B Backups are tested occasionally or after incidents.
• C Quarterly restoration tests with documented results.
• D Automated restore verification with immutable offsite copy.

Does your organisation have a documented and tested incident response plan?

An untested plan is worse than no plan — you need to know it works before an incident occurs.

• A No incident response plan exists.
• B A plan exists but has never been exercised.
• C Plan is tested annually via tabletop exercises.
• D Regular red team exercises with post-incident review cycles.

How quickly can your organisation detect a significant security incident?

The average attacker dwell time is 16 days. Fast detection dramatically reduces damage.

• A Incidents are usually reported by external parties or users.
• B Detection typically takes days to weeks.
• C Most incidents detected within 24 hours via monitoring.
• D Near-real-time detection via SIEM/XDR with automated alerts.

How frequently does your organisation run phishing simulation tests?

Phishing is the primary initial attack vector. Regular simulations build genuine resilience.

• A No phishing simulations have been run.
• B Simulations run once a year or after an incident.
• C Quarterly simulations with targeted follow-up training.
• D Continuous phishing simulation with personalised learning paths.

Does your organisation provide role-specific cybersecurity training for executives and board members?

Executives are the highest-value target for spear-phishing and BEC attacks. Generic training is insufficient.

• A No specific training for executives.
• B Executives receive the same training as all staff.
• C Tailored executive briefings are held annually.
• D Ongoing executive cyber programme with board reporting.

Does your organisation assess the cybersecurity posture of suppliers before onboarding them?

Supply chain attacks have increased 742% since 2020. Vendor risk is now a primary attack surface.

• A No supplier security assessment is conducted.
• B A basic questionnaire is sent but rarely reviewed.
• C Documented vendor risk assessment for all critical suppliers.
• D Continuous supplier monitoring with contractual security requirements.

Are your third-party contracts reviewed to include cybersecurity obligations and breach notification requirements?

Contractual security requirements set enforceable expectations and protect your organisation legally.

• A Contracts do not address cybersecurity at all.
• B Some contracts have basic security clauses.
• C Standard security addenda applied to all critical vendor contracts.
• D Risk-tiered contracts with audit rights, SLAs, and liability clauses.

Does your organisation maintain an inventory of all cloud services (IaaS, PaaS, SaaS) in use?

Shadow IT is a major blind spot. You cannot secure cloud services you do not know about.

• A No cloud inventory exists; SaaS use is uncontrolled.
• B Approved platforms are known but shadow SaaS is not tracked.
• C Documented cloud inventory reviewed quarterly.
• D CASB or cloud governance tool with automated discovery.

Does your organisation have controls to prevent cloud misconfiguration (e.g. public S3 buckets, exposed APIs)?

Misconfiguration is the number one cause of cloud data breaches. Automated checking is essential.

• A No controls — configuration is managed manually by engineers.
• B Manual reviews occur occasionally.
• C Cloud Security Posture Management (CSPM) alerts are active.
• D Policy-as-code with automated remediation and drift detection.

Does your organisation have physical access controls to secure areas containing sensitive IT infrastructure?

Physical access to servers or network equipment bypasses most digital security controls.

• A Server rooms are accessible to all staff.
• B Locked rooms but key management is informal.
• C Badge access with access logs for server rooms.
• D Multi-factor physical access, CCTV, and quarterly access reviews.

Is there a clean desk and screen lock policy in place and actively enforced?

Visible documents and unlocked screens are common sources of data leakage in shared offices.

• A No clean desk or screen lock policy.
• B A policy exists but compliance is not monitored.
• C Policy is enforced with automated screen timeouts.
• D Regular walk-around audits with management visibility.