IT security is a broad topic, and many businesses have a number of different measures in place to protect themselves as best they can against the wide variety of threats they face online. If you had to audit or assess your own or your company's current security position, where would you begin to look? How do you measure such a thing?

Being able to improve your security position first requires knowing where you are right now. While there are formal frameworks and plans for auditing an IT environment, it is often very useful to have some rules of thumb to start with, as these give you a good indication of how the rest of the environment looks.

So if you are looking at your IT systems and wondering how you would begin to assess them, here are five measures you can use. Rate your current setup against these and you will have a pretty good picture of where things stand overall.

Do staff have Admin level privileges on their laptops?

If everyone in your business has Administrator privileges on their computer, they can install anything they want on their machines. If a laptop gets infected, an attacker can likewise install anything they want, and use that foothold to probe further into your company network. Giving people Normal User rights is one of the fundamental things you can do to limit and prevent attacks on your business.

Further steps to take are encrypting the laptop's hard drive, to prevent the loss of company data if the laptop is stolen, and keeping the anti-virus subscription up to date so that it is aware of and can recognise the latest threats.
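To turn the first question into something you can actually measure, here is a small added audit script (not from the original article) that lists which accounts hold admin-level rights and flags any that are not on an approved list. It reads Linux/macOS-style /etc/group text; the group names in PRIVILEGED_GROUPS, the approved-admin list and the sample group file are all constructed for the demonstration. On Windows laptops the equivalent check is membership of the local Administrators group.

```python
"""Audit which local accounts hold admin-level rights.

Parses /etc/group-format text (name:password:gid:member,member,...),
reports every account in a privileged group, and flags the ones that are
not on the approved administrator list.
"""

# Groups that confer admin-level rights on common Linux/macOS builds
# (assumed set; adjust for your own estate).
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "admin"}


def parse_group_file(text):
    """Parse /etc/group-style text into {group_name: set(members)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess
        name, members = fields[0], fields[3]
        groups[name] = {m for m in members.split(",") if m}
    return groups


def admin_accounts(groups, privileged=PRIVILEGED_GROUPS):
    """Return {account: set(privileged groups it belongs to)}."""
    result = {}
    for group, members in groups.items():
        if group in privileged:
            for member in members:
                result.setdefault(member, set()).add(group)
    return result


def unexpected_admins(groups, approved, privileged=PRIVILEGED_GROUPS):
    """Accounts with admin rights that are not on the approved list."""
    return {
        acct: grps
        for acct, grps in admin_accounts(groups, privileged).items()
        if acct not in approved
    }


# Constructed sample group file for demonstration (not from a real host).
SAMPLE_GROUP_FILE = """\
root:x:0:
wheel:x:10:itadmin,alice
sudo:x:27:itadmin,bob
staff:x:50:alice,bob,carol
admin:x:80:
"""

# Constructed allow-list: only the IT support account should be an admin.
APPROVED_ADMINS = {"itadmin"}

if __name__ == "__main__":
    groups = parse_group_file(SAMPLE_GROUP_FILE)
    for acct, grps in sorted(unexpected_admins(groups, APPROVED_ADMINS).items()):
        print(f"{acct}: admin rights via {', '.join(sorted(grps))}")
```

Run against the real group file of each laptop (for example by feeding in the output of `getent group`) and the count of unexpected admins becomes a number you can track month to month; zero is the target.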

Do you run regular test restores of your backups?

Everybody takes backups, in the hope that they will never need them. It has been found, though, that up to 53% of backups fail when you go to restore them. This is not something you want to discover in the middle of a crisis.

Have a schedule where every month you restore part of your backups, whether a database, some files, photos, etc., and test that you can access, open or read the data.
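A monthly test restore is easy to automate once each backup carries a hash manifest. The following is an added example, not code from the original article: it builds a small tar.gz backup in memory together with a SHA-256 manifest, restores it into scratch space, and reports which files came back intact, which are missing and which are corrupt. The sample files, the manifest format and the function names are all constructed for the demonstration; a real job would point the same verification at last night's archive.

```python
"""Automated test restore: unpack a backup archive to scratch space and
verify every file against the SHA-256 manifest recorded when it was taken.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(files):
    """Build a tar.gz archive in memory plus a manifest {path: sha256}.

    `files` maps a relative path to its bytes. Returns (archive_bytes, manifest).
    """
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, data in sorted(files.items()):
            info = tarfile.TarInfo(name=rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[rel] = sha256_bytes(data)
    return buf.getvalue(), manifest


def _safe_members(tar):
    """Yield only regular-file members whose path stays inside the target dir."""
    for member in tar.getmembers():
        parts = Path(member.name).parts
        if member.name.startswith("/") or ".." in parts or not member.isfile():
            continue  # anything that could escape the scratch directory is skipped
        yield member


def verify_restore(archive_bytes, manifest):
    """Restore into a temporary directory and check every file in the manifest.

    Returns {"ok": [...], "missing": [...], "corrupt": [...]}. The scratch
    directory is deleted afterwards, so the test never touches live data.
    """
    report = {"ok": [], "missing": [], "corrupt": []}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
            for member in _safe_members(tar):
                dest = root / member.name
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(tar.extractfile(member).read())
        for rel, expected in manifest.items():
            target = root / rel
            if not target.is_file():
                report["missing"].append(rel)
            elif sha256_bytes(target.read_bytes()) != expected:
                report["corrupt"].append(rel)
            else:
                report["ok"].append(rel)
    return report


def restore_succeeded(report):
    """A test restore passes only when nothing is missing or corrupt."""
    return not report["missing"] and not report["corrupt"]


# Constructed sample backup contents (not real company data).
SAMPLE_FILES = {
    "db/accounts.sqlite": b"sqlite sample contents",
    "photos/office.jpg": b"\xff\xd8 fake jpeg bytes",
}

if __name__ == "__main__":
    archive, manifest = make_backup(SAMPLE_FILES)
    report = verify_restore(archive, manifest)
    print("restore ok" if restore_succeeded(report) else f"restore FAILED: {report}")
```

Keep the manifest separate from the archive (for example alongside the backup catalogue) so a corrupted or truncated archive cannot also corrupt the record it is checked against, and log the report from each monthly run; a growing "corrupt" list is the early warning that the 53% statistic is about to apply to you.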

Do you conduct security awareness training with your staff?

Your staff are your strongest security asset and your first pillar of defence against cyber attack. All the technology in the world cannot replace human intuition and instinct, once people know what to look out for. Providing regular security awareness training helps everyone understand what online risks the business faces, how to recognise threats such as phishing emails, and what actions to take. It sets the expectations for what the business requires when protecting data and assets, and supports staff in going about their daily work securely.

Do you have a plan for what to do when things go wrong?

Business Continuity and Disaster Recovery planning is essential to knowing what to do in the middle of an event. If you suffer a ransomware attack, or your servers and data get wiped, or a major storm takes the power down for a few days, planning in advance makes it much easier to handle the situation and know what to do next.

What are the likely scenarios and threats your business faces? Who are your major service providers? What are the relevant contact details for them? Who needs to be consulted for each scenario? What process should be followed for dealing with each scenario?

Having a response and recovery plan minimises downtime and helps you get through the storm in a more orderly and controlled manner.

Do you have cyber insurance?

Even with the best efforts, it is never possible to be 100% secure against cyber attack. There is a lot you can do to protect yourself, but you cannot truly prevent an attack. There is always the possibility that a brand new vulnerability will be disclosed tomorrow which affects you, and that an attacker exploits it before you get to update. So everything we do in cyber security is to reduce the risk of attack, while realising that you can never truly eliminate it. What remains is known as residual risk: the level of risk you are exposed to even after taking all the steps you reasonably can to protect yourself.

With residual risk, you can either accept it or take out cyber insurance to cover the cost of something happening. Insurers will want to know what steps you have taken to protect yourself and will price the policy accordingly, but it is worth considering if there are aspects of your business you are not able to secure sufficiently, or you are not comfortable with the level of residual risk that remains.