In many companies, IT security lags behind the state of the art. Usually even by several years.

In our experience, one reason is that users, including companies, are often simply sold supposed solutions without the underlying questions being answered or even defined.

Unfortunately, this also applies to some external IT service providers, who can sell their customers hardware and software packages without having to demonstrate their relevance.

Usually they do not have to fear critical questions. We want to change that, in the interest of better IT security.

Here we have compiled ten questions that companies should have answered by their internal or external IT service provider.

1. Do you follow the 3-2-1 rule for backups?

Loss of data can leave a company unable to act and even ruin it. It does not matter why the data can no longer be retrieved. The 3-2-1 rule always keeps three copies of the data: two on different media (e.g. tape and hard disk in the same system) and one in an external system, e.g. in the cloud or on a server at another location. This way you always have at least one backup to fall back on. To be on the safe side, your IT administration should know, apply and document this rule. It is also very important that a backup is not created only every 14 days or once a month: in the worst case you lose 13 or even 30 days of data. Here, too, a short question is worthwhile.
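As an added illustration (not code from the original article), the following Python script checks a backup inventory against the 3-2-1 rule and against the freshness point made above. The inventory records, the site name HQ and the one-day freshness limit are constructed assumptions; in practice the records would be pulled from the backup software's job history.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    """One stored copy of a backup set (constructed inventory record)."""
    dataset: str
    media: str          # "disk", "tape", "cloud", ...
    location: str       # site where this copy is physically stored
    completed: datetime


# Constructed sample inventory. "HQ" is assumed to be the site where the
# production systems run, so a copy stored there does not count as off-site.
PRIMARY_SITE = "HQ"
AS_OF = datetime(2024, 5, 1, 12, 0)   # assumed time of the check
INVENTORY = [
    BackupCopy("fileserver", "disk", "HQ", datetime(2024, 5, 1, 2, 0)),
    BackupCopy("fileserver", "tape", "HQ", datetime(2024, 5, 1, 3, 0)),
    BackupCopy("fileserver", "cloud", "cloud-eu", datetime(2024, 5, 1, 4, 0)),
    # erp-db is written to a single disk every 14 days and never leaves HQ.
    BackupCopy("erp-db", "disk", "HQ", datetime(2024, 4, 3, 2, 0)),
    BackupCopy("erp-db", "disk", "HQ", datetime(2024, 4, 17, 2, 0)),
]


def check_321(copies, primary_site, now, max_age_days=1):
    """Evaluate each dataset against the 3-2-1 rule and a freshness limit.

    Returns {dataset: {"findings": [...], "newest_age_days": int}}; the
    findings list is empty for a compliant dataset.
    """
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)

    report = {}
    for name, cs in sorted(by_dataset.items()):
        findings = []
        if len(cs) < 3:
            findings.append("too_few_copies")        # "3": three copies
        if len({c.media for c in cs}) < 2:
            findings.append("single_media_type")     # "2": two different media
        if not any(c.location != primary_site for c in cs):
            findings.append("no_offsite_copy")       # "1": one copy elsewhere
        age = now - max(c.completed for c in cs)
        if age > timedelta(days=max_age_days):
            findings.append("stale")                 # worst case: `age` of data lost
        report[name] = {"findings": findings, "newest_age_days": age.days}
    return report


def backup_example_report():
    """Run the check over the constructed inventory."""
    return check_321(INVENTORY, PRIMARY_SITE, AS_OF)


if __name__ == "__main__":
    for dataset, result in backup_example_report().items():
        status = "OK" if not result["findings"] else ", ".join(result["findings"])
        print(f"{dataset}: newest copy {result['newest_age_days']} days old -> {status}")
```

The age of the newest copy is also the amount of data you would lose if the primary system failed right now; the erp-db dataset in the sample shows the 14-day case described above, and additionally fails all three parts of the rule.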

2. Which anti-virus solution do you use — and is it centrally monitored?

  • Do you have a professional antivirus solution installed on your clients, servers and mobile devices?
  • Are the messages of the software monitored or evaluated centrally and daily?

3. Firewall

  • Does your company have a professional UTM firewall?
  • Are there real rule or filter sets or is the rule just “any out”?
  • Who takes care of the firmware updates regularly and verifiably?
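The "any out" question can be checked mechanically. The following Python audit is an added example, not code from the original article or from any firewall vendor: it models rules in a simplified, constructed format (real UTM appliances each have their own syntax and export formats) and reports unrestricted outbound allow rules, rules that can never match because an "any out" rule precedes them, and whether a reachable default deny closes the outbound set. The two rule sets are constructed samples, a weak one beside a hardened one; the addresses in them are assumptions.

```python
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a simplified, constructed format (not a vendor syntax)."""
    name: str
    direction: str   # "in" or "out"
    src: str         # CIDR, host address or "any"
    dst: str
    proto: str       # "tcp", "udp" or "any"
    dport: str       # port number, range text or "any"
    action: str      # "allow" or "deny"


def matches_everything(rule):
    """True if the rule restricts neither source, destination, protocol nor port."""
    return rule.src == ANY and rule.dst == ANY and rule.proto == ANY and rule.dport == ANY


def audit_egress(rules):
    """Review the outbound rules in evaluation order (first match wins).

    Returns a dict with
      any_out      - names of unrestricted outbound allow rules ("any out")
      shadowed     - outbound rules after the first "any out" rule; they can
                     never match because all traffic is already allowed
      default_deny - True if a reachable deny-all rule closes the outbound set
    """
    outbound = [r for r in rules if r.direction == "out"]
    any_out, shadowed = [], []
    for r in outbound:
        if any_out:
            shadowed.append(r.name)
        elif r.action == "allow" and matches_everything(r):
            any_out.append(r.name)
    last = outbound[-1] if outbound else None
    default_deny = bool(last and last.action == "deny" and matches_everything(last)
                        and last.name not in shadowed)
    return {"any_out": any_out, "shadowed": shadowed, "default_deny": default_deny}


# Constructed weak rule set: everything may leave the network, and the deny
# rule behind the "any out" rule is dead.
WEAK_RULES = [
    Rule("allow-any-out", "out", ANY, ANY, ANY, ANY, "allow"),
    Rule("deny-all-out", "out", ANY, ANY, ANY, ANY, "deny"),
]

# Constructed hardened rule set: only named services from named sources
# (office network 10.10.0.0/16, internal resolver/NTP host 10.10.0.53,
# mail server 10.10.0.25); everything else is explicitly denied.
HARDENED_RULES = [
    Rule("dns-out", "out", "10.10.0.0/16", "10.10.0.53", "udp", "53", "allow"),
    Rule("ntp-out", "out", "10.10.0.0/16", "10.10.0.53", "udp", "123", "allow"),
    Rule("web-out", "out", "10.10.0.0/16", ANY, "tcp", "443", "allow"),
    Rule("smtp-out", "out", "10.10.0.25", ANY, "tcp", "587", "allow"),
    Rule("deny-all-out", "out", ANY, ANY, ANY, ANY, "deny"),
    Rule("deny-all-in", "in", ANY, ANY, ANY, ANY, "deny"),
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit_egress(rules))
```

A rule set that passes this audit is not automatically good, but one that fails it answers the second bullet above with "no": an "any out" rule makes every rule after it decoration.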

4. Network separation

Do you consistently implement network separation or network segmentation? This means, for example:
  • Are office IT and production IT separated from each other?
  • Does the production IT have permanent interfaces to other networks connected to the Internet? Is it even directly connected to the internet? If yes, why?
  • Are your PCs / notebooks, servers, telephones, printers and above all the management interfaces of all devices separated into their own subnets?

5. Administrative rights

  • Are there users who work with local administrator rights? If yes, why? Are these users particularly sensitive?
  • Is it ensured that accounts with domain administrator rights are not used to log on to users' PCs for support purposes?
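Both questions above can be answered from data the domain already produces. The following Python snippet is an added example, not code from the original article: it compares the local Administrators membership of each PC against a documented exception list, and scans successful logon records (modelled on the fields of Windows event 4624) for domain administrators logging on interactively to ordinary workstations. The group memberships, host names, account names and events are constructed sample data; the logon type numbers (2 console, 10 RDP, 11 cached) are the standard Windows values.

```python
from dataclasses import dataclass

# Constructed directory data: privileged group members and the hosts that
# are ordinary user workstations. Domain and host names are placeholders.
DOMAIN_ADMINS = {"CORP\\da-mueller", "CORP\\da-schmidt"}
WORKSTATIONS = {"WS-0042", "WS-0043", "NB-0107"}

# Constructed local Administrators membership per workstation (first bullet).
LOCAL_ADMINS = {
    "WS-0042": {"WS-0042\\Administrator", "CORP\\helpdesk-admins"},
    "WS-0043": {"WS-0043\\Administrator", "CORP\\j.meier"},      # an ordinary user
    "NB-0107": {"NB-0107\\Administrator", "CORP\\helpdesk-admins", "CORP\\a.weber"},
}
APPROVED_LOCAL_ADMINS = {"CORP\\helpdesk-admins"}   # documented exception

# Windows logon types that put credentials on the machine interactively:
# 2 = console, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


@dataclass(frozen=True)
class LogonEvent:
    """Fields of one successful logon (modelled on event 4624; constructed)."""
    computer: str
    account: str
    logon_type: int
    time: str


# Constructed sample events.
EVENTS = [
    LogonEvent("DC01", "CORP\\da-mueller", 2, "2024-05-02T08:01:12Z"),
    LogonEvent("WS-0042", "CORP\\j.meier", 2, "2024-05-02T08:03:40Z"),
    LogonEvent("WS-0043", "CORP\\da-schmidt", 10, "2024-05-02T09:17:05Z"),  # DA via RDP to a user PC
    LogonEvent("WS-0043", "CORP\\da-schmidt", 3, "2024-05-02T09:17:06Z"),   # network logon, not interactive
    LogonEvent("NB-0107", "CORP\\a.weber", 2, "2024-05-02T10:22:51Z"),
]


def unexpected_local_admins(local_admins, approved):
    """Return {host: sorted principals} holding local admin rights without
    being the built-in account or a documented exception."""
    result = {}
    for host, members in local_admins.items():
        extra = sorted(m for m in members
                       if m != f"{host}\\Administrator" and m not in approved)
        if extra:
            result[host] = extra
    return result


def domain_admin_logons_on_workstations(events, domain_admins, workstations):
    """Return events where a domain admin logged on interactively to a workstation."""
    return [e for e in events
            if e.account in domain_admins
            and e.computer in workstations
            and e.logon_type in INTERACTIVE_LOGON_TYPES]


if __name__ == "__main__":
    for host, who in unexpected_local_admins(LOCAL_ADMINS, APPROVED_LOCAL_ADMINS).items():
        print(f"{host}: undocumented local admins {who}")
    for e in domain_admin_logons_on_workstations(EVENTS, DOMAIN_ADMINS, WORKSTATIONS):
        print(f"{e.time} {e.account} logged on to {e.computer} (type {e.logon_type})")
```

The network logon (type 3) on WS-0043 is deliberately not flagged: it is what a file share access looks like and does not leave reusable credentials on the PC, which is the risk the second bullet is about.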

6. Documentation

Do you have access to detailed and, above all, up-to-date documentation of your IT environment? This includes a list of all software licences, service contract terms and care packs, an overview of the network and the VLAN configuration on the switches, etc. And is there a copy of it outside the building?

7. Passwords/Two-factor authentication

  • Does your company have a password policy?
  • Is two-factor authentication enabled for as many important services and applications as possible?
  • Are you using Microsoft LAPS?
  • Are passwords stored in a password safe (e.g. KeePass, Passwordstate)?
  • As a managing director, do you theoretically have access to at least one domain administrator password?

8. Updates / Monitoring

  • Are the operating systems and standard software of your PCs and servers rolled out centrally and is the patch status regularly monitored?
  • Is the firmware of your switches, printers, routers, WLAN environment, etc. verifiably updated regularly?
  • Are the active components in your network permanently monitored for errors? Do you have access to a general overview?
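The following Python report is an added example, not code from the original article: given a constructed device inventory with the installed patch level or firmware version and the date of the last verifiable update, it flags devices that are behind a per-type baseline or have not been updated within an age limit, and produces the per-type overview the last bullet asks for. The baselines, age limits, version strings and device names are assumptions; a real run would read them from the patch management and network monitoring systems.

```python
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    """One managed device (constructed inventory record)."""
    name: str
    kind: str          # "server", "pc", "switch", "printer", ...
    version: str       # installed OS patch level or firmware version
    last_update: date  # date of the last verifiable update


def version_key(version):
    """Turn '16.12.4' or '2024-04' into a tuple that compares numerically."""
    return tuple(int(part) for part in re.split(r"[.-]", version))


def patch_report(devices, baseline, max_age_days, today):
    """Flag devices behind the baseline or not updated within the age limit.

    Returns {"findings": {device: [codes]},
             "summary": {kind: {"total": n, "noncompliant": m}}}.
    """
    findings, summary = {}, {}
    for d in devices:
        codes = []
        if d.kind in baseline and version_key(d.version) < version_key(baseline[d.kind]):
            codes.append("behind_baseline")
        if (today - d.last_update).days > max_age_days.get(d.kind, 30):
            codes.append("stale")
        if codes:
            findings[d.name] = codes
        bucket = summary.setdefault(d.kind, {"total": 0, "noncompliant": 0})
        bucket["total"] += 1
        if codes:
            bucket["noncompliant"] += 1
    return {"findings": findings, "summary": summary}


# Constructed baseline: the patch level / firmware every device of a type
# should be on, and how many days between verifiable updates are tolerated.
BASELINE = {"server": "2024-04", "pc": "2024-04", "switch": "16.12.4", "printer": "2.81.1"}
MAX_AGE_DAYS = {"server": 30, "pc": 30, "switch": 90, "printer": 90}
AS_OF = date(2024, 5, 2)   # assumed date of the check

# Constructed inventory.
DEVICES = [
    Device("SRV-FILE01", "server", "2024-04", date(2024, 4, 20)),
    Device("PC-0042", "pc", "2024-04", date(2024, 4, 22)),
    Device("PC-0043", "pc", "2023-11", date(2023, 11, 15)),   # missed the central rollout
    Device("SW-CORE01", "switch", "16.12.4", date(2024, 2, 10)),
    Device("SW-FLOOR2", "switch", "16.9.1", date(2022, 8, 3)),  # firmware never touched
    Device("PRN-LOBBY", "printer", "2.81.1", date(2024, 3, 1)),
]


def patch_example_report():
    """Run the report over the constructed inventory."""
    return patch_report(DEVICES, BASELINE, MAX_AGE_DAYS, AS_OF)


if __name__ == "__main__":
    r = patch_example_report()
    for name, codes in r["findings"].items():
        print(f"{name}: {', '.join(codes)}")
    for kind, counts in r["summary"].items():
        print(f"{kind}: {counts['noncompliant']} of {counts['total']} non-compliant")
```

The version comparison is deliberately numeric and dotted-only; vendors that use letters or build strings in firmware versions need a parser of their own, and that is exactly the kind of detail a provider should be able to show you in their monitoring.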

9. External hard drives/USB sticks/Encryption

  • Are USB sticks and external hard disks generally forbidden or do only certain selected devices work?
  • Are the hard drives of your mobile devices (laptops, smartphones, tablets) encrypted? This is particularly important in view of the GDPR's data breach reporting obligation!

10. Emergency plans

Do IT emergency plans exist in your company? For example, what should be done after a power failure?

If you have considered and implemented these points, the security level of your IT should already be relatively high. If you also bear in mind that IT security is not a one-time purchase but an ongoing process, you and your company are on the right path to greater security. If you have any questions about the topic, please do not hesitate to contact us!