In many companies, IT security lags behind the state of the art, usually by several years.
In our experience, one reason is that users, including companies, are often simply sold alleged solutions without the underlying questions being answered or even defined.
Unfortunately, this also applies to some external IT service providers, who can sell their customers hardware and software packages without having to demonstrate their relevance.
Usually they do not have to fear critical questions. We want to change that, in the interest of improving IT security.
Here we have compiled ten questions that companies should have their internal or external IT service provider answer.
1. Do you follow the 3-2-1 rule for backups?
2. Which anti-virus solution do you use — and is it centrally monitored?
- Do you have a professional antivirus solution installed on your clients, servers and mobile devices?
- Are the alerts generated by the software monitored and evaluated centrally on a daily basis?
3. Firewall
- Does your company have a professional UTM firewall?
- Are there genuine rule or filter sets, or is the only rule “any out”?
- Who is responsible for regular, verifiable firmware updates?
4. Network separation
- Are office IT and production IT separated from each other?
- Does the production IT have permanent interfaces to other networks that are connected to the Internet? Is it even directly connected to the Internet? If yes, why?
- Are your PCs/notebooks, servers, telephones, printers and, above all, the management interfaces of all devices separated into their own subnets?
5. Administrative rights
- Are there users who work with local administrator rights? If yes, why? Are these users particularly security-aware?
- Is it ensured that accounts with domain administrator rights are not used to access users' PCs for support purposes?
6. Documentation
7. Passwords/Two-factor authentication
- Does your company have a password policy?
- Is two-factor authentication used for as many important services and applications as possible?
- Are you using Microsoft LAPS?
- Are passwords stored in a password safe (e.g. KeePass, Passwordstate)?
- As a managing director, do you in principle have access to at least one domain administrator password?
8. Updates / Monitoring
- Are updates for the operating systems and standard software of your PCs and servers rolled out centrally, and is the patch status regularly monitored?
- Is the firmware of your switches, printers, routers, WLAN environment, etc. updated regularly and verifiably?
- Are the active components in your network permanently monitored for errors? Do you have access to an overall status overview?
9. External hard drives/USB sticks/Encryption
- Are USB sticks and external hard disks generally prohibited, or can only certain approved devices be used?
- Are the hard drives of your mobile devices (laptops, smartphones, tablets) encrypted? This is particularly important given the notification obligation under the GDPR!