16 QUESTIONS TO ASK CLIENTS IN A VULNERABILITY ASSESSMENT

To create a security plan, MSPs need to start by assessing their clients’ risk.

By working with clients to examine and inventory threats, vulnerabilities, and assets, MSPs can create an effective baseline to help determine the proper security policies and procedures to put into place.

First, you’ll need to discuss the following four threat profiles with your clients to help them pinpoint the threats they are most likely to experience.

1. Malicious Insider

Someone associated with your client’s organization who wants to create harm, such as a disgruntled employee or contractor.

2. Accidental Insider

A client’s employee or contractor who is poorly trained in security practices. Examples include an employee who uses a birthdate as a password, and shadow IT, in which a department (such as marketing) bypasses IT to set up its own Dropbox account with a shared password.

3. Malicious Outsider

A hacker or someone involved in industrial espionage. Per the Ponemon Institute, these are the most frequent types of threats SMBs face, and typically the most expensive.*

*Ponemon Institute. “2017 Cost of Data Breach Study.” (June 2017)

4. Natural Disasters

Companies with facilities on a flood plain, in a tornado zone, or in an area that is susceptible to wildfires or other natural disasters can be at risk of losing critical assets.

Once you’ve discussed threat types, it’s time to do the vulnerability assessment. After all, the best cybersecurity in the world won’t protect your clients if they don’t address existing vulnerabilities within their organizations.

Run through this 16-question checklist with your clients to determine which areas need attention, so you can help them build out a robust security plan.

1. Do you have a security plan in place? Who has access to it?

2. Does your organization have a resource dedicated to enforcing and maintaining security policies, such as a Chief Information Security Officer (CISO)?

3. Does your company have a bring-your-own-device (BYOD) policy?

4. Do you have a password policy for all company-issued devices? What about two-factor authentication?

5. Do you have account management and access controls in place?

6. Do you give employees and contractors only enough access to do their jobs (i.e., least privilege and “need to know”)?

7. Does your organization have session controls in place?

8. What security products do you already have (e.g., firewall, intrusion detection, encryption)?

9. How often do you review your audit logs?

10. Do you have antivirus protection? How often do you update it?

11. Do you perform regular backups? All data or only business-critical data? How often do you test your backups?

12. Have you applied all applicable security patches?

13. What are your policies for data segregation and encryption?

14. What method do you use to dispose of sensitive data, or of equipment that may have had sensitive data on it?

15. Where are your servers located? What access controls do they have?

16. Are your employees and contractors trained in security best practices?

Take the Next Step

Start a free 30-day, no-risk, no-software-conflict trial today to see the Webroot difference for yourself. Have other questions? Ask away.