16 QUESTIONS TO ASK CLIENTS IN A VULNERABILITY ASSESSMENT

What is a vulnerability assessment?

A vulnerability assessment is the process of defining, identifying, and prioritizing vulnerabilities in a given network infrastructure, computer system, set of applications, and so on. You then use this understanding to address or patch the vulnerabilities found and to build out a security plan so everyone knows what to do in the event of a cyberattack. Typically, you’ll use automated testing tools, e.g., a network or application security scanner, to begin identifying risks.

Why should I do a vulnerability assessment?

By working with clients to examine their risk, MSPs can create an effective baseline to help determine the proper security policies and procedures to put in place. Ultimately, this process helps reduce the likelihood that a cybercriminal will successfully breach your clients’ systems. The vulnerability assessment also helps you develop an appropriate disaster recovery plan to ensure your clients can get back up and running with minimal downtime or fallout, in the event that an attack does get through.

Where do I start?

First, you’ll need to discuss the following four threat profiles with your clients to help them pinpoint the threats they are most likely to experience.

1. Malicious Insider

Someone associated with your client’s organization who wants to create harm, such as a disgruntled employee or contractor.

2. Accidental Insider

A client’s employee or contractor who is poorly trained in security practices. Examples include an employee who uses his birthdate as a password, and shadow IT, in which a department (such as marketing) bypasses IT to set up their own Dropbox account with a shared password.

3. Malicious Outsider

A hacker or someone involved in industrial espionage. Per the Ponemon Institute, these are the most frequent types of threats SMBs face, and typically the most expensive.*

*Ponemon Institute. “2017 Cost of Data Breach Study.” (June 2017)

4. Natural Disasters

Companies with facilities on a flood plain, in a tornado zone, or in an area that is susceptible to wildfires or other natural disasters can be at risk for losing critical assets.

Once you’ve discussed threat types, it’s time to do the vulnerability assessment. After all, the best cybersecurity in the world won’t protect your clients if they don’t address existing vulnerabilities within their organizations.

What questions should I ask my clients in a vulnerability assessment?

Run through this 16-question checklist with your clients to determine which areas need attention, so you can help them build out a robust security plan.

1. Do you have a security plan in place? Who has access to it?

2. Does your organization have a resource dedicated to enforcing and maintaining security policies, such as a Chief Information Security Officer (CISO)?

3. Does your company have a bring-your-own-device (BYOD) policy?

4. Do you have a password policy for all company-issued devices? What about two-factor authentication?

5. Do you have account management and access controls in place?

6. Do you give employees and contractors only enough access to do their jobs (i.e., least privilege and need-to-know)?

7. Does your organization have session controls in place?

8. What security products do you already have (e.g., firewall, intrusion detection, encryption)?

9. How often do you review your audit logs?

10. Do you have antivirus protection? How often do you update it?

11. Do you perform regular backups? All data, or only business-critical data? How often do you test your backups?

12. Have you applied all applicable security patches?

13. What are your policies for data segregation and encryption?

14. What method do you use to dispose of sensitive data, or of equipment that may have held sensitive data?

15. Where are your servers located? What access controls do they have?

16. Are your employees and contractors trained in security best practices?