CYBER SECURITY SELF-ASSESSMENT

How safe/secure is your organisation? Is your organisation sufficiently protected against cyber attacks? What are the most important cyber risks of your organisation? And will your organisation be able to adequately respond in case of a cyber incident?

It takes about 10 minutes on average to respond to the 25 questions of this self-assessment and to determine the cyber security maturity level of your organisation. The result will immediately be sent to you by e-mail.

Disclaimer

The assessment data will of course be treated confidentially. If you wish, we can have a discussion on the results of the assessment afterwards. If you explicitly agree, these data will also be used anonymously for our cyber security survey, which will allow you to compare your organisation with similar organisations. In this case, you will receive the report within a couple of months by e-mail. If you have any questions on this cyber security assessment, feel free to contact us via ras@bdo.be. Please consult our BDO privacy policy.

What's your name?

Before we can start with the assessment, I need to know a bit more about your organisation.

What is the name of your organisation? *

What is your role within the organisation? *

How many employees work at your organisation? *
    1 to 49
    50 to 199
    200 to 499
    500 to 1999
    2000 to 4999
    5000 or more

Which category best defines your organisation's primary industry? *
    Construction
    Education and training
    Electricity, gas, water and waste services
    Financial and insurance services
    Health care and social assistance
    Information media and telecommunications
    Manufacturing
    Professional, scientific and technical services
    Public, non-profit
    Rental, hiring and real estate services
    Retail
    Transport, postal and warehousing
    Other

Thank you! I got all the basic info I need, let's start with the assessment.

Do you have a user administration process for new employees and leaving employees? *
    No
    Yes, but not documented
    A formally documented process

Are user privileges reviewed? *
    No
    Reviews are performed on an ad-hoc basis
    Only administrator accounts are reviewed
    All user privileges are monitored on a periodic basis

Are complex passwords enforced within the organisation? *
    No
    Less than 8 characters and no other requirements
    8 characters or more, special characters, upper and lower case, numbers and required change on a periodic basis
    Multi-factor authentication

Do employees, individuals or third parties have remote access to your network? *
    No
    Continuously without monitoring or tools
    Remote access tools to access the corporate network from outside
    Facilitated via VPN

Do you perform security awareness training? *
    No
    Only for new employees
    For all employees on a periodic basis
    Mandatory for all employees and management, periodically, with assessment of understanding

Are laptops of employees encrypted? *
    Unencrypted
    File encryption
    Hard drive encryption
    Full encryption and no data stored locally

Are backups stored remotely, and if so are they properly protected? *
    Not stored remotely
    Yes, but physically unsecured
    Yes, but unencrypted
    Yes, encrypted

Are patches installed on a timely basis? *
    Not monitored
    Patches are installed on an ad-hoc basis
    A formal patch management process is in place and covers servers, clients and security devices

Do you have a wireless corporate network? *
    Published SSID with weak password
    Published SSID with complex password
    Hidden SSID, complex password (+ additional measures)

Do you have a wireless guest network? *
    Yes
    Yes, fully isolated with no access to internal network
    No
    No, guests connect to our corporate network

Do you have security & privacy policies? *
    No
    On-the-shelf
    Approved by board, trained, signed by employees, enforced, ...

Do you have a security function within your organisation? *
    No
    Security functions within the technical/IT team
    Dedicated security team

Do you have an incident response and recovery plan? *
    No
    Our response team operates between business hours
    Our response team is 24/7 on stand-by with an immediate response when required

Do you have an anti-virus? *
    No
    Installed on employee computers
    Installed on all computers and servers
    Advanced end-point protection

Do you protect your environment with a firewall? *
    No
    Residential grade firewall
    Each network entry/exit point has a commercial grade firewall that is vendor supported
    Each network entry/exit point has a commercial grade firewall that is vendor supported and configurations are reviewed on a periodic basis

Do you perform internal vulnerability scans? *
    No
    Ad-hoc
    Internal vulnerability scans are running across all systems at least once a year
    Yearly penetration testing is performed

Well done! I'm calculating your cyber security maturity score. I would like to finish the assessment with some general questions on cyber security.

Was your organisation in the past year a victim of a cyber attack? *
    Yes
    No
    I don't know
    I'd rather not disclose this information

What kind of attack was performed?
    Social Engineering (phishing, invoice fraud, CEO fraud, ...)
    (Distributed) Denial of Service attack
    Exploitation of vulnerabilities
    Malware
    Ransomware
    Human error
    Data breach
    Brute force attack
    Physical security breach
    Theft of laptops or mobile devices
    Other

What was the cost related to the cyber incident (including spend on assistance from third party providers/services)?
    Do not know / would rather not say
    Less than €19,999
    €20,000 to €99,999
    €100,000 to €499,999
    €500,000 to €999,999
    €1 million to €5 million
    More than €5 million

Compared to this time last year, are you more or less confident in your organisation's ability to respond to a cyber security incident and recover from any associated negative impacts?
    More confident
    Less confident
    No difference in confidence level
    Do not know / would rather not say

Does your organisation have cyber insurance?
    No - we were not aware of this type of insurance
    No - we don't feel we need it
    No - we believe this risk is covered under other insurance policies we have
    No - we self-insure
    Not yet - we are considering it
    Yes - we have a standalone cyber policy
    Yes - we have this covered as an extension to another insurance policy
    Yes - but do not know how the policy was arranged
    Do not know / would rather not say

Is there anything else you wish to share or ask me?

You've reached the final step of the assessment. I will send you the results.

What e-mail address can I use?

Would you like to share your telephone number in case we would like to contact you about the assessment?

Can we include the results of this assessment in our overall cyber security study? Your data will be treated anonymously.
    Yes, I want to contribute to this study.

Can we contact you to discuss the results of the self-assessment?
    Yes, you can contact me to discuss my results.

Can I add you to the BDO Belgium mailing list? You're able to change this preference at any time.
    Yes, keep me informed about BDO events & services.

    I accept the BDO Privacy Statement.