Will your cyber security plan meet your insurer's requirements?

Do you use multi-factor authentication?

Do all of your users follow this critical security control, verifying their identity with more than one factor when logging in to email, VPN , and critical system access?

Do you regularly test your incident response plan?

When is the last time your organization thought out--and documented-- a plan for how to identify, respond, and recover from a cyber security incident. Do you regularly test it?

Can your employees access their remote desktops from the public internet?

Do you require a VPN, remote access gateway, or networking filtering device to your internal network?

Is your data protected with air-gapped and encrypted backups?

Are you encrypting your data and storing it in a truly immutable, air-gapped environment, physically isolated from your network?

Have you removed end-of life and end-of-support devices and software?

What processes and protections do you have in place to make sure that legacy systems or hardware that are no longer addressed by security patches are no longer in use?

Have you implemented advance endpoint detection and response (EDR) solutions on all endpoints and servers?

Are you using EDR solutions with machine learning that identifies and blocks ransomware and malware, mitigating threats that haven't even been identified yet?

Do you have logging enabled for all systems, software, and perimeter devices?

Have you configured your capability to generate logs and send them to a centralized platform or SIEM solution so you can identify the threat and analyze what happened?

Are you carrying out regular employee awareness trainings and phishing simulations?

What tools are you using to educate your staff about the latest real-world risks of phishing and social engineering attacks?

Do you have an updated patch management program?

What policies and mechanisms do you have in place to make sure software updates are taken care of promptly? Can you prioritize risk when new exploits are released?

Have you secured your passwords and adopted least privilege access for employees?

Do staff use a password manager to with MFA to generate and store strong, unique passwords? Are employees limited to access only the systems and applications they need for day-to-day responsibilities?