Top 10 cybersecurity questions to ask your IT department

Should you be worried that your organisation may be the next victim of a cyberattack? Absolutely. 

From Australian National University (ANU) to Australian Catholic University (ACU), Westpac to P&N Bank, Landmark White to Canva, organisations across all industries, regardless of size, are susceptible to a cyberattack.  

Cybersecurity needs to be tackled head-on across all teams in your organisation, something achieved through the cultivation of a strong security-focused culture. 

This includes regular and frequent conversations with your IT and info-security leaders on their understanding of the current cyber threat landscape, your organisation’s level of preparedness to meet these threats, the framework you need to adopt to ensure you have the right policy settings, as well as up-to-date cybersecurity staff awareness training. 

Below are ten questions you need to ask your internal IT department or external service provider (MSP) to establish your company’s readiness in the face of an attack: 

  1. Is shadow IT (unsanctioned device/application use) a security threat to your organisation, and if so, what are you doing to address the situation?

    Shadow IT is an information technology (IT) practice performed outside of, and without the knowledge of, the IT department and occurs when your employees circumvent procedures to use unapproved services and software.  
    There is little or no visibility and control over such practices, and they create numerous weak spots that hackers could use to compromise a system.  
    To minimise these practices, you should encourage an open-door policy, prioritise end-user experience, focus on behaviour instead of applications, gain a greater understanding of how apps are being used, and provide your staff with the latest apps/tools to enable them to perform their work.  
    Red Piranha’s Contracted Chief Information Security Officer (CCISO) service provides practical guidance to help you build your framework and strategies at a fraction of the market rate.  

  2. Are you in compliance with the relevant industry standards? 

    There are many industry standards and regulatory frameworks in Australia. CPS 234, for example, is a Prudential Standard for APRA-regulated entities. The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative to endorse suitably qualified ICT professionals.  

    There is also the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which together developed the ISO/IEC 27000 series of information security management system standards, designed to help any entity, regardless of size, keep its information systems and data secure.

  3. What is your patch management strategy?  

    One of the critical responsibilities of the internal IT team, or an external service provider (MSP), is to ensure that your business is running the most up-to-date software available.  

    The responsibility sits with them to ensure regular patching or updates of software occurs, and that products don’t exceed ‘end of life’ (think Windows 7).  

    For example, Microsoft no longer provides updates for Windows 7, so an organisation still running it is at risk and would be a prime target for easy access. 

  4. What firewall do you currently use? 

    Does it incorporate the latest in threat detection and prevention technologies? 

  5. What antivirus software do you use?   

    Request regular reports on all desktops, laptops and servers to establish if there are machines that do not have an antivirus installed. If they do, are the definition files up to date? 
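The report review described above can be automated once the inventory is exported. The following is an added example, not Red Piranha’s code or tooling: it reads a constructed CSV export (hostname, role, whether antivirus is installed, and the date the definition files were last updated) and lists the machines with no antivirus and those whose definitions are older than a policy threshold. The column names and the three-day threshold are assumptions for the illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory export (not real data); one row per endpoint.
# An empty definitions_updated field means the agent never reported a date.
SAMPLE_REPORT = """\
hostname,role,av_installed,definitions_updated
fin-lt-01,laptop,yes,2020-02-23
fin-lt-02,laptop,yes,2020-01-30
hr-dt-07,desktop,no,
file-srv-01,server,yes,2020-02-24
"""

# Hypothetical policy: definitions older than this many days are "stale".
MAX_DEFINITION_AGE_DAYS = 3


def check_av_report(report_text, as_of, max_age_days=MAX_DEFINITION_AGE_DAYS):
    """Return the hosts with no antivirus and the hosts with stale definitions.

    `as_of` is the date the report is being reviewed; stale entries are
    (hostname, age_in_days), with age None when no update date was reported.
    """
    missing, stale = [], []
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["av_installed"].strip().lower() != "yes":
            missing.append(row["hostname"])
            continue
        updated = row["definitions_updated"].strip()
        if not updated:
            stale.append((row["hostname"], None))
            continue
        age = (as_of - date.fromisoformat(updated)).days
        if age > max_age_days:
            stale.append((row["hostname"], age))
    return {"missing": missing, "stale": stale}


if __name__ == "__main__":
    result = check_av_report(SAMPLE_REPORT, as_of=date(2020, 2, 24))
    for host in result["missing"]:
        print(f"NO ANTIVIRUS: {host}")
    for host, age in result["stale"]:
        print(f"STALE DEFINITIONS: {host} ({'never reported' if age is None else f'{age} days old'})")
```

Run against the constructed report as of 24 February 2020, it flags hr-dt-07 for having no antivirus and fin-lt-02 for definitions 25 days old; the other two hosts pass.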

  6. When was cybersecurity awareness training last conducted in your organisation?

    Technology can assist to safeguard your environment to a certain degree; however, social engineering, often in the form of spear-phishing campaigns, is used to create breaches.

    Often these are tailored to a specific organisation or industry which makes detection particularly tricky.

    The best prevention is education, and Red Piranha’s cybersecurity awareness program ensures that your staff are well-equipped to identify potential threats. 

  7. What is your backup and recovery plan?  

    Should you find yourself having suffered a breach or becoming the victim of ransomware, can your files be easily retrieved and restored from backup?

    How long would it take to get these files to be operational?

  8. Who has access to your systems?  

    VPNs, SSH and Remote Desktop are the tools of choice for external parties to manage networks; how are login attempts, location and activity monitored? 
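One concrete answer to the monitoring question is a review of the remote-access logs. The following is an added example, not Red Piranha’s code: it parses a handful of constructed OpenSSH `auth.log` lines, counts failed logins per source address to surface password-guessing, and flags any successful login that arrives from outside the address ranges the service provider is expected to use or that used a password rather than a key. The sample lines, the `203.0.113.0/24` allowlist and the five-attempt threshold are assumptions for the illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in OpenSSH auth.log format (not real data).
SAMPLE_LOG = """\
Feb 24 09:01:12 gw sshd[2301]: Failed password for invalid user admin from 198.51.100.23 port 51012 ssh2
Feb 24 09:01:13 gw sshd[2301]: Failed password for invalid user admin from 198.51.100.23 port 51013 ssh2
Feb 24 09:01:14 gw sshd[2303]: Failed password for root from 198.51.100.23 port 51014 ssh2
Feb 24 09:01:15 gw sshd[2305]: Failed password for root from 198.51.100.23 port 51015 ssh2
Feb 24 09:01:16 gw sshd[2307]: Failed password for root from 198.51.100.23 port 51016 ssh2
Feb 24 09:05:40 gw sshd[2310]: Accepted publickey for msp-ops from 203.0.113.7 port 40022 ssh2
Feb 24 22:47:03 gw sshd[2412]: Accepted password for msp-ops from 192.0.2.88 port 40910 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+)\s+(?P<time>[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Hypothetical allowlist: networks the managed service provider connects from.
EXPECTED_SOURCES = [ip_network("203.0.113.0/24")]
FAILED_THRESHOLD = 5  # failed attempts from one address before it is reported


def parse(log_text):
    """Return one dict per recognised sshd login line; other lines are skipped."""
    return [m.groupdict() for line in log_text.splitlines() if (m := LINE_RE.match(line))]


def review_logins(log_text, expected=EXPECTED_SOURCES, threshold=FAILED_THRESHOLD):
    """Return findings as (kind, source_ip, detail) tuples."""
    events = parse(log_text)
    findings = []

    # Repeated failures from one address: password guessing against the gateway.
    failed = Counter(e["ip"] for e in events if e["result"] == "Failed")
    for ip, count in failed.items():
        if count >= threshold:
            findings.append(("brute_force", ip, count))

    # Successful logins deserve the closest look: where from, and how.
    for e in events:
        if e["result"] != "Accepted":
            continue
        if not any(ip_address(e["ip"]) in net for net in expected):
            findings.append(("unexpected_source", e["ip"], e["user"]))
        if e["method"] == "password":
            findings.append(("password_auth", e["ip"], e["user"]))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in review_logins(SAMPLE_LOG):
        print(f"{kind:18} {ip:16} {detail}")
```

On the constructed log this reports three findings: five failed attempts from 198.51.100.23, and a successful login for `msp-ops` from 192.0.2.88 that is both outside the expected range and password-based. The key-based login from 203.0.113.7 is not reported. The same structure extends to VPN and Remote Desktop logs once a matching line pattern is supplied.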

  9. What is your password policy?  

    Are your passwords reused elsewhere? 
    How often are passwords enforced to be changed?
    What is the uniqueness of passwords between changes?

    A “complex password” policy must be deployed and implemented company-wide; a multi-factor authentication policy is also highly recommended.    

  10. Do you know how to respond in a cybersecurity emergency? 

    How prepared are you to respond to a cyber breach? What are your current detection and reporting capabilities?

    Do you have the capacity to triage and analyse the potential threats quickly? How capable are you in containment and neutralisation? What are the post-incident activities? 

    The real benefits of Red Piranha’s Virtual CISO or Contracted CISO services come into full effect when a security incident is suspected. Whether internal employee misconduct, sabotage, intrusions, breaches to security by cyber-criminals, hostage situations with ransomware or other crisis handling needs – we can intervene and manage the situation to ensure minimal damage and maximum protection. 


Contact Red Piranha today for a confidential discussion on how we could help you to maximise your cybersecurity posture.  

Monday, February 24, 2020 By rayah.medina