Cybersecurity Assessment
This Cybersecurity Assessment and its related reports are meant for educational purposes only. Though your score may improve, it is not an indication of cybersecurity protection for your business.
Answer a few simple questions to receive a Cybersecurity Assessment Report, complete with recommendations based on your responses.
My business has clear password standards that are communicated to all employees.
password standards
Yes.
Sometimes.
No.
Perfect! It’s also great to include password standards in employee training.
Password standards mean your organization:
- creates a unique password for every application and device
- includes 14 to 20 characters, including upper- and lower-case letters, numbers and characters in passwords
- never reuses the same password on multiple accounts
- never shares passwords with others
- uses a trusted password manager application
- changes passwords if accounts are compromised
- uses two-factor authentication wherever possible
Always communicating and following password standards reduces your risk of a costly cyberbreach.
Not practicing savvy password standards puts your business at risk of cyberbreaches, which are costly and inconvenient. Start improving your practices now.
My business uses two-factor authentication (2FA), or multifactor authentication (MFA), wherever possible.
Two-Factor Authentication (2FA)
You’re in good company. Most banks, digital wallets and online accounts offer 2FA or MFA that can be set up in account security settings.
2FA is an extra layer of protection used to ensure the security of online accounts beyond username and password. This can include a text message sent to a mobile phone with a one-time code, or biometric authentication such as thumbprint or facial recognition on your mobile phone.
It’s to your advantage to always use 2FA or MFA to limit access to online accounts.
Start using 2FA or MFA today to put a stop to cybercriminals and their access to private information.
My team knows how to recognize and react appropriately to potential phishing attempts.
PHISHING
Stopping phishing before it starts means keeping your business, its data and its money safe. Cybercriminals are getting smarter, so keep updating your training to keep up on recognizing risks.
Phishing is the practice of sending fraudulent communications via email, text messages and phone calls that appear to come from a reputable source. The goal is to lure recipients into sharing sensitive data such as credit card, bank account, personal identifying information and login information, or to install harmful malware.
It’s time to get serious about phishing. These emails are getting more and more sophisticated and more and more detrimental to your business. Start the discussion with your team and start wiping out crime that comes from phishing.
Helping your team to recognize phishing attempts, knowing not to click on or react to phishing attempts, and deleting suspicious emails is a good start, but together we can do better.
My business has automated updates for our operating systems, software and applications, so updates are made on the same day they are released.
AUTOMATED UPDATES
Making sure your business assets are as secure as possible requires frequent updates. Installing them the day they are available is essential to repairing known security and programming issues to deter cybercriminals.
An update or patch is a code modification that corrects security and/or functionality problems in operating systems, software and applications.
You can get started today and protect your business's digital assets. Setting up automated updates ensures that updates are launched when they become available, reducing the likelihood that cybercriminals will exploit your digital assets.
Your business is at risk of a cyberattack. Each digital asset that is not patched can be used as a weapon against your business if it is not updated the same day updates are available.
My business has a secure backup system for critical data.
BACKUP SYSTEMS
When you expect the unexpected, your plan can help you resume normal operations following a cyberattack or data loss due to theft, fire or natural disaster. Scheduling regular online backups will facilitate faster recovery from data loss or data corruption.
Your company’s critical data includes Personal Identifying Information (PII) of customers, employees, suppliers and business data such as sales data, intellectual property, financial data and other essentials. Securely backing up and storing your critical data allows you to keep your business running after a data breach or ransomware attack. Secure online backup options include Cloud storage and an online backup service.
Resuming business-as-usual operations after a data breach will take longer and cost more without regular backups. Scheduling regular online backups will facilitate faster recovery from data loss or data corruption.
My business maintains an up-to-date digital asset list, including all devices, systems, software and accounts.
DIGITAL ASSET LIST
Maintaining an up-to-date list helps you understand your risk and better protect your business so you can track assets and remember what to update to prevent cyberattacks.
Devices:
- Laptops
- Desktop computers
- Point-of-Sale devices
- Mobile phones
- Tablets
- CCTV, etc.
Operating systems:
- Apple iOS/MacOS
- Windows
- Android
A complete list of devices, operating systems, software/applications and online accounts helps you quickly perform updates, recover from loss or theft and file insurance claims. Update your digital asset list whenever you acquire new assets and retire old assets.
Maintaining an updated inventory of all assets is essential to protecting your business and even recovering assets in case of theft or a breach.
Software and applications:
- Microsoft 365
- Dropbox
- Web browsers, etc.
Online accounts:
- Email
- Online Shopping Accounts
- Banking
- Credit cards
- Vendor accounts, etc.
These are some of the digital assets that should be included in your comprehensive list.
My business's employee training initiatives include regularly educating employees on required cybersecurity policies and best practices.
EMPLOYEE TRAINING
Committing to securing your business against cybercriminals is always a good business move.
Prioritizing cybersecurity-best-practices training for new and existing employees is an important part of your business's overall cybersecurity health.
Making sure your business is protected against cyberattacks starts today with new and existing employees. Begin your plan now.
Your cybersecurity training for employees should include safe password usage, two-factor authentication, software updates, phishing recognition and response, safe USB use, cyberattack response plan, data backup and recovery, and email protection.
My business has a ransomware response plan to effectively mitigate and recover from a cyberattack.
Ransomware response plan
Backing up your data regularly and having a ransomware-attack response plan in place will help your business respond and recover quickly.
Make sure all plans are documented and communicated to help reduce your risk of loss and downtime. Be prepared to respond and recover quickly.
Your business is at risk if you don’t regularly back up your data and have a ransomware-attack response plan. Without this advanced preparation, your business will likely shut down until the damage from the attack is effectively resolved and your data is restored.
Ransomware is a type of malware (bad software) that blocks access to a system, device or file until a ransom is paid or you access a decryption key to unlock your data.
Source: https://www.cyber.gc.ca
Your ransomware-attack response plan should include:
- risk assessment
- policies and procedures
- establish a Cyberincident Response Team
- employee training
- stakeholder identification
- communications
My business uses unique and secure passwords for every IoT device used to run my business.
SECURING IOT DEVICES
Your first line of defense for your IoT devices is set! Remember to remain diligent with your IoT passwords to harden your defenses.
Make sure each IoT device has a complex, unique password to help protect against a threat that could cause a service disruption, data theft, data or service manipulation and noncompliance with government standards.
IoT devices can get hacked just like any other device your business counts on. Help protect your IoT devices by setting complex, unique passwords that help block cybercriminals from taking over.
Internet-of-Things or IoT devices have sensors, processing ability, software and other technologies that connect and exchange data with other devices and systems over the Internet or other communications networks. Each IoT device should have a unique, complex password to help protect against a cyberattack that could result in service disruption, data theft, data or service manipulation, and/or noncompliance with government standards.
Source: Internet of Things (IoT) Security - ITSAP.00.012 - Canadian Centre for Cyber Security
My employees and I refrain from posting personal information on social media sites.
SOCIAL MEDIA
Resisting the temptation to post personal information on social media sites helps protect your business and your personal life by making it harder for cybercriminals.
Be very careful about what personal information you share on social media sites. Sharing too much information helps cybercriminals piece together aspects of your life that open the door to various types of cyberattacks.
Cybercriminals can use information you and your employees post on social media to launch several types of attacks, including phishing attacks, malware and ransomware attacks, disinformation campaigns, identity theft and others. These platforms include Meta, Instagram, Snapchat, TikTok, LinkedIn and X.
Social media can help your business, but posting personal information can be dangerous. Review what’s appropriate with your team and unite against cybercrime weaknesses.
My business uses enhanced email filtering.
enhanced email filtering
An enhanced email filtering tool is an excellent way to block phishing emails, including damaging attachments and links, before they are delivered to your inbox.
Enhanced email filtering is a tool that inspects all emails before they are delivered to your inbox. The tool detects and blocks emails that contain attachments and links known to be harmful, which helps protect against phishing attacks. They provide more protection than typical spam filters and can be adjusted to fit your preferences.
When everyone uses an enhanced email filtering tool, your employees save time and keep the business safe from phishing emails, including damaging attachments and links, before they are delivered to your email inbox.
You are missing out on a great way to help secure your business. Using an enhanced email filtering tool is an excellent way to reduce the need to evaluate each email because phishing attempts are thwarted before they can start.
My business protects against computer viruses by installing antivirus software on all devices.
antivirus software
As you know, antivirus software checks for viruses in real time, as they are happening, and removes the viruses before they can cause damage.
A computer virus is a type of malicious software or malware that spreads between computers and causes damage to data and software. Cybercriminals use software viruses to disrupt systems, which causes major operational issues and results in data loss and leakage.
Installing antivirus software on some, but not all devices, leaves unprotected devices susceptible to computer viruses that can disrupt your business. Install antivirus software that checks for viruses in real time, as they are happening, and removes viruses before they can cause damage.
Your devices are susceptible to computer viruses that can disrupt your business. Antivirus software is updated as each new virus protection is available, so the sooner you install antivirus software, the sooner your business is protected.
My business dedicates 4-7% of our IT budget for cybersecurity tools and resources.
cybersecurity tools
Investing in your cybersecurity tools and resources can save your business money and time in the long run.
Securing your digital ecosystem requires an investment of human resources and money. According to Baseline cybersecurity controls for small and medium organizations — Canadian Centre for Cyber Security, small and medium businesses should expend 4–7% of their IT budget on cybersecurity.
A cyberattack can be much more costly to your business than the cost of cybersecurity tools and resources designed to protect your digital ecosystem. The reputational cost to your business following a cyberattack is incalculable.
It’s time to invest in your business’s cybersecurity by purchasing tools that fill your cybersecurity gaps. Dedicating 4-7% of your IT budget to purchasing cybersecurity tools and resources can save your business money and time in the long run.
My business limits employees' access rights to our digital assets based on their role and responsibilities.
roles and responsibilities
Limiting access means limiting exposure to cybersecurity risks.
Limiting access rights means only employees who need to use specific digital assets can access them. This practice helps reduce the risk of cyberattacks and insider threats where an employee misuses or steals important data.
Evaluating access rights to digital assets and accounts limits the number of employees who have access to your business assets and information. This could mean only giving log-in information to the select people who require access.
You’re at risk for internal attacks and cyberattacks from bad actors. Figure out who requires access to what and restrict everyone else. A need-to-know basis is a good practice when limiting information.
My business has a cyberattack incident response plan.
CYBERATTACK RESPONSE
Preparing in advance for a possible cyberattack will help your business respond and recover faster, thereby reducing downtime and potential data loss.
A comprehensive incident response plan prepares your business to quickly respond to a cyberattack, resolve issues resulting from the attack and learn from the incident so you can strengthen your cybersecurity profile and reduce the risk of another attack.
Developing a cyberattack incident response plan should be a high priority for your business. Every day your business can’t operate is costly to your bottom line.
Creating a plan for when the unexpected happens means your team knows exactly what to do, and what not to do, so you can minimize loss and downtime.
Learn the basics
Many budding entrepreneurs or owners of smaller businesses can feel anxious just thinking about implementing cybersecurity solutions. But protecting your and your customers' data is crucial – and less difficult than you may think. By understanding your options, available solutions and where to turn, you can build your cybersecurity knowledge in no time.
Expand your knowledge
You might have some cybersecurity practices in place, but do you know what your vulnerabilities are? Discover and adopt best practices, resources and solutions to improve your business' cybersecurity. Leverage Mastercard as a trusted partner for more information and solutions that help you improve your cybersecurity knowledge.
Master your security
You've established cybersecurity best practices, but the ever-changing risks mean taking defense protocols to the next level. Making Mastercard a trusted partner can help set you up for success by taking an active and intelligent approach in safeguarding your cybersecurity. Staying on top of changing trends and changing innovations can help set you up for long-term success – and safety!