Cyber Security Assessment

A focus on prevention and defense against cyber threats is required, but it is not sufficient, because perfect prevention is unrealistic. An emphasis on early detection and fast recovery from breaches is essential. Complete the following questionnaire to receive your cyber security mini-audit.

Rate yourself from 1 – 3 (3 being best) for each question. When finished, click the “Get My Results” button at the bottom of the page to receive your results by email.


Image-based Backups: I have an image-based backup in place. Entire systems are backed up including applications, user accounts, permissions, operating systems, and all data. The backup has multiple copies and is stored in multiple locations, at least one of which is in the cloud.

SaaS Backups: We use SaaS (Software as a Service) solutions like Office 365, Google Suite, SharePoint and Salesforce. Skip this section if you do not use any SaaS solutions. I back up my cloud-based solutions at least three times daily. If I depend on my software vendor for backups and recovery services, I have purchased an explicit license or service from them for this purpose.


Recovery Testing Completed: I perform simulated outages to test the recovery of my backups at least twice every year. My backup recovers in an acceptable amount of time when I perform the outages.

SaaS Recovery Testing Completed: I can selectively restore any or all of my SaaS content from my backups. I can restore it to either the original location or a different location of my choosing. I perform simulated outages to test the recovery of SaaS backups at least twice every year. My backup recoveries are completed in an acceptable amount of time.

Skip this question if you do not use any SaaS solutions like Office 365, G-Site, SharePoint, OneDrive, or Salesforce.

Credential Security and Monitoring

Good Password Hygiene: I use complex passwords. My passwords are unique across websites and apps. I use a password manager and have changed my passwords for all sites that have been compromised.

Strong Passwords on Privileged Accounts: Passwords on privileged accounts, like those for application administrators, business leaders, accounting, or compliance systems, are at least 16 characters long and complex. The password could not be found in any dictionary in any language.

Retired credentials are actively managed and we audit privileged accounts annually.

Multi-Factor Authentication Used: MFA/2FA is required for both privileged and high-value accounts. We are moving to implement MFA on all user accounts.

Monitor for Compromised Credentials: I know which of my email addresses and passwords are for sale on the dark web, and I know the related date. I continuously monitor for new compromised credentials on the dark web. I actively manage compromised credentials and old accounts with a dark web monitoring solution.

Security Culture and Awareness

Security Awareness Program Exists: I make cyber security awareness, education, and testing part of my company culture. I have a common-sense security policy that is understood, implemented, and tested. My employees have received education about phishing scams. Moving to compliance starts with education, and repeat offenders need to be treated seriously.

Note: Here are the common reasons you may not appear to have received your report. If you don’t receive an email shortly, please check:

  1. Check your Junk or Spam folder
  2. Check Clutter, or switch the Focused view in Outlook to All
  3. Check with your IT team to see if is whitelisted; if not, ask them to whitelist the entire domain (

If it still cannot be found, contact our service desk at or call us at 403-455-5969 and we will manually send it to you directly.
