Security Report Card

Backups:
Automated backups & tested +1,
offsite +1,
encrypted +1
versioned controlled OR immutable +1,
our data in cloud services is also backed up +1

Hardware:
support contract OR spare in stock +1,
redundant power supplies +1,
redundant/trunked uplinks +1,
config backed up automatically +1,
monitored by an alerting server +1,
config changes result in an alert +2

Remote Access:
RDP port forward -5,
SSL VPN -2,
Filtered by Country or autoupdated blocklist +1,
includes method to prevent pw guessing +1
requires 2FA for ALL users +2,

Testing:
own a product that tests onsite gear +1,
we contract professionals to test us +2,
management understands the risks +5

Training:
documented employee on-boarding includes privacy expectations +1,
we do yearly training +1,
we have a competition and give out prizes +3

Email Filter:
SPF record set to strict +1,
3rd party filtering service +2,
external email easily identified by banner or color +1,
Accounting checks before transferring any $ +2,
employees know how to use PlusAliasing/TemporaryEmail to reduce spam +2

Workstation Sec:
Antivirus installed & centrally controlled +1,
includes User Behavioural Analysis UBA +1,
Logs are collected centrally +1,
users are NOT local admin +1,
Local admin pw is complex & >12 char +1,
executable allow-list prevents unapproved programs from running +2

Laptops:
secure boot OR Bios pw +1,
HDD encryption +1,
remote management and updates +1,
user is not Admin +1,
owned by employees -1

MFA:
via SMS +1,
via App/hw token +2,
enabled for ALL cloud services +3

Phones:
supported hardware getting regular updates +1,
updates installed weekly +1,
MDM installed +5,
owned by employees -1

Score:
0-10 You are a pushover for Hack-bots and script-kiddies. You are likely already compromised.
11-20 You are a prime target for the next big vulnerability
21-30 You are outrunning your peers but not the bear, your turn will come.
31-40 Congrats, you are above average. Keep up the good work.
41-50 You are probably a cyber-security firm. Confirm with a security assessment and embarrass your competition.

based on this