Cybersecurity Risk Assessment Template: Email and Browser Protection

June 8, 2023 Minh Le

What is the best template to use for a Cybersecurity risk assessment, for email and browser protection?

In this video, I explain 7 steps to protect your email and browser from possible threats.


About Me

Mike Smith has been helping companies select the best telecom, WAN, security, and cloud services since 1999. He founded AeroCom in 2003, and has been the recipient of numerous business telecommunications industry awards, including being recognized as one of the top 40 business people in tech-heavy Orange County, CA. Follow Mike on YouTube, LinkedIn, Reddit and SpiceWorks.

Transcript

You are in charge of your company’s cybersecurity and you’re wondering if your company’s policies are adequate. When it comes to email and browser protection, well, you’re in luck because that’s what today’s video is going to be on. So I’m going to use the CIS template to go over the best practices for different sized companies or different requirements of companies when it comes to protecting your organization’s email and browsers.

Not Sure? Contact me

But before we get too far ahead of myself, if this information in the video starts to feel a little bit overwhelming, don’t worry about it. Just reach out and contact me. I’m a broker for all the major outsource cybersecurity vendors out there and you don’t have to tackle all this stuff by yourself. You can hire a third party to come in and do the assessment for you. They can also provide some of the cybersecurity services where you just don’t have time to do them. And that’s really, really common these days because IT staffs are typically pretty thin. And cybersecurity is advancing really fast. So it’s no big deal. If you cover all this stuff, just hire an outsource company and have them fill in the gaps and reach out. Contact me, send me an email, give me a call (714.593.0011) if you’d like some recommendations. I highly recommend you reach out and contact me because I’m a broker for all the major cybersecurity vendors out there. And if you just browse the internet, you’re going to find a ton of them. You won’t know which ones to choose. Just contact me, it’s free.

Check out our website

Also, if you’d like to do some kind of self browsing, if you go to our web site Aerocominc and in the search bar you can search for cybersecurity services such as EMDR or ADR or risk assessments, things like that, you know, pen testing, that type of thing. You can actually search vendors according to the features that they offer when it comes to those types of services. So go check out our website and while you’re there, leave some reviews for different vendors you’re using for things like VoIP and Internet services, things like that. I’d love it if more of the I.T. community left reviews on the providers that they’re using, so you guys could all benefit from that. More information on that stuff at the end of the video.

Biggest issues during assessments

So browser and email protection. I would say the biggest thing that outsourced companies find when they come into a company and do a formal cybersecurity risk assessment, the number one thing that they find is that companies think that the Office 365 Suite or the Google Suite is enough when it comes to protecting email and browsers. So they think, you know, like the spam filter that they have on their email application, or maybe Defender they’re using to protect the browser, stuff like that. They think that’s enough. Maybe they’ve blocked pop-ups or something like that and they think that’s fine. Well, it’s not enough. So what I’ll do today is I’m going to break down the recommended safeguards that your company should be using for email and browsers, depending on your company’s cybersecurity needs. Now, every company is a little bit different, you know, in terms of their cybersecurity requirements, but a nice thing that the CIS framework does is it breaks down the safeguard recommendations based on three different types of companies.

IG1

The first type of company is a company that doesn’t have extremely sensitive data. All they have is kind of employee information. You know, Social Security numbers, things like that of their employees internally. They’re not really a main safety risk to the outside world if they’re breached. But they can’t really afford any downtime. Their IT staff is very thin. Their company just can’t afford any downtime. That’s kind of category number one.

IG2

Category number two is companies that can afford a tiny bit of downtime, but they have very sensitive data and maybe they have to meet certain requirements, like, you know, they have certain compliance requirements that they have to meet. So that would be category number two.


IG3

Category number three companies are large organizations that have their own cybersecurity staff internally. And they also pose a very specific public threat if they’re breached and they’re actually targets for threat actors, they’re common targets. So those are big companies that if they are breached, they’re going to have downtime, they can’t afford downtime and they are public safety targets. So if they’re breached, it can be a public safety problem. So depending on where your company falls, they have different safeguard recommendations. Now, if your company doesn’t fall into any of those, then, you know, don’t worry about this video. You don’t really meet the minimum requirements to start really worrying about cybersecurity. Maybe the basic safeguards like that that Microsoft offers are kind of good enough and you don’t really have to start worrying a whole lot.


IG1 Safeguards 1 & 2

Okay, so the first two safeguard recommendations are for that first category of companies, what CIS calls the IG1 group. Okay. So the first one is to make sure your company only allows approved browsers and email application clients. All right. So pretty standard one there. Make sure everything else internally is blocked. Number two is use some type of a domain filtering service so that, you know, all of the main domains that are known, that are publicized within the cybersecurity community, that are main threats to organizations, make sure all those domains are blocked. So use some type of filtering service that’s blocking those domains. Any company with a minimum IG1 grouping needs to follow those two requirements. That’s the template.

IG2 Safeguards 3, 4, 5, & 6

Now safeguards numbers three through six apply to what we call IG number two. That’s the one I described earlier. That second group. Number three, maintain and enforce network-based URL filters. Number four, block. Find a way to not allow any type of extensions or plug-ins to browsers or email clients that your company supports. So any type of unsupported plug-in or add-on to your email application or browsers should absolutely be blocked. Number five, institute DMARC policy. You know, DMARC. I’m an old telecom guy, so DMARC starts to talk about the demarcation point when you’re walking in the building, but that’s not what this DMARC is. D-M-A-R-C. It’s spelled the exact same way, but it represents something different. I don’t want to go too deep into it on this video, but take a look at it. Look it up. And number six, block all unnecessary file types.

IG3 Safeguard 7

And finally, number seven. Now this one is the only safeguard that is mandatory for group IG three. Again, those are large companies with their own cybersecurity department who, if they’re breached, it poses a public threat. So number seven is the only one that really applies to them and it’s maintain and manage email server malware protection. So run that on your email server. Now obviously malware is one of those things where a lot of companies, even ones that aren’t in IG three, I think in my opinion, you know, maybe you could hire a third party company to do things like malware tests where they’re actually sending out emails to your organization to see if anybody clicks on it and give your employees a score and publicize the scores and things like that. So practicing malware protection, I think, applies to a lot of different companies. But this specific safeguard is number seven for group IG three.

My Recommendation

Okay. Well, I hope that helped. Remember, it’s a little bit overwhelming. Don’t worry about it. Hire a third party company to come in and reach out to contact me, send me an email, give me a call (714.593.0011), ask me for my recommendations on the best cybersecurity as a service vendor that your company should be quoting based on the product and requirements that your company needs. So I’m a broker for all the major vendors out there who do this, and there’s hundreds of them, if not thousands. And the nice thing is the vendors pay me my broker fee so you don’t have to pay me anything for giving you a recommendation. I’ve been doing this for 20 years, so I know all the major players in the industry and I can save you a lot of time. I can help you make a lot more educated decision in a fraction of the time. So you’ll end up with a better vendor with less time invested. Absolutely no brainer. At least reach out and ask me my opinion.

Want to browse first? Check out our website

And then also if you’d like to do some just self-exploration, take a look at our website. I guarantee you’ve never seen a website like this in our industry. It’s super cool. You can go into the browser or go into the main search bar, I should say, and look up the type of security your company is looking for. And you can search vendors by the actual features that you’re looking for specifically. So really cool website, definitely check it out.

Outro

And as always, don’t forget to hit the subscribe button, like the channel, ring the bell so that the videos get out there to more people, so that YouTube likes the videos and sees that you guys like the videos and more people are able to see them. Well, thanks again for watching. I really appreciate it. And I’ll catch you on the next one.
