Self-Assessment: Rate Yourself On CyberSecurity

27 August 2024

Self-Assessment: Rate Yourself On How Your Business Stacks Up Against Baseline Cyber Security Tasks

Developed by Alex Locatelli, Chief Technology Officer


The Essential Eight are a set of strategies designed to provide a baseline for cybersecurity. While they are easy to understand, they are difficult to measure.

Hence, we have come up with this self-assessment, which allows you to rank your own capabilities. If you’re not sure what something means, or whether you’re doing it, just give yourself a lower score. You can repeat the self-assessment at any time.

For each statement below, select the number that best represents how your business performs in that area. Add up your scores for each section to get an overall picture of where your business stands.

Application Control


We have a policy in place that only allows approved applications to run within our network.
1 - 2 - 3 - 4 - 5


We regularly review and update the list of approved applications.
1 - 2 - 3 - 4 - 5


We use application whitelisting technology to enforce our policy.
1 - 2 - 3 - 4 - 5


Employees are informed about the importance of using only approved applications.
1 - 2 - 3 - 4 - 5


Unauthorised applications are promptly detected and removed.
1 - 2 - 3 - 4 - 5


Total Score for Application Control: _____ / 25


Patch Applications


We have a process for regularly updating all applications to their latest versions.
1 - 2 - 3 - 4 - 5


Security patches and updates are applied promptly as they are released.
1 - 2 - 3 - 4 - 5


We track and document the application patch status across the organisation.
1 - 2 - 3 - 4 - 5


Automated tools are used to manage application updates and patches.
1 - 2 - 3 - 4 - 5


We have a policy in place to ensure no application is left outdated.
1 - 2 - 3 - 4 - 5


Total Score for Patch Applications: _____ / 25


Configure Microsoft Office Macro Settings


We have configured macro settings in Microsoft Office to disable macros from untrusted sources.
1 - 2 - 3 - 4 - 5


Users are educated about the risks of enabling macros from unknown sources.
1 - 2 - 3 - 4 - 5


We regularly review and update our macro security settings.
1 - 2 - 3 - 4 - 5


Macros are only allowed from trusted locations or sources.
1 - 2 - 3 - 4 - 5


We have controls in place to monitor and manage macro usage.
1 - 2 - 3 - 4 - 5


Total Score for Macro Settings: _____ / 25


User Application Hardening


We have disabled unnecessary features in Microsoft Office to reduce exploit risks.
1 - 2 - 3 - 4 - 5


Security settings are configured in web browsers to limit potential vulnerabilities.
1 - 2 - 3 - 4 - 5


PDF viewers are configured to disable potentially dangerous features.
1 - 2 - 3 - 4 - 5


We regularly review and update hardening configurations for user applications.
1 - 2 - 3 - 4 - 5


Users are trained on the importance of maintaining application security settings.
1 - 2 - 3 - 4 - 5


Total Score for User Application Hardening: _____ / 25


Restrict Administrative Privileges


We limit administrative privileges to only those users who absolutely need them.
1 - 2 - 3 - 4 - 5


Administrative accounts are monitored for unusual activity.
1 - 2 - 3 - 4 - 5


We regularly review and adjust administrative privileges based on role changes.
1 - 2 - 3 - 4 - 5


Least privilege principles are enforced in our access control policies.
1 - 2 - 3 - 4 - 5


There is a formal process for requesting and granting administrative access.
1 - 2 - 3 - 4 - 5

Total Score for Restrict Administrative Privileges: _____ / 25


Patch Operating Systems


We have a process for regularly updating our operating systems to their latest versions.
1 - 2 - 3 - 4 - 5


Security patches and updates for operating systems are applied as soon as they are released.
1 - 2 - 3 - 4 - 5


We track and document the patch status for all operating systems in use.
1 - 2 - 3 - 4 - 5


Automated patch management tools are used for operating systems.
1 - 2 - 3 - 4 - 5


We have a policy in place to ensure all operating systems are up-to-date.
1 - 2 - 3 - 4 - 5


Total Score for Patch Operating Systems: _____ / 25


Multi-Factor Authentication


We use multi-factor authentication (MFA) for accessing critical systems and data.
1 - 2 - 3 - 4 - 5


MFA is enforced for all remote access and administrative accounts.
1 - 2 - 3 - 4 - 5


We regularly review and update our MFA methods and policies.
1 - 2 - 3 - 4 - 5


Users are trained on how to use MFA and its importance for security.
1 - 2 - 3 - 4 - 5


We monitor the effectiveness and compliance of our MFA implementation.
1 - 2 - 3 - 4 - 5


Total Score for Multi-Factor Authentication: _____ / 25


Daily Backups

We perform daily backups of all critical data.
1 - 2 - 3 - 4 - 5


Backup processes are automated and monitored for success.
1 - 2 - 3 - 4 - 5


Backups are stored securely and are protected from unauthorised access.
1 - 2 - 3 - 4 - 5


We regularly test our backup recovery process to ensure data can be restored.
1 - 2 - 3 - 4 - 5


We have a documented backup and recovery plan that is reviewed regularly.
1 - 2 - 3 - 4 - 5


Total Score for Daily Backups: _____ / 25


Scoring and Interpretation

Rather than receiving a single total score, you evaluate your proficiency section by section. Below are the grading bands for each portion of the Essential 8 Quiz.


21-25: Excellent - Your practices in this area are highly effective.
16-20: Good - Your practices are strong, but there may be room for enhancement.
11-15: Fair - Improvements are needed to strengthen your practices in this area.
06-10: Poor - Significant improvements are required to address vulnerabilities.
01-05: Very Poor - Immediate action is needed to address critical issues.

Next Steps

Identify areas where your scores were lower and develop a plan to address the gaps. Regularly reassess your practices to ensure continued security and compliance with best practices.

Or, speak to us! We specialise in helping businesses with 5-15 employees to proactively manage IT support.
