Exposed RDP and other remote desktop software are the most common ways ransomware and other attacks are started. For accessing your systems remotely, these remote access tools need to be hidden behind a VPN, and so not exposing them directly to the Internet (and to threat actors).

Critical security patches include patches which address/fix vulnerabilities which could lead to a material detrimental impact if exploited, i.e., critical vulnerabilities. Often critical security patches will be flagged as important/critical by software providers, and will carry a CVSS score of 9 or above (see Help Sheet in Documents pack for CVSS score explanation). It is particularly important you patch any remote desk top (RDP) software you use.

You should not publicly expose to the Internet EoL software or services running on EoL Operating Systems, as those vulnerable services will be very visible to potential attackers.

Email security gateways reduce email threats like spam, viruses, and phishing attacks by filtering potentially malicious messages, stopping them from reaching employees in the first place. Attackers also deliver malware through these commonly used malicious attachment types: .HTA, .ocm, .lsm, .exe, .PS1, .VBS, .js, .zip, .lnk, .iso, .one

Endpoints include both servers and users’ workstations. Workstations can include desktops, laptops, tablets etc. which are used to access your IT network or applications (whether cloud hosted or on-premises). Employees own devices and external consultants devices’ should be included here if they are used to access the organisation’s services (e.g., BYOD “Bring Your Own Device”).

Training should be performed at least within the first three months for new users, ideally sooner, and then regularity of training depends on the number of users and size of network/data, e.g., if lots of users and/or large network then ideally regularity would be at least twice per year. If small network and small data set, then at least annually is fine.

MFA uses a second piece of information to authenticate access, so more than just a password. Passwords alone no longer provide enough security, especially for services accessible from the Internet (e.g., Microsoft 365, Google Workspace, etc).

Regularity of back-ups being taken and being tested depends on the size of back-up and how frequently the critical data is updating/changing – e.g., if there are large quantities of critical data and the critical data is changing daily, then daily back-ups should be considered, and back-ups tested at least every month/few months.

If you are a new start up, please provide your estimated Gross Turnover for the first 12 months of trading

Please provide the primary registered internet domain name used to market business, provide information about the business or operate the business. Please ensure this does not include any prefix/subdomain, and that it is purely the root domain (i.e. the domain name plus top-level domains).

E.g. plb.insure, or , google.co.uk as examples.