The Hanover Insurance Group

Cybersecurity checklist

The topic of cybersecurity covers many actions that, together, help deter hackers and protect against viruses and other potential risks to the networked enterprise. This handout provides security tips, developed by the Department of Homeland Security (DHS), to assist business managers in assessing and improving their cybersecurity plans and procedures.

The checklist outlines several hardware, software, and cybersecurity educational items that organizations should consider and implement to protect their digital infrastructure. Negative responses warrant further investigation.

Protecting equipment

Do you secure all computer equipment and servers in a locked storage area with specific individual access permissions?
Is there a process to identify lost or stolen laptops and devices immediately?
Are there appropriate procedures to report lost items for employees?
Is there a formal process to prevent unauthorized data transfer via USB drives and other portable devices?
Is it a standard procedure to wipe content on all devices before they are discarded or transferred to others?
Are there policies and procedures to disable inactive accounts, including those of transferred or terminated employees, after a set time period?
Is there a procedure to set automatic timeouts for all computers, following a period of inactivity?
Does staff monitor, log and report all intrusions to the appropriate authorities?

Management and IT department

Has the management team conducted a computer network assessment to obtain the information needed to develop a cybersecurity plan to reduce cyber-attacks and address breaches?
Are there clear policies and procedures for employee use of the organization’s information technologies?
Have technical defenses, such as firewalls, intrusion detection systems and internet-content filtering, been established?
Is the antivirus software updated daily?
Is there a procedure to regularly download vendor security "patches" for all software?
Have the manufacturer's default passwords been changed on all software?
Is there a log that captures and analyzes successful and attempted intrusions to the systems and networks?

Protect local networks

Is there a policy that requires preapproval for the use of any devices not issued by the organization?
Is it standard practice to encrypt all computers and mobile devices issued by the organization?
Has there been an implementation of role-based access to any systems to ensure employees only have access to programs and applications necessary to perform the functions of their job?
Are there gateways in place to prevent the installation of any peer-to-peer software applications?
Are regular desktop audits performed for the entire organization to ensure unauthorized software applications are not installed?
Is there a group that researches and builds necessary firewalls to protect against intruders?
Are security policies developed for the use of virtual private network or remote connections?
Is data backed up regularly?
Is there a plan to access information quickly in case of a natural or man-made disaster?

Is the plan tested and adjusted to ensure that essential operations are able to continue with minimal disruption?

Are antivirus scans performed on all incoming and outgoing files?

Safe cyber practices

Are there established policies prohibiting the transmittal of protected information using unencrypted public networks (i.e., free Wi-Fi hotspots)?
Are there written, defined policies and procedures for employee use of the organization’s information technologies?
Does the organization conduct information and cybersecurity awareness trainings and brown bag workshops to educate employees about phishing scams, spyware and identity theft on initial hire and on an annual basis, and to make employees aware of how to report and respond to suspicious cyber events?
Do you require employees and staff to utilize strong passwords for networks and systems with a combination of letters, numbers and special characters?
Is it common practice to require frequent password resets for all systems?
Are multiple authentication methods required for computers and networks?
Are users educated on the importance of disconnecting from the internet when not in use?
Is it a regular practice to delete emails, without opening, when they are from unknown sources?
Are users required to contact an entity directly when authentication is requested?

To learn more about Hanover Risk Solutions, visit

Copyright ©2019, ISO Services, Inc.

The recommendation(s), advice and contents of this material are provided for informational purposes only and do not purport to address every possible legal obligation, hazard, code violation, loss potential or exception to good practice. The Hanover Insurance Company and its affiliates and subsidiaries ("The Hanover") specifically disclaim any warranty or representation that acceptance of any recommendations or advice contained herein will make any premises, property or operation safe or in compliance with any law or regulation. Under no circumstances should this material or your acceptance of any recommendations or advice contained herein be construed as establishing the existence or availability of any insurance coverage with The Hanover. By providing this information to you, The Hanover does not assume (and specifically disclaims) any duty, undertaking or responsibility to you. The decision to accept or implement any recommendation(s) or advice contained in this material must be made by you.

LC APR 2019 10-182H
171-0998 (6/19)