Security at Work · Maturity

How to know if your company is secure: a practical guide to assessing cybersecurity maturity

Quick answer

Knowing whether your company is secure takes more than having antivirus installed: you need to map all exposed assets, measure the maturity of your controls with recognized frameworks like the NIST CSF and CIS Controls, and test — in practice — whether backups restore and whether the team knows what to do in the face of an attack. A secure company is not one that has never been attacked, but one that detects, responds and recovers quickly when it is.

Decripte is a cybersecurity company serving businesses from 1 to 100,000+ employees — from assessment to 24x7 incident response.

Warning signs

  • No MFA on critical systems. If any user — especially administrators — accesses email, VPN or cloud consoles with only a username and password, the company is one phishing away from a complete breach.
  • Backup has never been tested or is on the same network as production. Untested backups tend to fail on restore. Backups on the same network are encrypted along with the original data in a ransomware attack. Both scenarios result in total data loss.
  • There is no formal incident response plan. Without a documented and rehearsed plan, the response to an attack is improvised and slow. Every hour of confusion increases the financial loss and the exposure of customer data.
  • IT is overloaded and reactive, with no time for proactive security. When the IT team spends the day resolving operational tickets, no effort is left for patch management, log monitoring or access reviews. This situation creates a permanent window of exposure.
  • 'We've never been attacked' as a security argument. Companies that do not detect attacks are not free of attacks — it means they have no visibility. Without log monitoring and alerts, an intrusion can remain active for months without being noticed.
  • Suppliers with network access and no security review. Partners, service providers and SaaS with privileged access and no verification of controls are invisible attack vectors. The legal liability for data leaked via third parties falls on the contracting company.

Step by step

  1. 1

    1. Build an asset inventory and map your attack surface

    List every device, system, application, API and cloud service the company uses or exposes to the internet. Passive discovery tools (Shodan, Censys, TLS certificates via crt.sh) reveal what is visible to any attacker before you even know it. Without an inventory, you cannot protect what you do not know exists.

  2. 2

    2. Apply a maturity assessment framework

    Use the NIST Cybersecurity Framework (CSF 2.0) or the CIS Controls v8 to score each domain: Identify, Protect, Detect, Respond and Recover. The result is a gap assessment — the difference between where the company is and where it should be — with clear investment priorities, not a generic list of recommendations.

  3. 3

    3. Check whether the company's credentials have already leaked on the dark web

    Stolen corporate credentials are the entry vector in more than 80% of incidents. Dark web monitoring services and databases like Have I Been Pwned let you check whether your company's emails and passwords are circulating in criminal forums. If there are findings, force an immediate reset and enable MFA on all affected accounts.

  4. 4

    4. Run a vulnerability scan and then a pentest

    Automated scans (Nessus, OpenVAS, Qualys) identify known vulnerabilities in exposed systems and services. A pentest goes further: certified professionals simulate a real attacker, chaining vulnerabilities to demonstrate the real impact of a breach. The pentest answers 'can an attacker get in, and what can they do?'.

  5. 5

    5. Test your backups — do not just verify that they exist

    The vast majority of companies discover that their backups do not restore during a ransomware incident — when it is too late. Test a full restore of at least one critical system every quarter, measure the real recovery time (RTO) and confirm that the backup is isolated from the main network so it is not encrypted along with production.

  6. 6

    6. Assess access management and MFA adoption

    Audit who has access to which systems, eliminate orphaned accounts (former employees, terminated vendors), apply the principle of least privilege, and ensure MFA is active on corporate email, VPN, cloud consoles and financial systems. A single privileged access without MFA is enough to compromise the entire company.

  7. 7

    7. Review the incident response plan and run an exercise

    Having an IR document in a drawer is not the same as being prepared. Run a tabletop exercise: simulate a ransomware or data breach scenario with leadership and IT and see who notifies whom, how quickly, and whether the procedures work. An untested plan is a plan that fails at the most critical moment.

  8. 8

    8. Assess the security of your supplier chain

    Supply chain attacks have compromised large companies in recent years by exploiting suppliers with privileged access and weak controls. Map which third parties have access to your systems, data or network, require evidence of minimum controls (MFA, patch management, access policy) and include security clauses in contracts.

What NOT to do

  • Confusing compliance with security. Being compliant with the LGPD or obtaining a certification does not mean the company is protected. Compliance is a legal minimum floor, not a security ceiling. A company can be certified and compromised at the same time.
  • Delegating security entirely to IT without involving leadership. Cybersecurity is a business decision: it involves budget, risk tolerance, customer relationships and legal obligations. Without C-level buy-in, security projects end up without resources and without priority.
  • Running a pentest and filing the report away without fixing the findings. A pentest without a remediation plan is a wasted investment. The report documents the vulnerabilities an attacker would also find — and that will remain open until they are fixed and validated.
  • Ignoring the security of mobile devices and home office. With remote work now established, personal laptops, home networks and mobile devices are frequent blind spots. MDM policies, mandatory VPN and user education are basic controls that many companies still have not implemented.
  • Treating security as a one-off project instead of a continuous process. The threat landscape changes daily: new CVEs, new attack techniques, new suppliers with access. An assessment done two years ago does not reflect current exposure. Security requires monitoring, periodic reviews and continuous improvement.

What being secure as a company really means

Most Brazilian companies still associate cybersecurity with having antivirus installed and a firewall active. This view is dangerous because it treats security as a purchased product, not as a built capability. Being secure, in the real sense of the term, means having visibility into what is exposed, controls that are implemented and tested, and the ability to detect and respond to an incident before it becomes a catastrophe.

International frameworks such as the NIST Cybersecurity Framework (CSF 2.0) and the CIS Controls v8 define security as a set of functions: Govern, Identify, Protect, Detect, Respond and Recover. Companies that operate only in the first two functions — identification and protection — are blind to attacks in progress and unable to recover quickly when attacked.

An honest maturity assessment begins with the question: 'If an attacker gets in today, how long does it take us to notice, how long to contain, and how much do we lose?' The answers reveal where the company really is — not where it imagines it is.

How to conduct a security self-assessment step by step

The self-assessment begins with the asset inventory. List all the systems, applications, cloud services, devices and APIs the company operates or exposes. Free tools like Shodan and Censys let you see what is visible to anyone on the internet — many companies are surprised by what they find. This inventory is the foundation for everything: you cannot protect what you do not know exists.

With the inventory in hand, apply the CIS Controls v8 as an assessment checklist. The first six controls — hardware inventory, software inventory, data protection, secure configuration, account management and access control management — cover most of the entry vectors exploited in real incidents. For each control, assess whether a policy exists, whether it is technically enforced and whether there is evidence it works.

Document the gaps found and prioritize by the combination of likelihood and impact: a critical vulnerability in an internet-exposed system takes priority over a suboptimal configuration in an internal system with no sensitive data. The result is a remediation roadmap with realistic deadlines, not an endless list of tasks without context.

For companies without an internal security team, the ideal is to combine the self-assessment with an assessment conducted by a third party. The external perspective captures blind spots that the internal team normalizes over time, and the eye of a specialist in recent threats adds context that does not appear in generic checklists.

Assess your company for free

See in minutes what is already exposed from your business.

Decripte's free Threat Management plan maps vulnerabilities, monitors threats and shows leaked credentials — no credit card and no technical team.

Start free now

When self-assessment is not enough: the role of the pentest and the gap assessment

A checklist-based self-assessment measures what the company declared it has implemented. The pentest measures what an attacker can actually do — and the difference is usually considerable. A penetration test conducted by certified professionals (OSCP, CEH, GPEN) simulates the real techniques used by criminal groups and APTs, chaining individual vulnerabilities to demonstrate the real impact of a successful breach.

The gap assessment goes beyond the pentest by mapping not only technical vulnerabilities, but process and governance gaps: the absence of a change management policy, the lack of awareness training, the nonexistence of documented incident response procedures. These gaps do not appear in automated scans, but are equally exploitable by attackers who use social engineering and targeted phishing attacks.

Companies that process sensitive personal data — healthcare, financial, legal — or that operate critical infrastructure should conduct a pentest and gap assessment at least annually, and always after significant infrastructure changes. For the rest, an annual review combined with quarterly vulnerability scans is a reasonable starting point.

LGPD, regulatory compliance and what the law really requires

The General Data Protection Law (LGPD) requires companies to adopt appropriate technical and administrative measures to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication or dissemination. The law does not specify technologies, but the ANPD has signaled that adequacy requires, at a minimum: a data inventory, a risk assessment, access controls, a retention policy and an incident notification procedure.

Companies that have suffered data breaches and cannot demonstrate they had adequate controls face fines of up to 2% of revenue (limited to R$ 50 million per infraction) and, more importantly, reputational damage that affects contracts and business relationships. Compliance is not just a legal obligation — it is a competitive differentiator in due diligence processes and bids.

The LGPD compliance assessment should include: mapping the flow of personal data, reviewing contracts with suppliers that process data, verifying the legal bases for each processing activity, and testing the process for handling data subjects' rights. For companies that have not yet performed this mapping, the starting point is to identify where customer and employee data is stored and who has access to it.

How Decripte assesses and monitors your company's security maturity

Decripte is a Brazilian company specialized in the implementation and management of cybersecurity for organizations of all sizes — from the sole proprietor to the enterprise with more than 100,000 employees. Our approach combines maturity diagnostics based on the NIST CSF and CIS Controls with real-time threat intelligence, dark web monitoring and technical tests conducted by certified professionals.

The starting point for any company is the free Threat Management plan, available in our Intelligence Center. In minutes, it shows what is already exposed about your organization — internet-facing assets, leaked credentials, known vulnerabilities in public systems — with nothing to install. It is an honest picture of the attack surface any attacker can see today.

For those who need a structured assessment, we offer the Maturity Diagnostic, which maps gaps in governance, technical controls and response capability, and delivers a prioritized remediation roadmap. The diagnostic is the first step toward turning security from an operational cost into a measurable competitive advantage. Go to /intelligence-center to start for free or /diagnostico to talk to a specialist.

Key terms

Attack surface
The total set of entry points — systems, applications, APIs, devices, users and suppliers — through which an attacker can attempt to compromise an organization. It includes both known assets and assets forgotten or unknown to the IT team. Reducing the attack surface means eliminating what is not necessary and continuously monitoring what remains exposed.
Maturity assessment
A structured process for measuring the level of implementation of an organization's security controls against a reference framework, such as the NIST Cybersecurity Framework (CSF 2.0) or the CIS Controls v8. The result is a maturity index by domain (Identify, Protect, Detect, Respond, Recover) and a prioritized roadmap of improvements based on the gaps found.
Pentest
A penetration test conducted by certified professionals who simulate the techniques and tactics of a real attacker to identify exploitable vulnerabilities in an organization's systems, applications and networks. Unlike an automated scan, the pentest chains vulnerabilities and demonstrates the real impact of a breach, answering the question: 'What can an attacker do if they get in?'.
Gap assessment
A comparative analysis between an organization's current security state and a target state defined by a framework, regulation or internal policy. It identifies not only technical vulnerabilities, but also gaps in process, governance and human capacity. The result is a prioritized list of gaps with remediation recommendations, estimated cost and timeline, serving as a basis for security budget planning.

Frequently asked questions

How can I tell if my company has already been attacked without knowing it?

Companies without log monitoring and detection tools often fail to notice intrusions in progress. Warning signs include unexplained system slowness, logins at atypical hours, unusual data transfers and alerts from email providers about suspicious access. The most reliable way to check is a continuous monitoring service and a dark web scan to see whether the company's credentials have already been compromised.

What is the difference between a maturity assessment and a pentest?

A maturity assessment measures the level of implementation of security controls against a framework (NIST CSF, CIS Controls) and identifies process and governance gaps. A pentest is a practical technical test in which professionals simulate a real attacker to demonstrate exploitable vulnerabilities and their impact. The two are complementary: the assessment shows where controls are missing, the pentest demonstrates what an attacker can do with that absence.

Do small companies also need a security assessment?

Yes. Small and medium-sized companies are frequent targets precisely because they tend to have weaker controls than large corporations. Ransomware attacks and BEC (Business Email Compromise) fraud have a proportionally greater impact on smaller companies, which often do not survive a serious incident without a recovery plan. The cost of a preventive assessment is a fraction of the average cost of an incident.

How often should I review my company's security?

Continuous monitoring is ideal: vulnerability alerts, access logs and dark web scanning should be permanent processes. Formal maturity assessments should be performed annually or after significant changes (a new system, a merger, team expansion). Pentests should occur at least once a year for internet-exposed environments, and after any relevant infrastructure change.

What is an attack surface and why does it matter?

The attack surface is the set of all the points — systems, applications, APIs, devices, users, suppliers — through which an attacker can attempt to enter an organization. The larger and more unknown the attack surface, the greater the risk. Mapping and reducing the attack surface is the first step of any effective security program: disable what is not used, close unnecessary ports, and keep an up-to-date inventory of what is exposed.

Does MFA really make a difference to a company's security?

Yes — significantly. Studies from Microsoft and Google indicate that MFA blocks more than 99% of automated credential stuffing attacks and basic phishing. Most breaches and ransomware cases analyzed in real incidents begin with a valid credential without MFA being used by an attacker. Implementing MFA on corporate email, VPN and administration consoles is probably the highest-return, lowest-cost control available.

How do I assess the security of my suppliers and partners?

Start by mapping which suppliers have access to your systems, data or network. For each one, request evidence of minimum controls: an information security policy, MFA adoption, a patch management process and an incident history. Include security clauses and a right to audit in contracts. For critical suppliers, consider a questionnaire based on the NIST CSF or the ISO 27001 standard as a reference. Supply chain attacks are on the rise, and the legal liability for customer data exposed via third parties falls on your company.

Security for businesses

Decripte protects companies of every size — from solo founders to Enterprise.

A full platform and services: threat management, 24x7 SOC, incident response, pentest and compliance. Start free and see what has already leaked from your business.