PCG Recommended Cyber Hygiene Standards
PCG is aware of the continued increase in cyber threats to businesses and we continue to advise you, our client, about the increased risks and the need for enhanced security. With the growing economic risks, PCG recommends a minimum cyber standard that we expect each of our clients to meet. We strongly recommend that all of our prospective companies that do not currently meet these standards should expeditiously upgrade their systems, policies, and practices to bring them into compliance with these minimum standards.
The following are PCG’s Cyber Health Standards for 2023.
Policies and Procedures
- Password Policies: You must comply with PCG’s current password standards (complexity and timeframe). Your password policy must be documented and distributed to users.
- Microsoft Domain: Each client must operate a Microsoft domain (built on a server, in Microsoft Azure and/or Microsoft 365 Premium or above) with appropriate policies to enforce the password policies.
- Network Boundaries: Each client office with two or more computer users must be protected by a PCG-approved firewall. Guest devices and computers not meeting these requirements (e.g., personal cell phones, tablets) may only access a partitioned guest network.
- Remote Access: All remote access to the corporate network must be via a VPN or similar technology, or via an approved secure web portal access method such as TeamViewer, GoToMyPC or ScreenConnect. RDP (Remote Desktop Protocol) must be disabled except when needed, and then only accessed remotely over a VPN connection.
- Unsupported Computers: No computers with unsupported operating systems may be attached to, or accessible from, the corporate network. All computers on the network must be kept up to date with security patches.
- Employee-owned Computers: If you allow employee-owned computers (or other non-company owned computers) to access the client’s corporate network, there must be a PCG-approved policy in place specifying your standards for these computers, limiting their access, or both.
- Back-up: The client must subscribe to back-up services that include image back-ups of all servers and other systems storing data deemed critical to the business’s operation, including cloud or other off-site backups with a minimum of three months’ retention.
- Cyber insurance: You must maintain cyber insurance covering both the insured and third-party claims, with a limit of no less than $1,000,000.00 per occurrence.
Security Services
- Endpoint Protection: All computers on your corporate network must be protected by an antivirus agent.
- Endpoint Detection and Response “EDR”: All servers, backup appliances, and workstations of principals and privileged users must also be protected by a threat detection agent (such as SentinelOne). In this context, privileged users are those with access to financial accounts or to other confidential information, as well as any users with admin access to the IT system.
- MS 365 Multi-Factor Authentication (MFA): All users that have a Microsoft 365 email account must have MFA activated.
- Multi-Factor Authentication (MFA): All users must have MFA in place, at a minimum, for remote access to the corporate network and for key line-of-business applications for which the client password policy requires MFA.
- Email Spam Protection: All email accounts must be protected by a PCG-approved email security program to minimize spam and to help manage which sender domains are allowed or blocked.
- User Security Training: All employees who use a computer must receive yearly security training, in person or via a Teams session. These sessions can be recorded and used for all new hires.
- Security Awareness Training “SAT”: All employees will receive phishing simulations. Clients will get reports to improve employee awareness, plus access to industry-specific videos to improve your overall cyber-security education.
- Web Content and Filtering “DNS”: Each computer will have the DNS (Domain Name System) filtering agent deployed to minimize the threat from compromised web sites and to block common site categories (pornography, gambling, racist content, etc.). Each user and industry can have specific domains allowed or blocked to suit your business model and culture.
- Password Manager: Each user will be provided a password manager to bring employee password habits under control and to securely store and share passwords.
- Password Compromise Service “Dark Web”: Monitors the Internet and dark web for breached accounts and password compromises matching your email addresses.