Enterprise-grade next-generation firewall
Standard business firewall
Basic router firewall
No firewall protection

Advanced endpoint detection and response (EDR)
Standard antivirus with real-time protection
Basic antivirus software
No endpoint protection

Zero-trust network architecture
VPN with multi-factor authentication
Basic VPN access
Direct network access without VPN

Advanced threat protection with sandboxing
Standard spam filtering with attachment scanning
Basic spam filtering
No email security measures

Automated patch management with testing
Regular manual updates with schedule
Occasional updates when remembered
Rarely update software

Enterprise password manager with complex requirements
Password policy with regular changes required
Basic password requirements
No formal password policy

24/7 security operations center (SOC) monitoring
Automated monitoring with alerts
Basic logging and periodic review
No network monitoring

End-to-end encryption for all sensitive data
Encryption for data at rest and in transit
Basic encryption for some data
No data encryption

Mobile device management (MDM) with full control
Basic mobile security policies
BYOD with minimal restrictions
No mobile device security measures

Continuous vulnerability scanning
Monthly vulnerability assessments
Quarterly assessments
Annual or no assessments

Multi-factor authentication with privileged access management
VPN with two-factor authentication
Direct remote access without security

Regular training with simulated phishing tests
Annual security training sessions
Basic security guidelines provided
No formal security awareness program

Major data breach with patient data compromised
Ransomware attack or attempt
Phishing attacks targeting staff
Malware infections
Unauthorized access attempts
Minor security incidents
No known security incidents

Highly sensitive (PHI, financial, research data)
Moderately sensitive (operational, administrative)
Mixed sensitivity levels
Primarily non-sensitive data

Comprehensive vendor risk assessments with ongoing monitoring
Basic vendor security questionnaires
Minimal vendor security review
No formal vendor security assessments