| Finding | Severity | What we found | Recommended action | Status |
|---|---|---|---|---|
| **Your people** | | | | |
| Awareness training done, no simulation | Medium | Staff completed training in the last 12 months, but it has never been tested against a real-looking phishing attempt. Training without testing rarely changes behaviour. | Sophos Phish Threat: first simulation campaign | Partial |
| No clear incident reporting process | High | Staff don't know exactly who to contact if they spot something suspicious. Without a known process, small issues go unreported until they become large ones. | Define and communicate a one-line reporting path (who to email/call) | Missing |
| No written security policy | Medium | No one-page document covering passwords, file sharing, or personal device use. Staff make daily security decisions with no standard to follow. | Draft a one-page acceptable-use policy (Lumora template) | Missing |
| **Your devices** | | | | |
| Mobile devices unmanaged | High | Staff access payment dashboards on personal and corporate mobile devices with no management or remote wipe. A lost phone is an open door to customer data. | Microsoft Intune MDM: enrolment and compliance policies | Missing |
| Patch cadence not clearly owned | Medium | Updates are applied, but there is no defined two-week target or named owner. Unpatched devices are actively scanned for and exploited by attackers. | Assign patch ownership; set a 2-week SLA | Partial |
| Device inventory incomplete | Medium | No single list of every device touching company systems. Devices you don't know about can't be patched, monitored, or protected. | Build and maintain a device inventory via Intune/Entra ID | Partial |
| **Your email** | | | | |
| Microsoft Defender: Plan 1 only | Medium | Defender for O365 Plan 1 covers the basics but lacks automated investigation and attack simulation. A fintech handling payment instructions needs the stronger tier. | Upgrade to Microsoft Defender for O365 Plan 2 | Partial |
| DMARC not enforced | High | DMARC is configured but the policy is not `p=reject`. Anyone can currently send an email that appears to come from the company domain, including fake payment instructions to clients. | PowerDMARC: guided enforcement to `p=reject` | Partial |
| **Who can access what** | | | | |
| No SSO across cloud apps | Critical | Staff hold separate logins for the payment platform, accounting tools, and other SaaS apps. Every extra password is another phishing target. | Microsoft Entra ID P2: SSO + Conditional Access | Missing |
| Admin accounts not separated | High | People managing payment infrastructure use the same account for daily email and browsing. If that account is phished, the attacker gets admin-level access too. | Issue separate admin logins; no shared use with daily accounts | Partial |
| No vendor access review process | Medium | External vendors or IT providers may hold ongoing access that is never reviewed. Forgotten vendor access is an entry point nobody is watching. | Quarterly vendor/third-party access review | Missing |
| **Your data & recovery** | | | | |
| Backup recovery never tested | High | Backups run automatically, but nobody has restored from one. Untested backups routinely fail at the exact moment they are needed most. | Quarterly recovery test; document actual RPO/RTO | Partial |
| No data loss prevention | Critical | Payment data, card details, and customer financial records can leave the environment via email, Teams, or USB with no controls or alerts. Direct PCI DSS exposure. | Microsoft Purview DLP: classification and policies for payment data | Missing |
| Uncontrolled data movement | Medium | Staff can currently move company data to personal USB drives, personal cloud, or WhatsApp without restriction, a common cause of data leaks and UAE PDPL exposure. | Endpoint DLP policy for copy/paste and removable media | Missing |
| **Your security visibility** | | | | |
| No basic security monitoring | High | Nobody is watching for signs of intrusion. Attacks against businesses this size routinely go unnoticed for weeks before surfacing on their own. | Lumora essential monitoring and support package | Missing |
| No vulnerability check ever run | Medium | No independent look at where the actual weaknesses are. You can't fix a gap you've never been shown. | Annual light-touch vulnerability scan | Missing |
| No incident response plan | Critical | No written plan for the first 24 hours of a breach or fraud event. Businesses without a plan take far longer to recover and face higher costs. | One-page IR plan + walkthrough with leadership | Missing |
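The DMARC finding above turns on one detail: whether the published record actually tells receivers to reject spoofed mail. The following Python is an added example, not part of this report and not PowerDMARC's tooling; it parses a DMARC TXT record and reports whether the policy is enforced, including two cases that are easy to miss when reading the record by eye: a `pct=` value that samples only part of the mail, and an `sp=` tag that leaves subdomains unprotected. The three records it checks are constructed samples for a hypothetical `example.com`; a live check would fetch the TXT record at `_dmarc.<domain>` with a DNS resolver, which is not shown here.

```python
"""Assess a DMARC record for real enforcement (added example, not the report's own tooling)."""


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= tag")
    return tags


def effective_policy(tags: dict, subdomain: bool = False) -> str:
    """Policy a receiver applies: none, quarantine or reject.

    sp= overrides p= for subdomains; pct=0 on quarantine/reject means no
    message is ever acted on, so the effective policy is 'none'.
    """
    policy = tags["p"].lower()
    if subdomain and "sp" in tags:
        policy = tags["sp"].lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {policy!r}")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct == 0:
        return "none"
    return policy


def assess(record: str) -> dict:
    """Return the effective policies, an enforced flag, and a list of gaps."""
    tags = parse_dmarc(record)
    org = effective_policy(tags)
    sub = effective_policy(tags, subdomain=True)
    pct = int(tags.get("pct", "100"))
    findings = []
    if org != "reject":
        findings.append(f"organisational domain policy is {org}, not reject")
    if sub != "reject":
        findings.append(f"subdomain policy is {sub}, not reject")
    if org == "reject" and pct < 100:
        findings.append(f"only pct={pct} of failing mail is rejected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to confirm enforcement")
    return {
        "policy": org,
        "subdomain_policy": sub,
        "enforced": org == "reject" and sub == "reject" and pct == 100,
        "findings": findings,
    }


# Constructed sample records for a hypothetical example.com.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
PARTIAL = "v=DMARC1; p=reject; pct=10; sp=none; rua=mailto:dmarc-reports@example.com"
ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, rec in (("monitor-only", MONITOR_ONLY), ("partial", PARTIAL), ("enforced", ENFORCED)):
        result = assess(rec)
        print(f"{label}: enforced={result['enforced']}")
        for gap in result["findings"]:
            print(f"  - {gap}")
```

A record that passes `assess` with an empty findings list is the end state the "guided enforcement to `p=reject`" action is aiming for; the usual path there is `p=none` with `rua=` reporting first, then `p=quarantine`, then `p=reject`, raising `pct=` at each step once the aggregate reports show legitimate senders are aligned.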