1. Is MFA enforced on every admin and email account?

Yes No / Not sure

Multi-factor authentication is the single highest-impact control. Turn it on everywhere administrative.

2. Do all endpoints have EDR/antivirus with automatic updates?

Yes No / Not sure

Modern EDR (Windows Defender for Business, SentinelOne, CrowdStrike) is table stakes.

3. Are backups automated, offsite, and tested for restore at least quarterly?

Yes No / Not sure

A backup you haven't tested to restore is a backup you don't have.

4. Do you have a documented password policy (or a password manager mandated)?

Yes No / Not sure

Deploy 1Password / Bitwarden / Dashlane company-wide. Password policies alone don't work.

5. Is every laptop full-disk encrypted (BitLocker, FileVault)?

Yes No / Not sure

A lost laptop becomes a breach without disk encryption. Both Windows and macOS ship with it free.

6. Do you run phishing simulations or security-awareness training at least yearly?

Yes No / Not sure

Even basic free training (KnowBe4 free tier, Hoxhunt) reduces click-through on real phishing.

7. Are OS and application patches applied within 30 days of release?

Yes No / Not sure

Most ransomware exploits known vulnerabilities patched months ago. Close the window.

8. Do you have a written incident response plan (even one page)?

Yes No / Not sure

When a breach happens you don't want to be googling "what to do." Write it now.

9. Are contractor / ex-employee accounts disabled within 24 hours of offboarding?

Yes No / Not sure

Dormant accounts are a favourite attacker pivot. Automate offboarding checklists.

10. Is the Wi-Fi network segmented so guest devices can't reach internal hosts?

Yes No / Not sure

Most business routers support VLAN or guest-network separation. Turn it on.

11. Do you use SSO (Google, Microsoft 365, Okta) for the SaaS tools you can?

Yes No / Not sure

SSO means one place to disable access for departed employees, and one place to enforce MFA.

12. Do you have cyber insurance, and know what it excludes?

Yes No / Not sure

Insurance is a financial safety net, not a control. Read the exclusions before an incident.

13. Is critical data categorized and access-controlled (not everyone-can-read)?

Yes No / Not sure

Least-privilege access on anything sensitive: HR, finance, customer PII.

14. Are vendor security posture questionnaires reviewed before signing SaaS contracts?

Yes No / Not sure

Your weakest vendor is your effective security floor. Ask for SOC 2 + DPA at minimum.

15. Do you have a formal response plan for wire-fraud / BEC attempts?

Yes No / Not sure

BEC is the #1 financial cyber loss. Require out-of-band verification for any money movement.

16. Is logging enabled and retained (email, auth, file-share access) for at least 90 days?

Yes No / Not sure

Without logs you can't investigate anything. Most platforms log for free — just enable it.

17. Are shared drives organized so sensitive folders have access-controlled permissions?

Yes No / Not sure

Walk your Google Drive / OneDrive — would a new hire see things they shouldn't?

18. Do you run external vulnerability scans on your public IPs / websites quarterly?

Yes No / Not sure

Free tools like SSL Labs, SafeCadence's Security Headers Checker cover the basics.

19. Is there a process to review privileged-account usage (admin, root) monthly?

Yes No / Not sure

Rotate privileged creds + review access logs once a month; takes 20 minutes.

20. Do you have a named security owner (even if it's part-time)?

Yes No / Not sure

If security is "everyone's job" it's no-one's job. Name one person accountable.

SMB Cyber Risk Score

SMB Cyber Risk Score