Small Business Cybersecurity Assessment

Use the free tool on this page to assess your small business security posture. You can either:

i) Fill out and submit the form to schedule a free 1-hour assessment for your small business with one of our cybersecurity experts;

or

ii) Simply use the form and guidance provided under each question to perform a self-assessment. Of course, you won’t get the benefit of our expert coaching. But you can still get some ideas regarding the high-level things that you may want to look into!

Note that this assessment is strongly linked with our free Small Business Cybersecurity Course, which contains both informational articles and Task-based articles to help guide small business owners. Most of the questions below have a corresponding article and/or Task in the course. You can find an abundance of information and a step-by-step guide to strengthening your small business security there!

About This Question: Google Workspace and Microsoft 365 are the two most common productivity app suites used by businesses today.
About This Question: Active Directory (AD) and its cloud-based component, Entra ID, are great ways to help manage access and identity. However, using AD or Entra ID has a significant impact on both cybersecurity and IT management. If you don’t know the answer to this question, you probably don’t use it!
About This Question: Does your business have a store or a location that your customers can visit? If so, do you also use Wi-Fi? This may or may not include guest Wi-Fi for your customers.
About This Question: We’ve found that the majority of small business Wi-Fi setups are poorly secured, if at all. In many cases, small business owners think that they are secure while in reality almost anyone can connect directly to the network, listen to the traffic across it, and attack it. A short assessment is typically all we need to determine if your Wi-Fi is set up securely and make appropriate recommendations.
About This Question: Creating inventories for both hardware devices and software is an excellent step toward both general IT management and a strong cybersecurity posture. It doesn’t need to be complex! An Excel file works great for most small businesses.
About This Question: Using strong, unique passwords is foundational for a strong security posture. A password manager can help!
About This Question: We highly recommend using a password manager to generate and store strong, unique passwords. There are lots of free, or extremely cheap, password managers out there. Our two favorites are Bitwarden and Keeper.
About This Question: We recommend using MFA with an authenticator app (like Google Authenticator) wherever possible. Go one step further by requiring biometric (fingerprint) login on the authenticator app. It’s easier than it sounds!
About This Question: Restricting administrative accounts is part of something called the Principle of Least Privilege (PoLP), also called Least Privilege Access. If this sounds complicated, no worries! We can help!
About This Question: Most small businesses don’t perform active patch and update management, leaving them open to a wide variety of attacks. Chances are that if you (or someone at your organization) aren’t using a Remote Monitoring and Management (RMM) tool to perform patch, update, and vulnerability management, then you’re probably already vulnerable. We find significant, often critical vulnerabilities when onboarding the majority of our clients. We include fully managed-for-you vulnerability, patch, and update management with a Security Essentials subscription!
About This Question: Antivirus (AV) is an essential first security layer for devices in your company. The best part about AV is that free versions exist for every operating system. These free AV solutions (like Microsoft Defender Antivirus) work just as well as, and sometimes better than, premium, paid versions.
About This Question: DNS-based security works by detecting web requests to known malicious domains and IP addresses. We recommend using a dedicated, lightweight DNS-based security agent across all company devices. Although there is some cost and a bit of IT management, the benefit is extremely high. We include fully managed-for-you DNS security with our Security Essentials service bundle!
About This Question: Managed Detection and Response, or MDR, provides true enterprise-grade security across the devices at your organization. It detects and protects against attacks by skilled malicious actors, including remote code execution (RCE), phishing and ransomware. It can detect obfuscated or custom malware, which antivirus (AV) is typically powerless against. We recommend that small businesses use it – ideally everywhere – but at minimum, on all operations-critical machines. And we include fully managed MDR along with our Security Essentials bundle.
About This Question: Critical data needs to be backed up. Backups help prevent things like ransomware, accidental deletion, and even insider threats, such as a newly terminated employee, from destroying or encrypting your data.
About This Question: Using a network firewall to segment your company’s network provides a lot of security benefits and can make your internal network more efficient, too. When you use a firewall for network segmentation, it makes it much harder for malicious attackers to pivot through your network. This means that even if they gain access to one network segment, they won’t be able to get to the others. You also get a lot of additional protections that can be customized for each network segment.
About This Question: In most cases, a company website is pretty easy to secure. It should be backed up and hosted securely. A brief web application, or website security assessment, should be performed periodically to determine if the site is secure.
About This Question: We don’t recommend vulnerability assessments or penetration tests unless you’ve answered yes to (most or all of) the previous questions. However, once your business has done this, a vulnerability assessment can easily identify any remaining security gaps.
About This Question: Cybersecurity awareness training helps companies be more secure in a lot of ways. The more aware you and your employees are, the more likely you are to embrace strong security practices like using strong passwords, and the less likely you are to suffer attacks due to phishing, business email compromise, and more. We recommend that small businesses perform training annually, across the organization.
About This Question: Let us know if there’s anything specific that you’d like us to help with, and we’ll go over it during your free assessment! For example, many small businesses aren’t happy with the Wi-Fi coverage at their locations. We can help with this or other IT or cybersecurity issues!
About This Question: Let us know any other pertinent details about your business, network(s), or security posture. We’ll review it before our meeting so the more we know beforehand, the better we’ll be able to help you!