Small Business IT & Cybersecurity Assessment

Use the free tool on this page to assess your small business security posture. You can either:

i) Fill out and submit the form to schedule a free 1-hour call to receive a comprehensive assessment for your small business with one of our cybersecurity experts;

or

ii) Use the form and guidance provided under each question to perform a self-assessment. Of course, you won’t get the benefit of our expert coaching. But you can still get some ideas regarding high-level issues that you may want to look into!

Note that this assessment is strongly linked with our free Small Business Cybersecurity Course, which contains both informational articles and Task-based articles to help guide small business owners. Most of the questions below have a corresponding article and/or Task in the course. You can find an abundance of information and a step-by-step guide to strengthening your small business security there!

Contact Name (Your Name) *

First

Last

Name of Business *

Email Address *

Phone Number (Optional)

Business Industry

How many employees does your business currently have?

Are You The Owner/Operator or Designated IT Person For This Business?

• I Am the Owner/Operator
• I Am the Designated IT Person
• I’m An Employee and I Wear Many Hats Including IT

Do employees primarily work in-office, remote, or hybrid?

• Primarily In-Office
• Primarily Remote
• Hybrid

About This Question: Each of these situations has a unique impact on securing your business.

Do You Currently Have Dedicated IT staff, an IT Service Provider, or Do You Manage IT Internally (DIY – Without Dedicated Staff)?

• We Have Dedicated IT Staff
• We Use An IT Provider
• We Manage IT Internally (Without Dedicated Staff)

Does Your Company Use Google Workspace or Microsoft 365?

• Yes, We Use Google Workspace
• Yes, We Use Microsoft 365
• No, We Don’t Use Either
• We/I still use Gmail (or another email app)
• I’m Not Sure

About This Question: Google Workspace and Microsoft 365 are the two most common productivity app suites used by businesses today.

Does Your Company Use Microsoft Active Directory or Entra ID?

• Yes, We Use Active Directory (On Premises)
• Yes, We Use Entra ID (Formerly Known As Azure Active Directory)
• No, We Don’t Use Either
• I’m Not Sure

About This Question: Active Directory (AD) and its cloud-based component, Entra ID, are great ways to help manage access and identity. However, using AD or Entra ID has a significant impact to both cybersecurity and IT management.

Do You Have a Storefront Or Customer-Facing Location With Wi-Fi?

• Yes
• No
• I’m Not Sure

About This Question: Does your business have a store or a location that your customers can visit? If so, do you also use Wi-Fi? This may or may not include guest Wi-Fi for your customers.

Do You Offer Wi-Fi For Your Guests, Customers, or Non-Employee Visitors?

• Yes
• No
• I’m Not Sure

About This Question: Guest networks are often the easiest way for a malicious actor to compromise your network.

Have You Assessed The Security of Your Wi-Fi Network?

• Yes
• No
• I’m Not Sure

About This Question: We’ve found that most small business Wi-Fi networks are not as secure as their owners think. In many cases, business owners believe their network is protected — but weak settings, outdated equipment, or default configurations leave it wide open to attack.

Does Your Business Have an IT Asset Inventory for Hardware Devices and/or Software?

• Yes, We Have a Hardware Device Inventory
• Yes, We Have a Software Inventory
• Yes, We Have Both!
• No, We Do Not Currently Have An Inventory
• I’m Not Sure

About This Question: Creating inventories for both hardware devices and software is an excellent step toward both general IT management and a strong cybersecurity posture. It doesn’t need to be complex! An excel file works great for most small businesses.

Do You Require Employees to Use Strong, Unique Passwords for Business Accounts?

• Yes
• No
• Not Sure

About This Question: Using strong, unique passwords is foundational for a strong security posture. A password manager can help!

Does Your Business Use a Password Manager?

• Yes
• No
• Not Sure

About This Question: We highly recommend using a password manager to generate and store strong, unique passwords. There are many free, or extremely low-cost, password managers out there. Our two favorites are Bitwarden and Keeper.

Do You Utilize Multi-Factor Authentication (MFA) for Business Accounts?

• Yes
• No
• Not Sure

About This Question: We recommend using MFA with an authenticator app (like Google Authenticator) wherever possible. Go one step further by requiring biometric (fingerprint) login on the authenticator app. It’s easier than it sounds!

Do You Restrict Administrative Access Across Your Devices and Apps?

• Yes
• No
• Not Sure

About This Question: Restricting administrative accounts is part of something called the Principle of Least Privilege (PoLP), also called Least Privilege Access. If this sounds complicated, no worries! We can help!

Do You Actively Perform Patch and Update Management For Your Apps and Devices?

• Yes
• No
• Not Sure

About This Question Most small businesses don’t actively manage patches and updates, leaving them open to attack. If you’re not using an RMM tool for updates and vulnerability management, your systems are likely at risk. We often find critical issues during onboarding — which is why Security Essentials™ includes fully managed patching and vulnerability management.

Do You Have Antivirus Software Installed and Configured on All Company Devices?

• Yes
• No
• Not Sure

About This Question: Antivirus (AV) is an essential first security layer for devices in your company. The best part about AV is that free versions exist for every operating system. These free AV solutions (like Micrsoft Defender Antirus) work just as well as, and sometimes better than, premium, paid versions.

Do You Use DNS-Based Security For Your Company Devices?

• Yes
• No
• Not Sure

About This Question: DNS-based security blocks web requests to known malicious sites before they can cause harm. We recommend using a lightweight DNS security agent on all company devices. It’s low effort, high benefit — and included with our Security Essentials™ bundle.

Do You Currently Use Managed Detection and Response (MDR) on Your Company Devices?

• Yes
• No
• Not Sure

About This Question: Managed Detection and Response (MDR) delivers enterprise-level protection by continuously monitoring for real-world threats like ransomware, phishing, and remote code execution. It uses advanced analytics and human expertise to stop attacks that traditional antivirus can’t catch. We recommend using MDR on all critical systems — it’s included with our Security Essentials™ bundle for complete, managed protection.

Do You Use Backups on All Computers With Critical Data?

• Yes
• No
• Not Sure

About This QuestionAbout This Question: Critical data needs to be backed up. Backups help prevent against things like ransomware, accidental deletion, and even insider threats like a newly terminated employee, from being able to destroy or encrypt your data.

Is Your Network Segmented Using a Firewall?

• Yes
• No
• Not Sure

About This Question: Using a network firewall to segment your company’s network provides a lot of security benefits and can make your internal network more efficient, too. When you use a firewall for network segmentation, it makes it much harder for malicious attackers to pivot through your network. This means that even if they gain access to one network segment, they won’t be able to get to the others. You also get a lot of additional protections that can be customized for each network segment.

Do You Backup, Defend, and Test Your Company's Website?

• Yes
• No
• Not Sure

About This Question: In most cases, a company website is pretty easy to secure. It should be backed up and hosted securely. A brief web application, or website security assessment, should be performed periodically to determine if the site is secure.

Have You Performed a Vulnerability Assessment or Penetration Test For Your Network?

• Yes
• No
• Not Sure

About This Question: We don’t recommend vulnerability assessments or penetration tests unless you’ve answered yes to (most or all of) the previous questions. However once your business has done this, a vulnerability assessment can easily identify any remaining security gaps.

Without Your Training

Do You Provide Cybersecurity Awareness Training to Your Employees?

• Yes
• No
• Not Sure

About This Question: Cybersecurity awareness training helps companies be more secure in a lot of ways. The more aware you and your employees are, the more likely you are to embrace strong security practices like using strong passwords, and the less likely you are to suffer attacks due to phishing, business email compromise, and more. We recommend that small businesses perform training annually, across the organization.

Is There Anything Else You Would Like Us To Help With?

About This Question: Let us know if there’s anything specific that you’d like us to help with, and we’ll go over it during your free assessment! For example, many small businesses aren’t happy with the Wi-Fi coverage at their locations. We can help with this or other IT or cybersecurity issues!

Scheduling Your Free Assessment? Include Any Extra Details Here!

About This Question: Let us know any other pertinent details about your business, network(s), or security posture. We’ll review it before our meeting so the more we know beforehand, the better we’ll be able to help you!

Submit and Request Your Free Assessment