How exposed is your business, really?

1. Is multi-factor authentication (MFA) enabled on all accounts — email, cloud tools, line-of-business applications, and remote access?

MFA blocks over 99% of automated account takeover attempts. If any critical system is missing it, that system is the weakest link.

2. Are your backups tested and verified at least once per quarter — not just scheduled, but actually confirmed to restore?

Unverified backups are not backups. The only thing that matters is whether a restore actually works when you need it.

3. Is endpoint protection (antivirus, EDR, or equivalent) installed and actively monitored on every employee device, including personal devices used for work?

Unmanaged devices are the most common entry point for ransomware. "It's their personal laptop" is not a security boundary.

4. Have all employees completed security awareness training in the past 12 months that covered phishing, social engineering, and safe credential practices?

The majority of successful breaches start with a human action, not a technical failure. Training reduces that surface area significantly.

5. Are former employee accounts (email, cloud tools, VPN, building systems) disabled within 24 hours of departure?

Inactive accounts with valid credentials are a persistent and often-overlooked risk. This is a process gap as much as a technical one.

6. Do you have a documented, tested plan for what your business does in the first 24 hours of a ransomware attack or significant data breach?

Incident response under pressure is harder than it looks. Businesses without a plan lose significantly more time and money when an incident occurs.

7. Are third-party and vendor access points (remote support tools, MSP access, contractor accounts) reviewed and limited to the minimum necessary?

Vendor access is one of the most common vectors for supply chain attacks. Most businesses never audit it after the initial setup.