
Cyber Risk Assessment

10 questions. Find out exactly where your business is exposed to ransomware, data breaches, and IT failures — before an attacker finds it first.

1. Is multi-factor authentication (MFA) required for all employees to log in to email and business applications?

2. What endpoint protection does your business use on employee computers?

3. How often are operating systems and software updated on employee devices?

4. What email security does your business have in place?

5. When did someone last test whether your backups can actually be restored?

6. Does your business use a password manager for all employees?

7. Does your business have a documented incident response plan for a ransomware attack or data breach?

8. How does your business handle employee departures — are accounts and access immediately revoked?

9. Have your employees received any security awareness training or phishing simulation in the past 12 months?

10. Has your business had a formal security review, vulnerability scan, or IT audit in the past 2 years?

🛡️
Low Risk

Your Security Posture Is Strong

Based on your answers, your business has the core security controls in place. MFA, endpoint protection, tested backups, and basic employee training put you ahead of most small businesses. The remaining risk is in the gaps — make sure your controls are actually working, not just technically deployed.

What to focus on next:

  • Schedule an annual third-party security assessment to find what internal reviews miss
  • Test your incident response plan with a tabletop exercise
  • Review user access quarterly — least privilege erodes over time

⚠️
Moderate Risk

Some Controls Are in Place — But There Are Gaps

You have a partial security foundation, but key gaps leave your business exposed. Attackers don't need to find every weakness — just one. The gaps in your current setup (likely patching cadence, backup testing, or MFA coverage) are the specific things that show up in incident reports.

What to address first:

  • Enforce MFA on all users — not just some
  • Run a backup restore test and document the result
  • Ensure patch management is automated, not manual
  • Run a phishing simulation to baseline your employee risk

🚩
High Risk

Significant Vulnerabilities Identified

Your security posture has multiple serious gaps. The combination of missing controls in your answers represents the exact profile that ransomware operators and phishing campaigns target. This isn't a matter of if — it's a matter of when, and how bad. The good news: the most important controls are fixable within 30 days with the right IT support.

Immediate priorities:

  • Today: Enable MFA on email and Microsoft 365 / Google Workspace for all users
  • This week: Verify backups are running and schedule a test restore
  • This month: Deploy EDR on all endpoints; document an incident response plan
  • Next 30 days: Run a phishing simulation; audit who has access to what

Your business needs help closing these gaps — the sooner the better.

🔴
Critical Risk

Your Business Is Highly Exposed

Your answers indicate your business is operating without the fundamental security controls that protect against today's most common attacks. No MFA, no tested backups, no EDR, no incident plan — this is the exact profile that shows up in ransomware incident reports. This isn't alarmism: 60% of small businesses that experience a serious breach close within 6 months. You need to act now, before something forces the issue.

Do these today — no IT person required:

  • Go to your Microsoft 365 or Google Workspace admin center and enable MFA for all users right now
  • Check whether your files are backed up to an offsite location (not just the same computer)
  • Write down the 3 phone numbers you'd call if your computers were locked by ransomware tomorrow
  • Then get a real IT provider involved — this week, not next quarter

Your business needs IT help — now, not next quarter.
