How to Run a Cybersecurity Assessment for Your Business (Without Overpaying)

Your network is the perimeter through which most attacks enter. Assess whether your firewall is current and properly configured, whether Wi-Fi networks are segmented (guest traffic separated from internal traffic), whether remote access uses a VPN, and whether unused ports and services have been disabled. An unpatched firewall, an open RDP port, or a flat network where any device can reach any other device are high-priority findings.

What to look for: Firewall model and firmware age, guest Wi-Fi isolation, VPN policy for remote workers, port scan of internet-facing assets (tools like Shodan show what is publicly visible).

Every laptop, desktop, server, and mobile device that touches your business data is a potential attack surface. Assess whether endpoint detection and response (EDR) software is deployed on all devices, whether operating systems and applications are current on patches, and whether there is visibility into what devices are connecting to your network. "No antivirus" was acceptable 20 years ago. Today, unmanaged endpoints are the most common ransomware entry point.

What to look for: EDR coverage across all devices (not just laptops), patch management process and cadence, mobile device management (MDM) for phones and tablets used for work, device inventory — do you know every endpoint on your network?

Who can access what — and could they access more than they need? Weak access controls are behind a significant portion of data breaches, including both external attacks and insider incidents. Assess whether multi-factor authentication (MFA) is enforced for email, cloud applications, and remote access. Review whether users have least-privilege access (no one has admin rights they don't actually use). Check whether former employees' accounts have been disabled promptly.

What to look for: MFA enrollment rate, admin account count and justification, offboarding process for account termination, privileged access to sensitive systems (finance, HR, customer data), password policy and whether a password manager is in use.

Backup is your primary defense against ransomware. But many businesses discover their backup is inadequate — or nonexistent — only after an incident. Assess whether business-critical data is backed up, how frequently, where backups are stored (offsite or cloud backups isolated from production systems), and whether backups have been tested by actually restoring from them. An untested backup is not a backup — it is a hope.

What to look for: Backup frequency for critical systems (daily minimum, hourly for high-value data), offsite/cloud backup isolation from production (ransomware encrypts network-connected backups), restore testing cadence, recovery time objective (how long to restore) vs. actual business tolerance for downtime.

Phishing is responsible for the majority of successful breaches — and phishing succeeds because employees click. Assess whether your organization runs security awareness training, how recently it was conducted, and whether training is accompanied by simulated phishing tests to measure actual click rates. One-time annual training is better than nothing but falls short of what the threat environment requires.

What to look for: Training frequency and format (once-a-year compliance training vs. ongoing micro-training), phishing simulation results and trend over time, coverage of high-risk scenarios (invoice fraud, impersonation of executives, fake IT support calls), and whether employees know how and where to report suspicious activity.

When something goes wrong — and eventually something will — does your business have a documented plan for how to respond? An incident response plan (IRP) defines who makes decisions, who gets notified (including legal counsel, cyber insurer, and affected customers), how systems get isolated to prevent spread, and who handles external communications. Businesses without a plan spend the first hours of an incident figuring out who is in charge while the damage compounds.

What to look for: Written IRP that has been reviewed in the last 12 months, defined roles and contact list (including cyber insurance carrier), tested tabletop exercise — has the team practiced the plan? — regulatory notification timelines documented (some regulations require notification within 72 hours).

Your security is only as strong as the weakest link in your vendor chain. Third-party breaches — where a vendor is compromised and that compromise extends to your business — are an increasing share of total incidents. Assess what access your vendors have to your systems and data, whether your MSP or IT provider uses MFA and privileged access management, and whether vendors with access to sensitive data have completed a security review or provided a SOC 2 report.

What to look for: Vendor inventory with access levels, MSP security practices (your MSP typically has admin access to everything — their security is your security), data processing agreements (DPAs) with vendors who handle client data, and review of any third-party integrations with admin access to your cloud applications.

Many businesses have compliance obligations they are only partially aware of. Healthcare organizations handling patient data must meet HIPAA requirements. Businesses that accept credit cards fall under PCI DSS. Organizations handling European personal data must satisfy GDPR. Government contractors face CMMC. State-level requirements — like New York's SHIELD Act — apply broadly. Assess which frameworks apply to your business and where your current controls fall short.

What to look for: Industry and client contract obligations, state privacy law applicability, any data breach notification requirements you're subject to, and whether your current controls map to the relevant framework — even partially. Compliance gaps identified before an audit are correctable; gaps discovered during an audit carry penalties.

Cybersecurity assessments often stop at the digital perimeter, but physical access to systems and devices is a legitimate attack vector. A visitor who can walk into the server room, an unlocked laptop left unattended, or a USB drive left in a parking lot are physical security problems with digital consequences. Assess whether server and networking equipment is physically secured, whether clean desk and screen-lock policies are in place and enforced, and whether office access controls are appropriate for the sensitivity of the data handled.

What to look for: Physical access controls on server rooms and network closets, screen-lock auto-timeout on workstations, device encryption on laptops and mobile devices (so stolen hardware doesn't become a data breach), visitor access policies.

Cyber insurance is not a substitute for security controls — but it is the financial backstop when controls fail, and they eventually do. Assess whether you have cyber insurance, whether the coverage limits are appropriate for your revenue and data exposure, and whether you understand what is and isn't covered. Insurers increasingly require specific controls (MFA, EDR, backup isolation) as prerequisites for coverage or for claims to be honored. An unchecked gap in your controls can void a claim at the worst moment.

What to look for: Policy limits relative to breach response costs in your industry, coverage inclusions (ransomware, business interruption, regulatory defense, notification costs), insurer's security control requirements and whether you currently meet them, and whether your policy covers third-party liability if a breach affects clients.