
Free audit program · v1.0.0

Small Business Cyber Posture

A practical 30-question check for SMBs without a dedicated security team.

  • Target area: Small Business Cyber Posture
  • Framework
  • 29 controls in this program
  • Author: Cyentrix (Trusted Author)

About this program

Practical, no-jargon questions for businesses without a CISO. Score yourself across the controls that actually matter. After each answer, expand the “Auditor’s view” for how to test the control, what evidence to collect, and the ideal answer.

Controls (29)

  1. Is multi-factor authentication (MFA / 2-step verification) turned on for email and key business apps?

    Medium

    How to test + evidence

    Risk: Most SMB account compromises start with a password-only login. Enforcing MFA for every user, on email first and then on every app that holds money or customer data, is the single highest-impact control. MFA being available is not the same as MFA being enforced, and legacy/basic authentication protocols (IMAP, POP, SMTP AUTH) never show an MFA prompt at all unless they are blocked.

    Testing procedure: Sign in as a test user from a fresh browser session, so a remembered device cannot suppress the prompt, and confirm the MFA challenge fires. In the admin console, check that MFA is enforced by policy (Conditional Access or security defaults in Microsoft 365, 2-Step Verification enforcement in Google Workspace) for all users including admins, and that legacy authentication is blocked. Repeat for accounting and the other key apps.

    Evidence to collect:
      • MFA enforcement policy in the Microsoft 365 / Google Workspace admin console
      • Sample sign-in record showing the MFA challenge
      • List of apps requiring MFA
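    The sign-in review above can be done over an exported log rather than one test user at a time. The following is an added example, not part of the original audit program or any vendor's tooling: it walks a sample of sign-in records, flags successful logins that carried no MFA, and separates out legacy-protocol logins because the fix for those is blocking legacy authentication rather than enabling MFA. The record fields (`user`, `app`, `result`, `mfa`, `protocol`) and the rows themselves are constructed for the example and do not match any real export format.

```python
"""Added example, not part of the original audit program: scan a sample of
sign-in records and flag successful logins that were not protected by MFA.

The record shape is an assumption, loosely modelled on the fields a
Microsoft 365 / Google Workspace sign-in export contains (user, app, result,
whether an MFA challenge was satisfied, and the client protocol). The rows
below are constructed for the example.
"""
from collections import defaultdict

# Constructed sample; the field names are assumed, not a real export format.
SIGN_INS = [
    {"user": "alice@example.com", "app": "Exchange Online", "result": "success",
     "mfa": True, "protocol": "modern"},
    {"user": "bob@example.com", "app": "Exchange Online", "result": "success",
     "mfa": False, "protocol": "modern"},       # MFA not enforced for bob
    {"user": "carol@example.com", "app": "Exchange Online", "result": "success",
     "mfa": False, "protocol": "legacy"},       # IMAP/SMTP basic auth: no MFA prompt at all
    {"user": "dave@example.com", "app": "Accounting", "result": "failure",
     "mfa": False, "protocol": "modern"},       # failed login: not an MFA gap
    {"user": "alice@example.com", "app": "Accounting", "result": "success",
     "mfa": True, "protocol": "modern"},
]


def mfa_gaps(records):
    """Return {user: [finding, ...]} for successful sign-ins without MFA.

    Legacy-protocol sign-ins are labelled separately because the fix for
    those is blocking legacy authentication, not enabling MFA.
    """
    gaps = defaultdict(list)
    for r in records:
        if r["result"] != "success" or r["mfa"]:
            continue  # failed logins and MFA-protected sessions are fine
        kind = "legacy auth (bypasses MFA)" if r["protocol"] == "legacy" else "no MFA"
        gaps[r["user"]].append(f"{r['app']}: {kind}")
    return dict(gaps)


def mfa_coverage(records):
    """Fraction of successful sign-ins that satisfied an MFA challenge."""
    ok = [r for r in records if r["result"] == "success"]
    return sum(1 for r in ok if r["mfa"]) / len(ok) if ok else 0.0


if __name__ == "__main__":
    for user, findings in mfa_gaps(SIGN_INS).items():
        print(f"{user}: {'; '.join(findings)}")
    print(f"MFA coverage of successful sign-ins: {mfa_coverage(SIGN_INS):.0%}")
```

    On the constructed rows this reports bob (no MFA on a modern-auth login) and carol (a legacy-protocol login that no MFA policy would have challenged), and 50% coverage of successful sign-ins. Against a real export, any non-empty result is a finding for this control; a legacy-auth finding is fixed by the block-legacy-auth policy, not by turning MFA on for that user.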

  2. Does the team use a password manager (1Password, Bitwarden, etc.)?

    Medium

    How to test + evidence

    Risk: Reused passwords are a leading SMB compromise vector: one breached consumer site hands an attacker the work password too. A managed password manager makes unique, long passwords the path of least resistance.

    Testing procedure: Check the password manager admin console: compare licensed seats to headcount and look at last-active dates. Sample 5 users and confirm their vaults are actually in use (item count, recent activity) rather than merely provisioned.

    Evidence to collect:
      • Password manager subscription with seat count
      • Active user report
      • Policy requiring password manager use

  3. Are shared accounts (info@, admin@) avoided where possible?

    Medium

    How to test + evidence

    Risk: Shared accounts have no audit trail: you cannot tell who did what, and the password rarely changes when someone leaves. Modern email supports shared mailboxes and delegated access without sharing a password, so direct sign-in to the shared identity can be blocked altogether.

    Testing procedure: List all shared/group accounts in the IdP and email tenant. For each, identify the accountable owner and how access is controlled: delegation to named users (good) or a shared password (poor). Where a shared mailbox exists, confirm direct sign-in to it is disabled.

    Evidence to collect:
      • Shared account inventory
      • Owner per shared account
      • Access control method (delegation vs shared password)

  4. When someone leaves, are their accounts disabled the same day?

    Medium

    How to test + evidence

    Risk: A leaver who still has access weeks later is one of the most common SMB gaps, and a disgruntled leaver knows exactly where the valuable data is. Same-day disabling closes it. Note that disabling the IdP account does not end sessions and tokens already issued, and apps that are not behind single sign-on need their own offboarding step.

    Testing procedure: Sample 10 leavers from HR. For each, compare the termination date to the account-disabled timestamp in the IdP, check that active sessions were revoked, and check any key apps that are not federated to the IdP (accounting, banking, shared drives).

    Evidence to collect:
      • HR leaver list
      • IdP account-disabled timestamps
      • Offboarding checklist covering the IdP, non-SSO apps and shared credentials
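    The date comparison in the testing procedure is mechanical and worth scripting so the whole leaver list can be checked, not just a sample. The following is an added example, not part of the original audit program: it joins a constructed HR leaver export to a constructed IdP disabled-date export, computes the lag per leaver, and treats a leaver with no disable record at all (the account is still enabled) as the worst case rather than silently skipping them. The column names are an assumption.

```python
"""Added example, not part of the original audit program: compare an HR
leaver list with IdP account-disabled timestamps and report the lag for each
leaver. Both inputs are constructed CSV text and the column names are an
assumption; a real test would export the equivalent columns from HR and the
identity provider.
"""
import csv
from datetime import date
from io import StringIO

# Constructed HR export: who left and when (assumed column names).
HR_LEAVERS = """user,termination_date
alice@example.com,2024-03-01
bob@example.com,2024-03-05
carol@example.com,2024-03-08
dave@example.com,2024-03-12
"""

# Constructed IdP export: when each account was disabled (assumed column
# names). dave has no row, meaning the account is still enabled.
IDP_DISABLED = """user,disabled_date
alice@example.com,2024-03-01
bob@example.com,2024-03-19
carol@example.com,2024-03-08
"""


def _rows(csv_text):
    return list(csv.DictReader(StringIO(csv_text)))


def offboarding_lag(hr_csv, idp_csv):
    """Return {user: days between termination and disable}; None = never disabled."""
    disabled = {r["user"]: date.fromisoformat(r["disabled_date"]) for r in _rows(idp_csv)}
    lag = {}
    for r in _rows(hr_csv):
        left = date.fromisoformat(r["termination_date"])
        when = disabled.get(r["user"])
        lag[r["user"]] = None if when is None else (when - left).days
    return lag


def failures(lag, max_days=0):
    """Leavers whose account stayed enabled past the bar (same day = 0 days)."""
    return sorted(u for u, d in lag.items() if d is None or d > max_days)


if __name__ == "__main__":
    lag = offboarding_lag(HR_LEAVERS, IDP_DISABLED)
    for user, days in lag.items():
        status = "still enabled" if days is None else f"disabled after {days} day(s)"
        print(f"{user}: {status}")
    print("Failed the same-day bar:", ", ".join(failures(lag)) or "none")
```

    On the constructed data bob (14 days) and dave (never disabled) fail the same-day bar. Run the same join once per system that is not behind single sign-on, because the IdP export says nothing about those.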

  5. Are regular staff prevented from installing software on their work computers?

    Medium

    How to test + evidence

    Risk: A user running with local admin rights lets anything that runs in their session disable endpoint protection, install persistence and spread to other machines. Removing it adds significant friction to attacks and blocks most drive-by installs outright.

    Testing procedure: Sample 5 endpoints. Check whether the day-to-day user account is a member of the local Administrators group (Windows) or the admin group (macOS). Confirm IT has a separate admin account or just-in-time elevation rather than everyone keeping admin "just in case".

    Evidence to collect:
      • Endpoint admin policy
      • Sample of local admin group memberships
      • JIT elevation tooling, if used

  6. Do all work computers have antivirus / endpoint protection?

    Medium

    How to test + evidence

    Risk: Modern EDR catches behaviours that legacy signature-based AV misses. Defender for Business is sufficient for most SMBs. An agent that is installed but has stopped reporting is not coverage.

    Testing procedure: Inspect the EDR/AV coverage report. Confirm every active endpoint in the asset inventory has the agent installed and has reported in recently (within the last 7 days is a reasonable bar), and that no machines are excluded by policy.

    Evidence to collect:
      • EDR / AV coverage report
      • Asset inventory cross-check
      • Sample of recent alerts

  7. Do work computers and phones get OS / app security updates promptly?

    Medium

    How to test + evidence

    Risk: Most malware exploits vulnerabilities for which a patch already exists. Auto-updates close the window between patch release and installation.

    Testing procedure: Inspect the MDM patch compliance report. Sample 5 devices for OS, browser and key app versions against the current releases. Check that updates are automatic rather than left to the user, and that devices that have not checked in for weeks are chased or retired.

    Evidence to collect:
      • MDM patch compliance dashboard
      • Sample device version reports
      • Patch policy document

  8. Is full-disk encryption (BitLocker / FileVault) on for laptops?

    Medium

    How to test + evidence

    Risk: Lost and stolen laptops are the most common physical incident for an SMB. Full-disk encryption turns a lost laptop from a data breach into a hardware replacement, but only if the recovery key is escrowed (in the MDM or directory) so that a forgotten PIN or a failed disk does not lock the business out of its own data.

    Testing procedure: Pull the encryption status report from the MDM or domain. Sample 5 laptops and verify both that encryption is on and that a recovery key is escrowed for each.

    Evidence to collect:
      • Encryption status report
      • Recovery key escrow location
      • Lost-laptop procedure

  9. Are screen locks with strong passwords / passcodes / biometrics enforced?

    Medium

    How to test + evidence

    Risk: An unattended unlocked screen is unauthorised access for anyone who walks past. Auto-lock at 5 minutes with a strong passcode or biometric is the bar.

    Testing procedure: Inspect the MDM auto-lock policy. Verify the timeout (typically 5 minutes) and the passcode complexity requirement, then confirm on a sample device that the policy is actually applied and cannot be switched off by the user.

    Evidence to collect:
      • MDM screen-lock policy
      • Compliance report
      • Sample device showing the policy applied

  10. Is your office Wi-Fi secured (WPA2/WPA3, separate guest network)?

    Medium

    How to test + evidence

    Risk: Open or weak Wi-Fi gives any nearby attacker local-network access. Guest isolation stops visitor laptops (and whatever is running on them) from reaching internal resources. A single pre-shared key known to every current and former employee is only as secret as the last person who left.

    Testing procedure: Inspect the Wi-Fi controller config. Verify WPA3 (or WPA2-AES at minimum; never WEP or TKIP, and with WPS disabled) and a guest network on an isolated VLAN with client isolation. From the guest network, try to reach an internal resource; it should fail. Check when the pre-shared key was last rotated, or whether staff Wi-Fi uses per-user credentials (WPA-Enterprise / 802.1X).

    Evidence to collect:
      • Wi-Fi controller config export
      • Guest VLAN configuration
      • Pre-shared key rotation policy (or 802.1X configuration)

  11. Are spam and phishing filters on (Microsoft 365 / Google Workspace built-in or a paid filter)?

    Medium

    How to test + evidence

    Risk: The default spam filter stops bulk junk. Premium anti-phishing tiers (Defender for Office 365, Google Workspace's enhanced protections, or a third-party filter) catch impersonation and post-delivery threats the default tier misses.

    Testing procedure: Inspect the email security tooling configuration. Verify Safe Attachments and Safe Links (or the equivalent attachment sandboxing and URL rewriting) are enabled for all users, and that impersonation protection covers the executives and finance staff most often spoofed.

    Evidence to collect:
      • Email security policy export
      • Sample quarantined emails
      • Anti-phishing policy with impersonation protection

  12. Are emails from outside your company marked with a clear external sender warning?

    Medium

    How to test + evidence

    Risk: A low-effort mail-flow rule that makes a spoofed "internal" message easier to spot, with a measurable reduction in clicks. It is a visual aid, not an authentication control, so it complements the anti-spoofing records in item 13 rather than replacing them.

    Testing procedure: Send a test email from an external address. Confirm the banner is visible and distinct on desktop and mobile, and that genuinely internal mail does not carry it; a banner on everything is a banner staff learn to ignore.

    Evidence to collect:
      • Mail flow rule / transport rule config
      • Screenshot of a received email with the banner

  13. Has someone configured SPF / DKIM / DMARC for your email domain (anti-spoofing)?

    Medium

    How to test + evidence

    Risk: Without DMARC at p=reject, anyone can send mail "from" your domain and it will be delivered. The fix is DNS-only, but get to p=reject in stages: publish SPF and DKIM for every legitimate sending service (mail platform, CRM, invoicing, newsletter tool), start DMARC at p=none with aggregate reporting, fix what the reports show, then move to quarantine and finally reject. Jumping straight to reject with an incomplete SPF record blocks your own invoices.

    Testing procedure: Run DNS lookups for the domain's TXT record, the DKIM selector records of each sending service, and _dmarc.<domain>. Verify SPF ends in -all (or ~all) and stays within the 10-lookup limit, DKIM is published for each sender, and DMARC is at p=reject with pct=100 and an rua= reporting address.

    Evidence to collect:
      • DNS records (mxtoolbox / dig output)
      • DMARC aggregate report (dmarcian / Postmark)
      • List of authorised sending services
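    The checks in the testing procedure (fail qualifier, lookup limit, p=reject, pct, subdomain policy, reporting address) are easy to misread by eye in a long record. The following is an added example, not part of the original audit program or of any DNS tool: it parses SPF and DMARC TXT strings and returns the list of findings against the bar above. The record strings are constructed; a live run would fetch the TXT records for the domain and for `_dmarc.<domain>` with `dig` or a DNS library and pass the strings to `grade()`. DKIM is not checked here because it needs the selector name of each sending service, which only the DNS lookup for that selector can confirm.

```python
"""Added example, not part of the original audit program: parse SPF and DMARC
TXT records and grade them against the bar in this control (SPF with a fail
qualifier and within the lookup limit, DMARC at p=reject with aggregate
reporting). The records below are constructed. A live check would fetch the
TXT records for the domain and for _dmarc.<domain> with dig or a DNS library
and pass the strings to grade().
"""
import re

# Constructed records for the example.
SPF_GOOD = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"
SPF_WEAK = "v=spf1 include:_spf.google.com +all"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_PARTIAL = "v=DMARC1; p=reject; pct=50; sp=none"

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return {'all': qualifier, 'lookups': n}, or None if not an SPF record."""
    if not record.lower().startswith("v=spf1"):
        return None
    result = {"all": None, "lookups": 0}
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
        body = term.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name == "all":
            result["all"] = qualifier
        elif name in LOOKUP_TERMS:
            result["lookups"] += 1
    return result


def parse_dmarc(record):
    """Return the DMARC tags as a dict, or None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def grade(spf_record, dmarc_record):
    """Return a list of findings; an empty list means the control passes."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no v=spf1 record")
    else:
        if spf["all"] in (None, "+"):
            findings.append("SPF: no fail qualifier (ends in +all or has no 'all' term)")
        if spf["lookups"] > 10:
            findings.append(f"SPF: {spf['lookups']} DNS lookups exceeds the limit of 10 (permerror)")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("DMARC: no v=DMARC1 record")
    else:
        if dmarc.get("p") != "reject":
            findings.append(f"DMARC: policy is p={dmarc.get('p', 'missing')}, the bar is p=reject")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail")
        if dmarc.get("sp") not in (None, "reject"):
            findings.append(f"DMARC: subdomain policy sp={dmarc['sp']} leaves subdomains spoofable")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so nobody receives aggregate reports")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in [("good", SPF_GOOD, DMARC_GOOD), ("weak", SPF_WEAK, DMARC_NONE)]:
        print(label, "->", grade(spf, dmarc) or ["pass"])
```

    The lookup count here is a conservative upper bound: it counts the lookup-costing terms in the top-level record only, whereas the real limit also includes the terms inside every `include:` target, so a record that already scores close to 10 here is almost certainly over the limit once those are resolved.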

  14. Do you use modern browsers and keep them updated?

    Medium

    How to test + evidence

    Risk: Browser vendors patch in-the-wild vulnerabilities within days. An out-of-date browser is exploit-ready for anyone who can get the user to open a page.

    Testing procedure: Check the browser version on sample endpoints against the current stable release. Verify auto-update is enabled and not blocked by policy, and that browsers are restarted so the updates actually apply.

    Evidence to collect:
      • MDM browser inventory
      • Auto-update policy
      • Sample device version

  15. Do you block known-malicious websites at the network or DNS level (1.1.1.1 for Families, NextDNS, etc.)?

    Medium

    How to test + evidence

    Risk: DNS filtering is one of the cheapest broad-spectrum defences: it cuts off malware downloads, phishing pages and command-and-control callbacks at the name lookup. For hybrid teams, off-network coverage (an agent or device-level DNS setting) matters more than the office firewall.

    Testing procedure: From an on-network device and from an off-network laptop, attempt to resolve a known test domain the filter should block (e.g. internetbadguys.com, the OpenDNS / Cisco Umbrella test domain). Both should be blocked. Also check that devices cannot simply switch to another resolver or to DNS-over-HTTPS to bypass the filter.

    Evidence to collect:
      • DNS filter / firewall config
      • Test result showing the block
      • Coverage for off-network devices

  16. Are important business files (cloud + local) backed up?

    Medium

    How to test + evidence

    Risk: Local backups die with the building, and a backup that the admin's everyday credentials can reach dies with the ransomware. The bar is off-site or cloud, with at least one copy a compromised account cannot alter or delete (offline, immutable, or separately authenticated), and tested. Cloud suites (Microsoft 365, Google Workspace) retain deleted items only for a limited time; that is not a backup.

    Testing procedure: Inspect backup job logs and the last restore test. Verify off-site / cloud retention, what is in scope (cloud mailboxes and drives as well as file servers and laptops), and how the backup copy is protected from deletion.

    Evidence to collect:
      • Backup job log
      • Off-site / cloud retention policy
      • Last restore test report

  17. When did you last actually restore something from backup to test it works?

    Medium

    How to test + evidence

    Risk: Untested backups are faith. Quarterly tests catch tooling regressions, expired credentials and scope gaps before an incident does.

    Testing procedure: Inspect the last restore test report. It should name what was restored, from which backup, how long it took and whether the data was usable; a green dashboard is not a test.

    Evidence to collect:
      • Restore test report with date, scope and outcome

  18. Is sensitive data shared via secure tools (e.g. Drive/SharePoint with proper permissions) rather than emailed around?

    Medium

    How to test + evidence

    Risk: Email attachments scatter copies of sensitive data across mailboxes you cannot recall or revoke. A link to controlled storage keeps one source of truth and keeps the access controls attached to it.

    Testing procedure: Sample the sent items of 10 mailboxes. Count instances of sensitive attachments versus links to controlled storage.

    Evidence to collect:
      • Mailbox sample analysis
      • DLP rules flagging sensitive attachments
      • Sharing policy

  19. When you share files externally (e.g. with clients), are links restricted (expire, password, specific people)?

    Medium

    How to test + evidence

    Risk: "Anyone with the link" sharing leaks: the link gets forwarded, indexed, or sits in a mailbox that is later compromised. Recipient-specific or password-protected links with an expiry keep control.

    Testing procedure: Inspect the tenant's sharing settings and the default link type. Sample recently shared files and verify each external link is restricted to specific people, or at least expires and is password-protected.

    Evidence to collect:
      • External sharing policy
      • Sample shared link report
      • Default sharing permission

  20. Are paper documents with sensitive info (HR, finance, customer) physically secured and shredded when no longer needed?

    Medium

    How to test + evidence

    Risk: Paper does not go away just because most things are digital. HR and finance still produce paper that needs handling, and it walks out in the recycling if nobody owns its disposal.

    Testing procedure: Walk the office. Check for unattended sensitive paper on desks and printers. Inspect the shredding service contract or the shredder itself.

    Evidence to collect:
      • Locked storage for sensitive paper
      • Shredding service contract / cross-cut shredder
      • Document retention policy

  21. Do you check the security practices of vendors handling your data (basic questions, certifications)?

    Medium

    How to test + evidence

    Risk: Vendors process your data, so their security is your security. Even basic questions catch the worst offenders. A SOC 2 or ISO 27001 report is only useful if someone reads its scope and exceptions rather than filing it.

    Testing procedure: Inspect the vendor list and the security documentation collected per vendor. For the vendors holding the most sensitive data, check that someone reviewed the report and can say what it covers.

    Evidence to collect:
      • Vendor register
      • Security questionnaires and responses
      • SOC 2 / ISO 27001 reports for critical vendors

  22. Do you require a phone-call verification before paying a new bank account or changing supplier payment details?

    Medium

    How to test + evidence

    Risk: Business email compromise (BEC) is the highest-loss scam for SMBs. The callback rule consistently saves the money, provided the call goes to a number already on file for the supplier and never to the number in the email requesting the change.

    Testing procedure: Inspect the AP procedure. Sample 10 payment-detail changes; verify each has documented out-of-band verification to a previously known contact, completed before the first payment went out.

    Evidence to collect:
      • Payment-change verification procedure
      • Sample of completed verifications
      • Training record for the finance team

  23. Are invoice / payment fraud awareness habits in place for whoever handles money?

    Medium

    How to test + evidence

    Risk: Finance staff are targeted directly with urgent, plausible requests. Their awareness plus a callback habit is the difference between a saved $50k and a lost one.

    Testing procedure: Interview AP / finance staff. Test scenario knowledge ("what would you do if the CEO emailed urgently asking for a same-day payment?").

    Evidence to collect:
      • Finance team training records
      • BEC scenario tabletop
      • Examples of caught attempts

  24. Do you have cyber insurance?

    Medium

    How to test + evidence

    Risk: Insurance funds the response when prevention fails. Coverage gaps and missed required controls (the MFA, backup and EDR attestations on the application form) void payouts when they are needed most, so the controls in this program are also what keeps the policy valid.

    Testing procedure: Inspect the cyber insurance policy. Verify coverage for ransomware, BEC / funds-transfer fraud and business interruption, the sub-limits for each, and that every control attested to on the application is actually in place.

    Evidence to collect:
      • Insurance policy schedule
      • Sub-limits per category
      • Required controls per insurer

  25. Is there one person clearly responsible for "cyber" in your business (even if it’s not their full job)?

    Medium

    How to test + evidence

    Risk: Without an owner nothing improves. Even a part-time owner produces measurable improvement, because someone is now accountable for chasing the items in this list.

    Testing procedure: Ask "who owns cyber here?" of several staff separately. They should all give the same name, and that person should agree.

    Evidence to collect:
      • Job description with cyber duties
      • Time allocation for cyber tasks
      • Reporting line to leadership

  26. Has the team had any cyber awareness training in the last year?

    Medium

    How to test + evidence

    Risk: Phishing simulations move the needle on real click rates. Training alone is a checkbox; training combined with simulations and follow-up for clickers is a control.

    Testing procedure: Pull training completion and simulated-phishing reports for the last 12 months. Look at the trend in click and report rates, not a single pass mark.

    Evidence to collect:
      • Training completion report
      • Phishing simulation results
      • Remedial training for clickers

  27. Do staff know what to do if they get a suspicious email or click something they shouldn’t have?

    Medium

    How to test + evidence

    Risk: Speed to report determines containment: a click reported in five minutes is a password reset, one hidden for a week is an incident. A culture where staff hide mistakes is the worst case, so the message has to be "tell us, you will not be in trouble".

    Testing procedure: Ask 5 random staff: "If you click a suspicious link by accident, who do you tell first?" Everyone should name the same channel without hesitating.

    Evidence to collect:
      • Reporting channel with an SLA
      • Communication / poster making it visible
      • Sample of recent reports and their outcome

  28. For remote work, is access via secure channels (VPN, ZTNA, or modern SaaS with MFA) — not RDP exposed to the internet?

    Medium

    How to test + evidence

    Risk: Internet-exposed RDP is one of the most common ransomware initial-access vectors: attackers scan for it continuously and then brute-force it or buy stolen credentials. A VPN or ZTNA service with MFA is the modern alternative, and the VPN appliance itself then needs prompt patching and MFA.

    Testing procedure: Run an external port scan of every public IP the business uses (office, branch, ISP-assigned and cloud). Verify no RDP (3389), SMB (445) or other management port (SSH, VNC, WinRM, database ports, firewall admin interfaces) is publicly exposed. Check the firewall rule set for port-forwards that were added "temporarily".

    Evidence to collect:
      • External scan result (Censys / Shodan / nmap)
      • Remote access architecture (VPN / ZTNA) with MFA
      • Firewall rule set showing no inbound 3389/445 or management ports
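    An external scan produces a lot of output, and the auditor's job is to pull out the handful of ports that fail this control. The following is an added example, not part of the original audit program or of nmap: it reads nmap's grepable output (`nmap -oG`) and lists open ports that match a risky-port table. The scan text is constructed against RFC 5737 documentation addresses, not a real scan, and the port table is an assumption that covers the services this control names (RDP, SMB) plus the common admin interfaces a practitioner would also flag. A real run would be something like `nmap -Pn -p- -oG scan.gnmap <public IPs>` from outside the office network, with the file passed to `exposures()`.

```python
"""Added example, not part of the original audit program: read nmap
"grepable" output (nmap -oG) for the business's public IP range and flag
exposed remote-access and management ports. The scan output below is
constructed against RFC 5737 documentation addresses.
"""

# Ports whose public exposure fails this control. The table is an assumption
# covering the services the control names (RDP, SMB) plus common admin ports.
RISKY_PORTS = {
    3389: "RDP", 445: "SMB", 139: "NetBIOS", 22: "SSH", 23: "Telnet",
    5900: "VNC", 5985: "WinRM", 5986: "WinRM (TLS)", 1433: "MSSQL",
    3306: "MySQL", 21: "FTP",
}

# Constructed nmap -oG output (documentation IPs, not a real scan). The
# Ports field is a comma-separated list of port/state/proto/owner/service/rpc/version.
SAMPLE_GNMAP = """# Nmap scan initiated: nmap -Pn -p- -oG - 203.0.113.0/29
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65533)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 22/filtered/tcp//ssh///, 445/open/tcp//microsoft-ds///
Host: 203.0.113.12 ()\tPorts: 80/open/tcp//http///
# Nmap done
"""


def open_ports(gnmap_text):
    """Return {host: [(port, service), ...]} for TCP ports nmap reports as open."""
    result = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments, and the "Status: Up" line that carries no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            if state == "open" and proto == "tcp":
                result.setdefault(host, []).append((int(port), service))
    return result


def exposures(gnmap_text, risky=RISKY_PORTS):
    """Return [(host, port, label)] for open ports that fail the control."""
    found = []
    for host, ports in open_ports(gnmap_text).items():
        for port, _service in ports:
            if port in risky:
                found.append((host, port, risky[port]))
    return found


if __name__ == "__main__":
    for host, port, label in exposures(SAMPLE_GNMAP):
        print(f"FAIL {host} tcp/{port} ({label}) is reachable from the internet")
```

    On the constructed scan this flags RDP on 203.0.113.10 and SMB on 203.0.113.11; the filtered SSH port on .11 is not reported because only open ports count. A clean result from one scan is not the whole evidence: the scan has to cover every public address the business actually has, which is the part most often missed.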

  29. If you got hacked tomorrow, do you have a basic plan: who calls who, what’s your IT/IR contact, who tells customers?

    Medium

    How to test + evidence

    Risk: A one-page plan beats a 50-page binder nobody reads. The first 30 minutes of an incident are when good decisions matter most, and that is exactly when nobody can find the insurer's hotline number because it lives in the mailbox that is down.

    Testing procedure: Ask the owner: "Walk me through what happens in the first hour of a major cyber incident." The answer should name who is called, in what order, and where the contact details are kept.

    Evidence to collect:
      • One-page incident plan
      • IR contact and insurance broker / insurer hotline numbers, stored somewhere reachable when email is down
      • Communication template for customers