Cybersecurity Checklist for Small Businesses (2026 Edition)

Cordula — CyberSecureGuard


You don’t need to be a cybersecurity expert to run a secure business — but you do need to know the right questions. If you can’t answer these ten, your company may be more exposed than you think.

Q 01

Do you know exactly what data you collect, where it lives, and who can access it?

Many businesses collect far more data than they realise — customer records, payment details, employee files, supplier contracts — scattered across cloud drives, laptops, email inboxes, and third-party tools. Without a clear data inventory, you cannot protect what you don’t know you have.

What you need: A data map. Even a simple spreadsheet that lists data categories, storage locations, and who has access rights is a meaningful starting point.


If you cannot answer this question confidently, you also cannot comply with GDPR. Data you don’t track is data you cannot protect — or delete when required.

Q 02

When did you last test your data backups?

Almost every business has backups. Far fewer have ever actually restored from one. A backup that has never been tested is not a backup — it is an assumption. Ransomware attackers count on exactly this gap.

Best practice: Follow the 3-2-1 rule. Keep three copies of your data, on two different storage types, with one copy stored offsite or in an isolated cloud environment. And run a restore drill at least once per quarter.


Recovery time matters as much as recovery success. Do you know how long it would take to get your systems back online after a ransomware incident?
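As an added illustration (not part of the original post), the following Python script scores a backup inventory against the 3-2-1 rule and the quarterly restore drill described above. The inventory format, dataset names and dates are constructed for the example; the 90-day threshold stands in for "at least once per quarter".

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

RESTORE_DRILL_MAX_DAYS = 90   # "at least once per quarter"
AS_OF = date(2026, 3, 1)      # constructed audit date

@dataclass(frozen=True)
class BackupCopy:
    dataset: str
    storage: str                        # medium type, e.g. "local-disk", "nas", "cloud"
    offsite: bool                       # stored offsite or in an isolated cloud environment
    last_restore_test: Optional[date]   # None = this copy was never restored from

def check_321(copies, today):
    """Return findings for one dataset's copies (empty list = compliant)."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need 3)")
    if len({c.storage for c in copies}) < 2:
        findings.append("all copies on one storage type (need 2)")
    if not any(c.offsite for c in copies):
        findings.append("no offsite/isolated copy")
    tested = [c.last_restore_test for c in copies if c.last_restore_test]
    if not tested:
        findings.append("never restore-tested")
    elif (today - max(tested)).days > RESTORE_DRILL_MAX_DAYS:
        findings.append(f"last restore test {(today - max(tested)).days} days ago")
    return findings

def audit(inventory, today):
    """Group copies by dataset and return {dataset: findings}."""
    by_dataset = {}
    for c in inventory:
        by_dataset.setdefault(c.dataset, []).append(c)
    return {name: check_321(cs, today) for name, cs in by_dataset.items()}

# Constructed sample inventory: one well-kept dataset, one that only looks backed up.
SAMPLE = [
    BackupCopy("crm", "local-disk", False, date(2026, 1, 10)),
    BackupCopy("crm", "nas", False, date(2026, 1, 10)),
    BackupCopy("crm", "cloud", True, date(2025, 9, 1)),
    BackupCopy("payroll", "local-disk", False, None),
    BackupCopy("payroll", "local-disk", False, None),
]

def run_sample():
    return audit(SAMPLE, AS_OF)

if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(name, "OK" if not findings else "; ".join(findings))
```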

Q 03

Is Multi-Factor Authentication (MFA) enabled across all critical systems?

Compromised passwords are the single most common entry point for attackers. MFA adds a second verification step — a one-time code, an authenticator app, a hardware token — that makes stolen credentials alone nearly useless.

Where to enforce it immediately: Email accounts, VPNs, cloud storage, accounting software, your CMS, and any admin panel. If a system holds sensitive data or controls business operations, MFA is non-negotiable.

A single employee account without MFA is often all an attacker needs.

Q 04

What would you actually do in the first hour of a cyberattack?

Most businesses have no written incident response plan. When an attack occurs — and it’s a matter of when, not if — the cost of confusion in the first hour is enormous. Who gets called? Who has authority to shut systems down? Which regulator must be notified, and within what timeframe?

Your plan should define: roles and responsibilities, a clear escalation path, communication templates for customers and regulators, and a prioritised list of systems to isolate or protect first.


Under GDPR, a personal data breach must be reported to the relevant supervisory authority within 72 hours of discovery. If you don’t have a plan, you will almost certainly miss this window.

Q 05

Have your employees received cybersecurity awareness training in the last 12 months?

Over 80% of successful breaches involve a human element — a clicked phishing link, a weak password chosen for convenience, a USB stick plugged in without a second thought. Technology can only take you so far. Your people are either your strongest defence or your most exploited vulnerability.

Effective training covers: how to recognise phishing and social engineering, password hygiene, safe use of public Wi-Fi, what to do when something looks suspicious, and the specific risks relevant to your industry (e-commerce, fintech, healthcare).


Simulated phishing campaigns — where you send fake phishing emails to your own team — are one of the most cost-effective training tools available. Failure rates often surprise even well-informed managers.

Q 06

Do your employees follow the principle of least privilege?

Every user in your organisation should have access to exactly what they need to do their job — and nothing more. When accounts are over-privileged, a single compromised login can give an attacker keys to your entire infrastructure.

In practice: Review access rights regularly, especially when employees change roles or leave the company. Revoke permissions on the day of departure, not weeks later. Admin rights should be reserved for those who genuinely require them.

The principle of least privilege is one of the most impactful controls you can implement, and it costs almost nothing.
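As an added example (not code from the original post), this Python script performs the kind of access review the section calls for: it compares an account export against an HR roster and a per-role baseline, and flags accounts that are still enabled after departure, hold rights beyond their role, or match no employee at all. All names, roles and the baseline policy are constructed assumptions.

```python
from datetime import date

TODAY = date(2026, 3, 1)   # constructed review date

# Constructed HR roster: role and departure date (None = still employed).
HR_ROSTER = {
    "alice": {"role": "accounting", "left": None},
    "bob":   {"role": "sales",      "left": date(2026, 2, 14)},
    "carol": {"role": "it-admin",   "left": None},
    "dave":  {"role": "sales",      "left": None},   # moved from IT recently
}

# Assumed baseline of what each role genuinely needs (not from the post).
ROLE_BASELINE = {
    "accounting": {"accounting-app", "email"},
    "sales":      {"crm", "email"},
    "it-admin":   {"email", "admin-panel", "vpn"},
}

# Constructed account export: user -> (enabled?, set of entitlements).
ACCOUNTS = {
    "alice": (True, {"accounting-app", "email"}),
    "bob":   (True, {"crm", "email"}),
    "carol": (True, {"email", "admin-panel", "vpn"}),
    "dave":  (True, {"crm", "email", "admin-panel"}),
    "ghost": (True, {"vpn"}),
}

def review_access(roster, baseline, accounts, today):
    """Return {user: [findings]} for accounts that break least privilege."""
    findings = {}
    for user, (enabled, rights) in accounts.items():
        issues = []
        person = roster.get(user)
        if person is None:
            issues.append("no matching employee (orphaned account)")
        else:
            if person["left"] and enabled:
                days = (today - person["left"]).days
                issues.append(f"still enabled {days} days after departure")
            excess = rights - baseline.get(person["role"], set())
            if excess:
                issues.append("beyond role baseline: " + ", ".join(sorted(excess)))
        if issues:
            findings[user] = issues
    return findings

def run_sample():
    return review_access(HR_ROSTER, ROLE_BASELINE, ACCOUNTS, TODAY)
```

Run the review on every role change and on each departure day, not on a fixed calendar; the "days after departure" figure makes the delay visible to whoever owns offboarding.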

Q 07

How rigorously do you vet the cybersecurity practices of your vendors and suppliers?

Your security posture is only as strong as the weakest link in your supply chain. Third-party vendors — payment processors, logistics partners, SaaS platforms, IT providers — often have access to your systems or data. Their breach becomes your breach.

What to ask your vendors: Do they hold relevant certifications (ISO 27001, SOC 2)? How do they handle data encryption? What is their own incident response process? Do they undergo regular penetration testing?


Supply chain attacks — where attackers compromise a trusted vendor to reach their actual target — have grown significantly in recent years. Don’t assume that a well-known brand means a well-secured system.

Q 08

Are all your systems, software, and devices kept up to date with security patches?

Unpatched software is one of the most consistently exploited attack vectors. When a vulnerability is disclosed and a patch is released, attackers move fast — often within hours — to target organisations that haven’t yet applied the fix.

This includes: operating systems, web browsers, server software, CMS platforms (WordPress, Shopify plugins), mobile devices, and network equipment such as routers and firewalls. "It still works fine" is not a reason to delay a security patch.


Where possible, enable automatic updates for critical systems. For larger environments, implement a patch management policy that defines maximum acceptable windows between patch release and deployment.

Q 09

Do you have cyber liability insurance, and do you understand what it actually covers?

Cyber insurance has become an essential risk management tool for businesses of all sizes. But policies vary significantly — and many business owners discover gaps in their coverage only after an incident. Does your policy cover ransomware payments? Business interruption losses? Regulatory fines? PR and crisis communication costs?

Before you sign: Understand the exclusions. Many insurers now require proof of certain controls — MFA, encrypted backups, staff training — as a condition of coverage. Failing to maintain these can void a claim.

Insurance does not replace a security programme. It is a financial safety net for residual risk, not a substitute for controls.

Q 10

When did you last conduct a formal cybersecurity risk assessment?

A risk assessment is the foundation of any meaningful security programme. It identifies your most valuable assets, the threats most relevant to your business, existing vulnerabilities, and the controls needed to reduce your exposure to an acceptable level.

A structured assessment answers: What could go wrong? How likely is it? What would the impact be? What are we doing about it today, and is that enough? It transforms cybersecurity from a vague concern into a set of prioritised, actionable decisions.


For mid-sized businesses, a risk assessment need not be a months-long project. A focused engagement with an experienced consultant can produce clear, actionable findings in a matter of days — and the clarity it provides is invaluable.

How Did You Score?

Count the questions you could answer confidently and completely.

9 – 10 correct: Strong foundation. Focus on continuous improvement and regular reassessment.
6 – 8 correct: Good awareness with clear gaps. Prioritise the areas you couldn’t answer and close them systematically.
3 – 5 correct: Significant exposure. Start with MFA, backups, and an incident response plan — these have the highest immediate impact.
0 – 2 correct: Your business is at serious risk. A structured security assessment should be your next immediate step.

Not Sure Where to Start?

A professional cybersecurity assessment will give you a clear picture of your exposure and a prioritised roadmap to address it.
