Free · 2 Minutes · No Obligation

See Your IT Risk Score

Eight quick yes/no questions covering the areas that cause 90% of business-disrupting incidents we see. Answer honestly and you’ll get an immediate score plus where you’re most exposed.

Question 1 of 8

1. Is all your critical business data backed up daily AND tested for restoration?

2. Is multi-factor authentication (MFA) enabled on email, admin accounts, and remote access?

3. Are operating systems and software patches applied within 30 days of release?

4. Do all endpoints (laptops, desktops, servers) have modern endpoint protection?

5. Do you have a written incident response plan and know who to call at 2am?

6. Is there email security beyond what your provider gives you out of the box (anti-phishing, link rewriting)?

7. Is your network segmented so that a compromised laptop can’t reach the file server, accounting system, and backups?

8. Have employees received any security awareness training in the last 12 months?


Why an IT Risk Score matters

The businesses that get hit by a serious cyber incident almost never see it coming. Ransomware, wire fraud, prolonged outages — the pattern behind all of them is the same handful of missing controls: no tested backup, no MFA on the accounts that matter, patches that lag, endpoints running whatever antivirus came with the machine. When those gaps line up, an incident that would have been contained becomes one that costs weeks of recovery and six figures in disruption.

Most owners can’t answer the question “how exposed am I right now?” with any confidence. The people who could — internal IT, a general-practice consultant, the outsourced provider — usually can’t either, because they’re grading their own homework. That’s the gap this assessment closes: a short, honest read on your posture that doesn’t need anyone to sell you anything to be useful.

What the 8 questions cover

Each question maps to one of the eight controls that show up over and over in post-incident forensics for small and mid-sized businesses:

  1. Backup and recovery — not just whether backups run, but whether they’ve been tested end-to-end recently enough to matter.
  2. Multi-factor authentication — on the accounts an attacker would actually target, not just the ones that were easy to turn it on for.
  3. Patch discipline — the window between a vendor release and it being installed across your fleet.
  4. Endpoint protection — whether the laptops, desktops, and servers run something modern (EDR/MDR) or something 2015 called and wants back.
  5. Incident response — whether there’s a written plan and the person who owns it can be reached at 2 AM.
  6. Email security — whether phishing gets filtered by more than the defaults your provider gave you.
  7. Network segmentation — whether a compromised laptop can reach the file server, the accounting system, and the backups.
  8. Security awareness — whether staff have seen any training in the last year, so the humans are as defended as the wires.

How to read your score

You’ll get a score out of 24, plus a plain-English band that tells you where you sit relative to the businesses we see. High scores don’t mean “buy nothing” and low scores don’t mean “emergency” — they mean the specific controls you should look at first. You see the score immediately. If you want the question-by-question breakdown with the moves that would lift each area the fastest, you can request the detailed report at the end.

Who this is for

Owners and operators of small and mid-sized businesses who want a straight answer on where they stand. IT managers who need something to hand a skeptical CFO. Operations leaders who inherited a stack they didn’t build and aren’t sure what’s in it. If you already have a mature security program, the score will confirm that. If you don’t, it’ll tell you exactly which gap to close first.

← Back to homepage