15 Questions to Ask About Cybersecurity for Your Business (2026)

By Mason Reid

This article contains affiliate links. We may earn a commission at no cost to you.

A small accounting firm I know got hit with ransomware last April. They lost access to every client file for 11 days. The ransom was $45,000. The recovery costs, including IT forensics, client notification, legal consultation, and lost revenue, pushed past $120,000. They had 14 employees. No cybersecurity policy. No incident response plan. No employee training beyond “don’t click suspicious links.”

Here’s what most small business owners don’t realize: you don’t need to be a Fortune 500 company to be a target. Verizon’s 2019 Data Breach Investigations Report found that 43% of breaches involved small-business victims. The reason is simple. Small businesses hold valuable data (client records, payroll, bank access) behind weak defenses, and most attacks are opportunistic and automated: phishing kits and credential-stuffing bots don’t check your headcount before trying the door. Small businesses are the path of least resistance.

You don’t need to become a security expert. But you do need to ask the right questions, whether you’re evaluating your own security posture, hiring an IT security provider, or simply trying to understand where your risks are. These 15 questions will get you started.


Before You Assess Your Cybersecurity

Some groundwork makes the evaluation process much more productive.

  • Know what data you have and where it lives. Customer information, financial records, employee data, intellectual property. You can’t protect what you haven’t inventoried. List your data types and where they’re stored (cloud services, local servers, laptops, phones).
  • Identify your compliance requirements. Depending on your industry, you may be subject to HIPAA (healthcare), PCI DSS (payment processing), SOX (publicly traded), GDPR (EU customers), or state-level privacy laws. Compliance isn’t optional, and non-compliance carries real penalties.
  • Understand your current setup. What security tools are already in place? Antivirus? Firewall? Password manager? Multi-factor authentication? Knowing your starting point prevents you from paying for things you already have.
  • List everyone who has access to your systems. Employees, contractors, vendors, former employees who never had their access revoked. Access control gaps are one of the most common vulnerabilities.
  • Know your budget range. Cybersecurity spending for small businesses typically runs 5 to 10% of the IT budget. If you’re spending nothing, you’re behind. If you’re overspending on the wrong things, you’re also behind.

What to Mention or Send Beforehand

If you’re talking to a cybersecurity provider or IT consultant, share these details upfront:

  • Your business size (number of employees, locations, remote workers)
  • The types of data you handle (customer PII, financial data, health records)
  • Your current security tools and policies (even informal ones)
  • Any compliance requirements for your industry
  • Whether you’ve experienced a breach or security incident in the past

Foundational Security

1. Do we have multi-factor authentication enabled on all critical accounts?

Multi-factor authentication (MFA) blocks more than 99.9% of automated account-compromise attacks, according to Microsoft’s widely cited 2019 analysis. That’s not a typo. If someone steals a password (which happens constantly through phishing and data breaches), MFA prevents them from using it because they’d also need a second factor: a phone code, an authenticator app, or a physical security key. One caveat: that figure describes bulk, automated attacks such as credential stuffing. A targeted phishing page that proxies the real login (an “attacker-in-the-middle” kit) relays SMS and authenticator codes in real time, and attackers also spam push notifications until a tired user taps Approve. Only phishing-resistant methods (FIDO2 hardware keys and passkeys, which are cryptographically bound to the real site’s domain) stop that.

Every business account should have MFA enabled: email, cloud storage, banking, CRM, accounting software, and admin panels. No exceptions. SMS-based MFA (text message codes) is the weakest option because of SIM swapping and real-time phishing. Authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) are better. Hardware security keys like YubiKeys, or passkeys, are the gold standard because they cannot be phished, and they belong on admin accounts first.

2. How are passwords managed across the organization?

“We all know our passwords” is not a password policy. Neither is a shared spreadsheet with login credentials. A proper password management strategy includes: unique, strong passwords for every account (no reuse), a business-grade password manager (1Password, Bitwarden, Dashlane), a policy requiring passwords or passphrases of 16+ characters, and regular audits for compromised credentials. Follow current NIST guidance (SP 800-63B): length over complexity rules, no forced periodic rotation (rotate when compromise is suspected), and screening of new passwords against known-breached lists.

Ask: Does everyone on your team use a password manager? Have any business credentials appeared in known data breaches? (Check at haveibeenpwned.com, which can also search every address on your domain.) Are there shared accounts with passwords that “everyone just knows”? Every such shared account is an open vulnerability: nobody can be held accountable for what’s done with it, and it rarely gets rotated when someone leaves. For a deeper understanding of password security principles, a cybersecurity fundamentals book is a worthwhile investment.

3. Is our software and all our devices kept up to date?

Unpatched software is the open window that attackers walk through most often. A security update is a public announcement that a vulnerability exists. Attackers diff the patched and unpatched versions to locate the bug, write an exploit, and scan for everyone who hasn’t applied the fix yet. The window between patch release and mass exploitation keeps shrinking, sometimes to hours, and internet-facing systems (VPN appliances, firewalls, mail servers, remote-access tools) are hit first.

Ask about: automatic update policies for operating systems, browsers, firmware on network gear, and business applications. Who’s responsible for ensuring updates are applied, and how do they confirm it worked (a report, not an assumption)? Are there any systems running end-of-life software (Windows 7, Windows 10 after its October 2025 end of support, old server OS versions) that no longer receive security patches? Those systems are ticking time bombs; if one genuinely can’t be replaced, isolate it from the rest of the network.


Data Protection

4. How is sensitive data encrypted, both at rest and in transit?

Encryption at rest means data stored on drives, servers, and cloud services is unreadable without the decryption key, so a stolen laptop or a drive pulled from a server yields nothing. Encryption in transit means data moving between systems (over the internet, between servers) is protected from interception and tampering. Know what each does not do: full-disk encryption protects a powered-off or locked device, not one an attacker is already logged in to, and HTTPS protects the connection, not the server at either end.

For a small business, this means: full-disk encryption on all laptops and workstations (BitLocker for Windows, FileVault for Mac), HTTPS on your website and all internal tools, encrypted email for sensitive communications, and encryption enabled on your cloud storage (most major providers do this by default, but verify). Keep in mind that provider-managed encryption at rest protects against a stolen disk in their data center, not against someone logging in with a stolen password; for cloud data, MFA and access control do the real work. And escrow your BitLocker and FileVault recovery keys (in Entra ID/Active Directory, Apple Business Manager, or your password manager) so an encrypted drive doesn’t become an unrecoverable one.

5. What is our backup strategy, and has it been tested recently?

Backups are your last line of defense against ransomware, hardware failure, and catastrophic mistakes. The 3-2-1 rule is the standard: three copies of your data, on two different types of media, with one copy stored offsite (cloud or a different physical location).

But here’s the question most people skip: When did you last test restoring from backup? An untested backup is a hope, not a plan. Schedule quarterly restore tests. Actually pull data from your backup and confirm it’s complete, current, and functional. Ransomware attackers increasingly target backups specifically, so make sure at least one copy is offline or immutable: either physically disconnected (rotated external drives, tape) or stored with versioning and object lock so it cannot be deleted or overwritten using the same credentials that run the backup job. Check, too, that the backup job doesn’t run with the domain-admin credentials an attacker would grab first.
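What “complete, current, and functional” means in practice is a content comparison, not a directory listing. The script below is an added example, not code from the original article: at backup time it records a SHA-256 manifest of every file, and after a test restore it reports files that are missing, altered, or unexpected. The files and the “restore” are constructed in a temporary directory so it runs offline; for a real test, build the manifest from the live data when the backup job runs and point `verify_restore` at the restored copy.

```python
"""Backup restore verification with a SHA-256 manifest (added example, not from the article).

A restore test that merely lists files is not a test: this compares content
hashes and flags missing, altered and extra files.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream the file so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored directory against the manifest taken at backup time."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "altered": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def restore_ok(report: dict[str, list[str]]) -> bool:
    """Extra files are worth a look but don't fail the restore; missing/altered do."""
    return not report["missing"] and not report["altered"]


def demo() -> dict[str, list[str]]:
    """CONSTRUCTED scenario: back up three files, then a restore that lost one and damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        (live / "clients").mkdir(parents=True)
        (live / "clients" / "acme.xlsx").write_bytes(b"ledger v1")
        (live / "clients" / "globex.xlsx").write_bytes(b"ledger v2")
        (live / "policies.txt").write_text("incident response plan")
        manifest = build_manifest(live)                      # taken when the backup job runs
        shutil.copytree(live, restored)                      # stands in for the restore
        (restored / "clients" / "globex.xlsx").unlink()      # lost in the restore
        (restored / "policies.txt").write_text("")           # truncated, e.g. damaged backup set
        (restored / "stale.tmp").write_text("leftover")      # not in the manifest
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    report = demo()
    print("restore OK" if restore_ok(report) else f"restore FAILED: {report}")
```

Store the manifest somewhere the backup job cannot overwrite (it is small, and a copy in the immutable tier costs nothing); a manifest that lives beside the backup can be destroyed or rewritten along with it.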

6. Who has access to what, and how is access controlled?

The principle of least privilege means everyone has access to exactly what they need and nothing more. Your marketing intern doesn’t need access to your financial systems. Your accountant doesn’t need admin access to your website server.

Conduct an access audit. List every system, every user, and their access level. Look for: former employees or contractors who still have active accounts, shared accounts with no individual accountability, admin access given to people who don’t need it, and sensitive data accessible to roles that shouldn’t have it. Don’t forget service accounts, API keys, and shared mailboxes; they are users too. Clean up the gaps, tie deprovisioning to the HR offboarding process so access is removed the day someone leaves (not at the next review), and then set a schedule to audit access quarterly.
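The audit above is mechanical once you have two inputs: the HR roster (who should exist, with their role and status) and a user export from each system. The script below is an added example, not code from the original article, with a constructed roster and constructed exports from three made-up systems; the role names, the rule that only the “it” role may hold admin rights, and the 90-day staleness threshold are assumptions to adjust for your business. It flags the four gaps the text lists, raising anything involving an admin account to critical.

```python
"""Access audit: cross-check system account exports against the HR roster.

Added example, not from the article. All data is CONSTRUCTED.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner: Optional[str]        # employee email; None for shared/service accounts
    is_admin: bool
    last_login: Optional[date]  # None = never logged in


# Constructed HR roster: the source of truth for who should have access.
ROSTER = {
    "alice@example.com": {"role": "accountant", "status": "active"},
    "bob@example.com":   {"role": "marketing",  "status": "active"},
    "carol@example.com": {"role": "it",         "status": "active"},
    "dave@example.com":  {"role": "sales",      "status": "terminated"},
}
ADMIN_ALLOWED_ROLES = {"it"}   # assumption: only IT may hold admin rights
STALE_DAYS = 90                # assumption: no login in 90 days = disable

# Constructed exports from three systems (what you'd pull from each admin console).
ACCOUNTS = [
    Account("m365",       "alice",       "alice@example.com",       False, date(2026, 3, 9)),
    Account("m365",       "dave",        "dave@example.com",        False, date(2025, 11, 2)),
    Account("m365",       "globaladmin", "bob@example.com",         True,  date(2026, 3, 1)),
    Account("quickbooks", "office",      None,                      False, date(2026, 3, 10)),
    Account("quickbooks", "carol",       "carol@example.com",       True,  date(2025, 10, 1)),
    Account("website",    "admin",       "webdev-2024@example.com", True,  date(2024, 6, 1)),
]

SEVERITY = {"orphaned": "high", "excess-privilege": "high",
            "shared-account": "medium", "stale": "low"}


def _finding(acct: Account, kind: str, detail: str) -> dict:
    # Any high-severity gap on an admin account is the first thing to fix.
    sev = "critical" if acct.is_admin and SEVERITY[kind] == "high" else SEVERITY[kind]
    return {"system": acct.system, "username": acct.username,
            "kind": kind, "severity": sev, "detail": detail}


def audit(accounts, roster, today: date) -> list[dict]:
    """Return one finding per problem; a single account can raise several."""
    findings = []
    for acct in accounts:
        person = roster.get(acct.owner) if acct.owner else None
        if acct.owner is None:
            findings.append(_finding(acct, "shared-account",
                                     "no individual owner; actions cannot be attributed"))
        elif person is None or person["status"] != "active":
            findings.append(_finding(acct, "orphaned",
                                     f"owner {acct.owner} is not an active employee"))
        elif acct.is_admin and person["role"] not in ADMIN_ALLOWED_ROLES:
            findings.append(_finding(acct, "excess-privilege",
                                     f"admin rights held by role '{person['role']}'"))
        if acct.last_login is None or (today - acct.last_login).days > STALE_DAYS:
            findings.append(_finding(acct, "stale", f"last login {acct.last_login or 'never'}"))
    return findings


def summarize(findings) -> dict[str, int]:
    """Counts per kind: the numbers to track quarter over quarter."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    order = ["critical", "high", "medium", "low"]
    results = audit(ACCOUNTS, ROSTER, date(2026, 3, 15))
    for f in sorted(results, key=lambda f: order.index(f["severity"])):
        print(f"[{f['severity']:8}] {f['system']}/{f['username']}: {f['kind']} ({f['detail']})")
    print(summarize(results))
```

Two of the constructed findings illustrate why the audit must join against HR data rather than just look at the account list: the website admin account belongs to a contractor who was never in the roster at all, and the terminated employee’s mailbox still logs in because nobody disabled it.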


Threat Awareness and Training

7. Have employees received cybersecurity training, and how often is it updated?

Phishing remains one of the most common ways attackers get in, alongside stolen credentials and unpatched internet-facing systems. All the technical security in the world doesn’t help if someone clicks a convincing link and enters their credentials, or approves an MFA prompt they didn’t initiate. Training isn’t a one-time event. It needs to happen at hire and at least annually, with shorter refreshers quarterly.

Effective training covers: how to identify phishing emails and social engineering, safe browsing and download practices, proper handling of sensitive data, reporting procedures when something looks suspicious, and real-world examples of attacks (not just abstract concepts). Simulated phishing tests, where you send fake phishing emails to your own team and track who clicks, are one of the most effective training tools available. Measure the report rate, not just the click rate: an employee who reports a phish within minutes is the outcome you’re training for, and people who are punished for clicking stop reporting.

8. Do we have a policy for personal devices used for work (BYOD)?

If employees access business email, files, or applications from personal phones, tablets, or laptops, those devices are part of your security perimeter whether you like it or not. A BYOD (Bring Your Own Device) policy should address: required security settings (screen lock, encryption, up-to-date OS), approved apps for accessing business data, what happens to business data when an employee leaves, and remote wipe capabilities for lost or stolen devices.

Without a BYOD policy, you have no control over the devices accessing your data. And a lost personal phone with unprotected access to your business email is a breach waiting to happen.


Incident Response

9. Do we have an incident response plan, and does everyone know their role?

An incident response plan isn’t just for large enterprises. It’s a documented set of steps your team follows when something goes wrong: a data breach, a ransomware attack, a compromised account, or a suspicious intrusion. Without a plan, you’re making critical decisions under extreme stress with no playbook.

A basic plan should cover: who to contact first (internal and external, including your cyber insurer, since many policies require notification and the use of their approved forensics firms), how to contain the incident (isolate affected systems from the network, but don’t wipe or power them off before evidence is preserved; memory and logs disappear), how to assess the scope of the damage, communication protocols (who tells customers, regulators, law enforcement), and documentation requirements (for insurance, legal, and compliance). Keep a printed copy and the contact numbers somewhere that still works when your email and file server are encrypted. Review and rehearse the plan at least once a year with a tabletop exercise. A plan that sits in a drawer unread is only slightly better than no plan at all.

10. Do we have cyber insurance, and what does it actually cover?

Cyber insurance covers costs associated with data breaches, ransomware, business interruption, regulatory fines, and liability from compromised customer data. Policies vary wildly, so read the details.

Ask your insurer: What’s the coverage limit? What’s the deductible? Does it cover ransomware payments? Does it cover business interruption (lost revenue during downtime)? Does it cover regulatory fines and legal defense? Are there specific security requirements you must meet for coverage to apply? That last point is critical. Many cyber insurance policies require you to have MFA, regular backups, and employee training in place. If you don’t meet those requirements, a claim can be denied.


Vendor and Third-Party Risk

11. How do we evaluate the security of our vendors and third-party services?

Your security is only as strong as the weakest link in your supply chain. If your accounting software provider gets breached and attackers access your financial data through them, it’s your problem. If your email marketing platform leaks your customer list, the damage is to your reputation.

For every vendor that handles your data, ask: What security certifications or attestations do they hold (a SOC 2 Type II report, ISO 27001 certification)? Ask for the actual SOC 2 report under NDA rather than a logo on a website, and read the exceptions. How do they handle data encryption and access control? What is their breach notification timeline, and is it written into the contract? Do they have cyber insurance? You don’t need to audit every vendor like a Fortune 500 company would, but you should at least ask these baseline questions for any vendor touching sensitive data, and keep a list of which vendors hold which data so you know who to call when one of them is breached.

12. What security measures protect our cloud services and SaaS applications?

Most businesses rely on cloud services: Google Workspace, Microsoft 365, Salesforce, Slack, cloud storage, and dozens of SaaS tools. Each one is an access point that needs to be secured.

Ask about: SSO (Single Sign-On) to centralize authentication, so that one offboarding action removes access everywhere; MFA on every cloud service (not just email); access logging and monitoring; data loss prevention (DLP) policies; and regular reviews of connected third-party apps and integrations. That last item includes the OAuth apps users have granted access to their mailbox or files, which keep working after a password change; restrict user consent to admin-approved apps. Shadow IT, where employees sign up for cloud services without IT approval, is a growing risk. You can’t secure what you don’t know about.


Monitoring and Ongoing Improvement

13. Are we monitoring our systems for suspicious activity?

Prevention is important, but detection is essential because no prevention is 100% effective. You need to know when something unusual is happening: a login from a strange country, a massive data download at 3 a.m., or multiple failed login attempts on an admin account.

For small businesses, this doesn’t require a full security operations center. Start with: enabling audit logs on critical systems and checking how long they are retained (cloud suites often keep them for only a few months by default, so raise retention or export them), turning on the alerts your cloud suite already offers (logins from new countries, MFA disabled, new admin accounts, new mail-forwarding rules, mass downloads), monitoring network traffic for anomalies, and reviewing logs at least weekly (or using a managed detection service that does it for you).
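The three “unusual” events named above are easy to state as rules, and writing them down as code makes clear what data each one needs. The script below is an added example, not code from the original article: it runs over a dozen constructed audit-log lines in a generic `timestamp key=value` form and raises an alert for a successful login from outside a user’s known countries, for five failed logins on an admin account within ten minutes, and for more than 500 MB downloaded by one user between midnight and 06:00 UTC. The log format, the baseline countries, the admin list, and the thresholds are all assumptions; map the fields from your own export (Microsoft 365 unified audit log, Google Workspace login and Drive audit, a VPN syslog) onto them.

```python
"""Three small detections over constructed audit-log lines (added example, not from the article)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# CONSTRUCTED log lines; the last one is deliberately out of order.
LOG_LINES = """\
2026-03-10T09:01:12Z user=alice event=login result=success country=US
2026-03-10T09:15:44Z user=bob event=login result=success country=US
2026-03-10T10:02:03Z user=alice event=login result=success country=RU
2026-03-10T22:40:00Z user=admin event=login result=failure country=CN
2026-03-10T22:41:10Z user=admin event=login result=failure country=CN
2026-03-10T22:42:30Z user=admin event=login result=failure country=CN
2026-03-10T22:43:05Z user=admin event=login result=failure country=CN
2026-03-10T22:44:51Z user=admin event=login result=failure country=CN
2026-03-11T03:05:00Z user=bob event=download bytes=300000000
2026-03-11T03:20:00Z user=bob event=download bytes=350000000
2026-03-11T14:00:00Z user=alice event=download bytes=900000000
2026-03-11T09:30:00Z user=carol event=login result=failure country=US
"""

# Assumed baseline: countries each user normally logs in from (build from 30 days of history).
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "admin": {"US"}}
ADMIN_USERS = {"admin"}
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)
OFF_HOURS = range(0, 6)                 # 00:00-05:59 UTC
BULK_BYTES = 500 * 1024 * 1024


def parse(lines: str) -> list[dict]:
    """Parse 'timestamp key=value ...' lines and sort by time; exports are not always ordered."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        ev = dict(kv.split("=", 1) for kv in kvs)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list[dict]) -> list[dict]:
    alerts = []
    failures = defaultdict(deque)   # admin user -> timestamps of recent failed logins
    offhours = defaultdict(int)     # (user, day) -> bytes downloaded during off-hours
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "login" and ev["result"] == "success":
            if ev["country"] not in BASELINE_COUNTRIES.get(user, set()):
                alerts.append({"kind": "new-country-login", "user": user,
                               "at": ts, "country": ev["country"]})
        elif ev["event"] == "login" and user in ADMIN_USERS:      # a failed admin login
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:        # drop failures outside the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                alerts.append({"kind": "admin-bruteforce", "user": user,
                               "at": ts, "failures": len(window)})
                window.clear()                                    # one alert per burst
        elif ev["event"] == "download" and ts.hour in OFF_HOURS:
            key = (user, ts.date())
            before = offhours[key]
            offhours[key] += int(ev["bytes"])
            if before <= BULK_BYTES < offhours[key]:              # fire once, when the threshold is crossed
                alerts.append({"kind": "offhours-bulk-download", "user": user,
                               "at": ts, "bytes": offhours[key]})
    return alerts


def run(lines: str = LOG_LINES) -> list[dict]:
    return detect(parse(lines))


if __name__ == "__main__":
    for a in run():
        print(a["at"].isoformat(), a["kind"], a)
```

The 900 MB download at 14:00 raises nothing because the rule is about off-hours activity; a daytime bulk download is worth its own rule with a higher threshold, and the baseline countries should be rebuilt from history rather than typed in, or every traveling employee becomes an alert.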

14. When was our last security assessment, and what did it find?

A security assessment identifies weaknesses before attackers do. The terms get used loosely, so know the difference: a vulnerability scan is an automated tool run against your systems that reports known issues (unpatched software, default credentials, open ports); a penetration test is a person actively trying to break in, chaining those issues together the way an attacker would. Even a basic scan can reveal unpatched software, misconfigured firewalls, weak passwords, and unnecessary open ports; a penetration test tells you what they add up to.

For small businesses, an annual vulnerability scan is a reasonable starting point. More mature organizations should do quarterly scans and annual penetration tests. Ask who performed the last assessment, what they found, and whether the issues were resolved. If the answer is “we’ve never had one,” that’s your first action item.

15. What is our plan for staying current with evolving threats?

Cybersecurity isn’t a project with a finish line. It’s an ongoing practice. Threats evolve constantly. New vulnerabilities are discovered daily. Attack techniques that didn’t exist last year are common this year.

Someone in your organization (or your IT provider) should be responsible for: tracking emerging threats relevant to your industry (CISA’s advisories and Known Exploited Vulnerabilities catalog are a free starting point), updating security tools and configurations, reviewing and updating policies annually, and staying current with regulatory changes. If nobody owns this responsibility, nothing happens until something breaks.


Typical Cost Range and Factors

Here’s what cybersecurity typically costs for small to mid-sized businesses in 2026:

Basic security tools (DIY): $50 to $200/month. Includes antivirus/endpoint protection, password manager, basic firewall, and cloud backup. Suitable for businesses under 10 employees with minimal compliance requirements.

Managed security services (outsourced): $500 to $3,000/month. Includes 24/7 monitoring, incident response, vulnerability scanning, managed firewall, and regular reporting. Fits businesses with 10 to 100 employees who need professional oversight.

Full security program (in-house + tools): $3,000 to $10,000+/month. Includes dedicated security staff or fractional CISO, advanced threat detection, compliance management, regular assessments, and employee training. For businesses with significant compliance requirements or high-value data.

One-time costs:

  • Security assessment/penetration test: $2,000 to $15,000+
  • Incident response retainer: $2,000 to $10,000/year
  • Employee training program: $500 to $5,000/year
  • Cyber insurance: $1,000 to $7,500/year for small businesses

What drives costs:

  • Business size (employees, locations, devices)
  • Data sensitivity (PII, financial, healthcare)
  • Compliance requirements (HIPAA, PCI DSS, SOX)
  • Industry (financial services and healthcare cost more)
  • Current maturity (starting from scratch costs more initially)

Red Flags vs. Green Flags

  • Red flag: no MFA on any business accounts. Green flag: MFA enabled on all critical systems, preferably with hardware keys for admin accounts.
  • Red flag: passwords shared in spreadsheets or sticky notes. Green flag: business-grade password manager deployed across the organization.
  • Red flag: no one knows when systems were last updated. Green flag: automatic updates enabled with a documented patch management policy.
  • Red flag: no backup strategy, or backups exist but have never been tested. Green flag: 3-2-1 backup strategy with quarterly restore testing.
  • Red flag: former employees still have active accounts. Green flag: access reviewed quarterly with immediate deprovisioning at offboarding.
  • Red flag: no employee security training beyond “be careful with email.” Green flag: annual training with simulated phishing tests and quarterly refreshers.
  • Red flag: no incident response plan. Green flag: documented plan reviewed annually and practiced through tabletop exercises.
  • Red flag: no cyber insurance. Green flag: active cyber insurance policy with understood coverage and requirements.

Money-Saving Tips

  • Start with the free or low-cost basics. MFA is free on most platforms. Built-in encryption (BitLocker, FileVault) is free. Strong password policies cost nothing. These three steps alone close off the most common attack paths: stolen passwords, reused credentials, and lost laptops.
  • Use built-in security features before buying add-ons. Microsoft 365 and Google Workspace include significant security features (MFA, DLP, audit logs) that many businesses aren’t using. Enable what you already have before buying more tools.
  • Prioritize by risk, not by fear. Spend money where your actual risks are highest. If you handle payment data, PCI compliance is more urgent than advanced threat hunting. Match your spending to your threat profile.
  • Invest in training over tools. A $500/year training program that stops employees from clicking phishing links prevents more breaches than a $5,000/year security tool that nobody configures properly.
  • Bundle services from one provider. A managed security provider offering monitoring, backup, and vulnerability scanning together is usually cheaper than buying each service separately.
  • Apply for cyber insurance early. Premiums are lower when you can demonstrate existing security measures, and insurers increasingly won’t write a policy at all without MFA and tested backups. Coverage has to be in place before an incident; nobody will insure a breach that has already happened.

Glossary

Multi-Factor Authentication (MFA): A security method requiring two or more forms of verification to access an account. Typically combines something you know (password) with something you have (phone, security key) or something you are (fingerprint, face recognition). Blocks the vast majority of automated account-compromise attempts (Microsoft’s widely cited figure is over 99.9%), though SMS and app codes can still be phished in real time; hardware keys and passkeys cannot.

Phishing: A social engineering attack where criminals send fake emails, texts, or messages designed to trick recipients into revealing credentials, clicking malicious links, or downloading malware. Phishing is the number one initial attack vector in data breaches.

Ransomware: Malware that encrypts your files and demands payment (ransom) for the decryption key. Most current groups also steal the data before encrypting it and threaten to publish it, so a good backup alone no longer makes the extortion go away. Attacks typically begin with phishing, stolen remote-access credentials, or unpatched internet-facing systems. Ransom demands range from five figures for small businesses to millions for large enterprises.

Zero-Day Vulnerability: A software flaw that is unknown to the vendor and has no patch available. “Zero-day” means the vendor has had zero days to fix it. These are the most dangerous vulnerabilities because they can be exploited before any defense exists.

SOC 2 (Service Organization Control 2): An auditing standard from the AICPA under which an independent auditor reports on a service provider’s controls for security and, optionally, availability, processing integrity, confidentiality, and privacy. It is an attestation report, not a certification: a Type I report covers control design at a point in time, while a Type II report covers whether the controls actually operated over a period (typically 6 to 12 months). Ask vendors for the Type II report and read the exceptions.

Endpoint Protection: Security software installed on individual devices (laptops, phones, tablets) to detect and prevent malware, unauthorized access, and other threats. Modern endpoint protection goes beyond traditional antivirus to include behavioral analysis, threat intelligence, and automated response.


Helpful Tools and Resources

  • YubiKey Security Key: The strongest form of MFA available. A physical key that plugs into USB or taps via NFC. Because the key signs a challenge tied to the real site’s domain, it virtually eliminates phishing on accounts that support it. Start with admin accounts and work outward.
  • Cybersecurity for Small Business Guide: You don’t need to become a security expert, but understanding the basics helps you make informed decisions and ask better questions of your IT providers.
  • Webcam Privacy Cover: A simple sliding cover for your laptop camera. Costs a few dollars and removes the risk of visual eavesdropping through a compromised camera. Physical security you can see and control.

  • Have I Been Pwned: Free tool to check if your email addresses or passwords have appeared in known data breaches. Run your business email addresses through it today.
  • CISA Cybersecurity Resources: The Cybersecurity and Infrastructure Security Agency provides free guides, assessments, and best practices tailored for small and medium businesses.
  • NIST Cybersecurity Framework: The most widely used framework for building a cybersecurity program. Version 2.0 (2024) is organized around six functions: Govern, Identify, Protect, Detect, Respond, Recover. Free and scalable to any business size.

Quick Reference Checklist

Use this to assess your cybersecurity posture:

  • Is MFA enabled on all critical accounts?
  • Does everyone use a password manager with strong, unique passwords?
  • Are all systems and software kept up to date?
  • Is sensitive data encrypted at rest and in transit?
  • Do we have a tested 3-2-1 backup strategy?
  • Is access controlled by the principle of least privilege?
  • Have employees completed cybersecurity training recently?
  • Do we have a BYOD policy for personal devices?
  • Is there a documented incident response plan?
  • Do we have cyber insurance with understood coverage?
  • Have we evaluated vendor and third-party security?
  • Are our cloud services properly secured?
  • Are we monitoring systems for suspicious activity?
  • When was the last security assessment?
  • Who is responsible for staying current with evolving threats?

Frequently Asked Questions

How much should a small business spend on cybersecurity?

A common benchmark is 5 to 10% of your total IT budget. For a small business spending $50,000/year on technology, that’s $2,500 to $5,000 annually on security. But the right amount depends on your risk profile. Businesses handling sensitive data (healthcare, financial, legal) should invest more. The most cost-effective first steps (MFA, password management, training) are also the cheapest.

What’s the single most important thing I can do to improve security?

Enable multi-factor authentication on every business account that supports it. It’s free, takes minutes per account, and blocks the vast majority of automated attacks. If you do nothing else from this entire article, do this one thing. Today.

Do I need a dedicated IT security person?

Most businesses under 50 employees don’t need a full-time security hire. A managed security service provider (MSSP) or a fractional CISO (a security expert you hire part-time) provides expertise without the full-time salary. Above 50 employees with complex systems, a dedicated security role becomes more justifiable.

How do I know if we’ve been breached?

Warning signs include: unexpected password reset emails or MFA prompts you didn’t trigger, unfamiliar login locations in your account activity, mail-forwarding rules you didn’t create, unusually slow systems or network, employees receiving phishing emails that reference internal information, and unexpected charges on business accounts. If you suspect a breach, isolate affected systems from the network (unplug the cable, disable Wi-Fi) but don’t power them off or reinstall them yet, because memory and logs are evidence. From a known-clean device, change passwords and revoke active sessions for affected accounts, then contact your IT provider, your cyber insurer, and a cybersecurity incident response firm.

Is cybersecurity training really effective, or is it just a checkbox?

When done well, it’s highly effective. Vendors that run ongoing simulated phishing programs commonly report click rates falling from around 30% to under 5% within a year. The key is frequency (not just once a year), relevance (using realistic scenarios from your industry), and accountability (not punishment, but making sure people understand the stakes and report what they see).

Written By Mason Reid

Founder of AskChecklist. After years of hiring contractors, making big purchases, and navigating major life decisions, Mason started documenting the questions he wished someone had told him to ask.