SMB Cybersecurity Confidence Assessment

Q: Email Security & Phishing Protection

Most breaches start in the inbox. Filtering and scanning every message stops spam, scams and malicious attachments before they reach your team.

Q: Access Controls & Multi-Factor Authentication

Strong login rules block stolen passwords and stop over 90% of account-takeover attempts.

Q: Endpoint Detection & Response (EDR)

Seeing activity on every device lets you catch and stop attacks fast—before they spread and disrupt your operations.

Q: Vulnerability Scanning & Patch Management

Unpatched software is hacker gold. Automated scans and updates close holes before criminals can exploit them.

Q: Cloud Application & Data Security

One mis-set in SaaS or cloud can leak your data. Continuous monitoring stops misconfigurations and unauthorized access instantly.

Q: Asset Inventory & Configuration

You can’t secure what you don’t see. A live device list ensures every PC, phone and printer is up-to-date and protected.

Q: Incident Response Planning & Testing

When seconds count, a practiced playbook stops panic, cuts damage and gets you back to normal fast.

Q: Staff Training & Phishing Simulations

Your team is your first line of defense. Short drills and simulations turn employees into cyber-aware allies.

Q: Data Backup & Recovery

Lost data can shut you down. Automated backups and restore tests ensure you recover quickly and fully.

Q: Compliance & Framework Mapping

Following CIS, NIST or ISO shows you exactly which steps matter and simplifies audits or insurance reviews.

Email Security & Phishing Protection

Why it matters: Malicious attachments and links remain the top initial vector for breaches. An email gateway that filters spam, blocks malicious attachments, and enforces URL rewriting stops most phishing attempts before they ever hit your inbox.

Which best describes your organization?

We trust employees to spot every phishing email.

We have basic spam filters but no advanced scanning.

We run AI-driven email scanning with attachment sandboxing.

I am unsure, I assume our MSP or IT Provider manages our Email Security and Phishing protections

Access Controls & Multi-Factor Authentication

Why it matters: Passwords alone can be stolen or guessed, but adding a quick second check—like a code on your phone—blocks most hackers outright. Enforcing MFA everywhere stops over 90% of account-takeover attempts. It’s a small step that delivers big protection for every user in your organization.

Which best describes your controls?

No MFA or password policies in place.

MFA on some critical systems only.

MFA and strong password rules for all users.

I am unsure, I assume our MSP or IT Provider requires MFA on our most important systems

Endpoint Detection & Response (EDR)

Why it matters: EDR isn’t just a smarter antivirus—it also collects detailed activity data from every computer so your incident response team can see exactly what happened, where, and how to stop it. That means if something slips through, you have the full story at your fingertips to contain the issue quickly and get everyone back to work. For an SMB, EDR delivers both proactive protection and the insights you need to recover fast from any security event.

Which best describes your endpoint security?

Only basic antivirus installed on most devices.

EDR installed but unsure if it is actually monitored.

EDR on all devices and actively monitored 24/7.

I am unsure, I assume our MSP or IT Provider has EDR installed everywhere and is monitoring it

Vulnerability Scanning & Patch Management

Why it matters: Software updates regularly fix security holes that criminals love to exploit. Daily scans show you exactly where those gaps are, and timely patching closes them before bad actors get in. Staying up to date keeps your systems one step ahead of the simplest, most common attacks.

Which best describes your process?

No regular scans or updates.

Monthly scanning; manual patching.

Daily scans and automated patches deployed.

I am unsure, I assume our MSP or IT Provider is scanning our systems for vulnerabilities

Cloud Application & Data Security

Why it matters: Cloud services make collaboration easy—but a single misconfigured setting can expose your files to the world. Regular checks ensure your online apps and storage are locked down and any strange activity is caught right away. That peace of mind protects customer information no matter where you work.

Which best describes your cloud security?

No cloud monitoring or alerts.

Partial monitoring; gaps remain.

Full 24/7 monitoring of all cloud environments.

I am unsure, I assume our MSP or IT Provider has properly secured our Cloud services and is providing monitoring

Asset Inventory & Configuration

Why it matters: You can’t secure what you don’t know you have. A real-time list of every laptop, phone, printer, and server means nothing slips through the cracks. Having full visibility lets you enforce consistent settings and ensures every device is properly protected.

Which best describes your asset management?

No centralized asset inventory.

Inventory exists but not real-time.

Real-time discovery and config management in place.

I am unsure, I assume our MSP or IT Provider has an updated asset list

Incident Response Planning & Testing

Why it matters: When an attack happens, uncertainty costs time and money. A clear, practiced plan tells everyone exactly what to do—who to call, what steps to take, and how to recover. Regular drills build confidence so you can contain an incident quickly and get back to business.

Which best describes your IR readiness?

No documented incident response plan.

Plan exists but not regularly tested.

IR plan is documented and tested quarterly.

I am unsure, I assume our MSP or IT Provider will provide incident response assistance if needed

Staff Training & Phishing Simulations

Why it matters: Your team is your first line of defense, but without guidance even smart people can fall for a trick email. Short, engaging training and harmless phishing tests teach everyone to spot scams. That awareness dramatically cuts the chance of a breach caused by human error.

Which best describes your training program?

No formal cybersecurity training for staff.

Training offered but lacks phishing drills.

Regular training and simulated phishing campaigns conducted.

I am unsure, I assume our MSP or IT Provider is providing regular phishing testing of our employees

Data Backup & Recovery

Why it matters: Ransomware or server crashes can lock you out of critical files overnight. Automated backups plus occasional recovery tests ensure you can restore data fast, with minimal loss. For an SMB, that reliability is the difference between a brief hiccup and a business-ending disaster.

Which best describes your backup strategy?

Backups are manual and inconsistent.

Automated backups but recovery untested.

Automated backups and recovery drills performed regularly.

I am unsure, I assume our MSP or IT Provider regularly performs system backups

Compliance & Framework Mapping

Why it matters: Aligning with proven guides like CIS, NIST or ISO isn’t just red tape—it shows you exactly which safeguards matter most. Mapping your practices to a framework highlights weaknesses and steers your next improvements. Staying on track builds customer confidence and makes any audit or insurance process smoother.

Which best describes your compliance posture?

No alignment with any security framework.

Partial mapping but no formal program.

Fully aligned and reviewed quarterly.

I am unsure, I assume our MSP or IT Provider is following some security framework

SixCyber