Regis Cyber · No download required · no passwords · no scans
Free self-check

Small Business Cyber Self-Check

A plain-English 12-question self-check for small businesses that do not have a full-time IT or security person. You can read it here in your browser — no attachment or PDF download required.

No password collection: do not send passwords, screenshots, client files, or private details.
No scanning: nothing is tested, attacked, verified, or run on your systems.
HTTPS website: this page is hosted on regiscyber.com, not a file-sharing link.
Optional PDF: the PDF is just a printable copy if you prefer paper.

Honest framing

This is not a security audit. Nothing is tested, scanned, attacked, or verified by a third party. You answer questions about how your business runs: accounts, backups, passwords, admin access, devices, email, vendors, and what happens in the first hour if something goes wrong.

Best way to use it: do it once, alone, in one sitting. Then do it again two weeks later with whoever else helps run the business. The questions that make you pause are usually the ones worth fixing first.

The 12-question self-check

01. MFA is on for every important account

Check email admin accounts, banking/payment accounts, domain registrar, website hosting, social accounts, cloud storage, password manager, and accounting/bookkeeping tools.

Good sign: every owner/admin account uses app-based MFA or a security key.

02. Admin accounts are separate from daily-use accounts

Check whether people use admin accounts for normal email and browsing, whether old admin users exist, and whether more than one trusted person can recover the business if the owner is unavailable.

Good sign: admin access is limited, named, and reviewed.

03. Passwords are in a real password manager

No shared passwords in spreadsheets, text files, email threads, or chat apps. Each person has their own login where possible.

Good sign: every critical account has a unique password.

04. Backups exist and have been tested

Know what gets backed up, where it backs up to, who gets alerts if backup fails, and when the last restore test happened.

Good sign: someone has restored a file from backup in the last 90 days.

05. Devices are patched

Check Windows/macOS, browsers, Microsoft Office/Adobe/Zoom, router firmware, and any NAS or server firmware.

Good sign: updates are not months behind.

06. Endpoint protection is active

Check that Windows Defender or equivalent is running, malware alerts are not ignored, and staff know who to contact if they see a warning.

Good sign: antivirus/security status is visible and reviewed.

07. Email protections are not completely ignored

Check whether SPF, DKIM, and DMARC exist for the domain, staff know how to report phishing, and payment-change requests get verified out of band.

Good sign: a fake invoice or payment-change email would not get approved by one person alone.
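If you want to see what "SPF and DMARC exist" actually means in practice, here is a small added script (not part of the Regis Cyber self-check) that reads a domain's SPF record and DMARC record and says in plain English what is weak about them. The records, domain names and function names below are constructed for this illustration; for your own domain you would paste in the TXT records your DNS provider shows for the domain and for its _dmarc subdomain.

```python
import re
from typing import Optional

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_email_auth(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> list:
    """Return plain-English findings; an empty list means nothing obviously weak."""
    findings = []
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record found")
    else:
        # The 'all' mechanism tells receivers what to do with senders not listed.
        m = re.search(r"(?:^|\s)([~\-+?]?)all(?:\s|$)", spf_txt)
        if m is None:
            findings.append("SPF: no 'all' mechanism, so unlisted senders get a neutral result")
        elif m.group(1) in ("", "+"):
            findings.append("SPF: '+all' lets any server send as your domain")
        elif m.group(1) == "?":
            findings.append("SPF: '?all' is neutral and gives receivers no guidance")
    if not dmarc_txt:
        findings.append("DMARC: no record at the _dmarc subdomain")
    else:
        tags = parse_dmarc(dmarc_txt)
        if tags.get("v", "").upper() != "DMARC1":
            findings.append("DMARC: record does not start with v=DMARC1")
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: policy is '{policy or 'missing'}', so receivers take no action on failures")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so nobody receives the aggregate reports")
    return findings

# Constructed sample records for a fictional domain (not real DNS data).
WEAK = {"spf": "v=spf1 include:_spf.example.net ~all", "dmarc": "v=DMARC1; p=none"}
GOOD = {"spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("good", GOOD)):
        print(name, check_email_auth(recs["spf"], recs["dmarc"]) or ["no findings"])
```

A "p=none" DMARC policy is the common half-finished state: the records exist, but a spoofed invoice still lands in the inbox, which is exactly the case the out-of-band verification above is there to catch.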

08. Critical vendors are known

List your email provider, website host, domain registrar, payment processor, accounting platform, cloud storage, CRM/client database, and MSP/IT provider if any.

Good sign: you know who holds the keys to the business.

09. Offboarding is not improvised

Can you remove a departing contractor from email, cloud storage, social media, password vault, website, and finance tools in one sitting?

Good sign: there is a short offboarding checklist.

10. Incident response has an owner

Know who decides what to do if email is compromised, who calls the bank/payment processor, who contacts clients if data may be involved, and where the recovery checklist lives if email is down.

Good sign: the first hour after an incident is not pure guessing.

11. Devices and accounts are inventoried

Track staff laptops/desktops, shared devices, phones with business access, admin accounts, and software subscriptions.

Good sign: you can answer “what do we have and who has access?” without digging for hours.

12. You have a 30-day cleanup list

Do not try to fix everything at once. Pick the biggest three: turn on MFA for admin accounts, move passwords into a vault, test one backup restore, remove old users, patch stale devices, or write a one-page incident plan.

Quick score

This score is based on your own answers. It is not an audit, attestation, assurance engagement, certification, legal opinion, privacy opinion, insurance opinion, or something a third party should rely on as proof.

If this was useful

I would like to know one thing: which question made you stop and think?

Email hello@regiscyber.com with the number of that question. No pitch required.

If you want to keep going, Regis Cyber is testing a CAD $49 Starter Kit, a CAD $250 Working Hour, and a CAD $895 Guided Checkup. None of those are required to act on what you just learned.