Security Assessments for Small Business: What to Check and How Often
Regular security assessments help identify vulnerabilities before attackers do. Here is a practical guide to what small businesses should evaluate and when.
## Why Security Assessments Matter
Small businesses often assume they're too small to be targeted. In reality, much attack activity is automated and opportunistic: it looks for exposed services, reused passwords and unpatched software regardless of who owns them, and small businesses tend to have weaker controls and less monitoring than larger organisations, which makes them easier to compromise once found.
Regular security assessments help identify vulnerabilities before they're exploited. They don't need to be complex or expensive—systematic attention to key areas provides significant protection.
## Key Assessment Areas
### User Account Security
Stolen, guessed or reused credentials are the most common way attackers get in, so user accounts deserve the closest attention.
**What to check:**
- Are all accounts using strong, unique passwords (ideally generated and stored in a password manager)?
- Is multi-factor authentication enabled where available?
- Are there any unused accounts that should be disabled?
- Do account permissions match current roles?
- Have passwords been reset wherever compromise is suspected, for example after a breach notification? (Routine rotation on a fixed schedule is no longer recommended by NIST SP 800-63B, because it tends to produce predictable variations of the same password.)
**Frequency:** Quarterly review of user accounts. Immediate action when staff leave.
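The account checks above can be run against an export from your identity provider or directory rather than by eyeballing a spreadsheet. The script below is an added example, not part of the original guide: the column names and the sample export are constructed and hypothetical, so adapt `parse_export` to whatever your directory actually produces. It flags leavers whose accounts are still active, accounts that have never logged in or have been dormant for more than a threshold, and accounts without MFA, rating an admin without MFA as critical.

```python
import csv
import io
from datetime import date

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

# Constructed sample export (hypothetical columns). A leaver is any row with
# a left_company date; a blank last_login means the account has never been used.
SAMPLE_EXPORT = """\
username,status,role,mfa_enrolled,last_login,left_company
alice,active,admin,true,2024-05-20,
bob,active,user,false,2024-01-03,
carol,active,user,true,2024-05-21,2024-04-30
dave,disabled,admin,false,2023-11-02,2023-11-01
scanner-svc,active,admin,false,,
"""


def parse_export(text):
    """Turn the CSV export into a list of dicts with real dates and booleans."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"],
            "status": row["status"],
            "role": row["role"],
            "mfa_enrolled": row["mfa_enrolled"].strip().lower() == "true",
            "last_login": date.fromisoformat(row["last_login"]) if row["last_login"] else None,
            "left_company": date.fromisoformat(row["left_company"]) if row["left_company"] else None,
        })
    return rows


def review_accounts(accounts, today, dormant_days=90):
    """Return (username, finding, severity) tuples, most severe first."""
    findings = []
    for a in accounts:
        if a["status"] != "active":
            continue  # disabled accounts are fine; delete them once retention allows
        if a["left_company"] is not None:
            findings.append((a["username"], "leaver_still_active", "critical"))
        if a["last_login"] is None:
            findings.append((a["username"], "never_logged_in", "high"))
        elif (today - a["last_login"]).days > dormant_days:
            findings.append((a["username"], "dormant", "medium"))
        if not a["mfa_enrolled"]:
            severity = "critical" if a["role"] == "admin" else "high"
            findings.append((a["username"], "no_mfa", severity))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[2]])  # stable: keeps input order within a level
    return findings


if __name__ == "__main__":
    for user, finding, severity in review_accounts(parse_export(SAMPLE_EXPORT), date(2024, 5, 22)):
        print(f"{severity:8} {user:12} {finding}")
```

Run it once a quarter and immediately after any departure; the disabled account `dave` is skipped on purpose, and the never-used `scanner-svc` admin account is exactly the kind of forgotten service account the review is meant to surface.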
### Software and Patching
Unpatched software is a major vulnerability.
**What to check:**
- Are operating systems current and receiving updates?
- Is business software up to date?
- Are web browsers current?
- Is security software installed and updated?
- Are there any end-of-life systems no longer receiving updates?
**Frequency:** Monthly review of patch status. Critical security patches applied immediately.
### Backup Status
Backups are your last line of defence against data loss and ransomware.
**What to check:**
- Are backups running successfully?
- What data is being backed up?
- How long would recovery take?
- When was backup recovery last tested?
- Are backups protected from ransomware (offline, immutable, or at minimum not deletable with the same credentials an attacker would obtain on the production network)?
**Frequency:** Weekly verification that backups complete. Quarterly recovery testing.
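"Backups running successfully" and "recovery actually works" are different questions, and the second one needs a restore test. The script below is an added example, not part of the original guide; the data files and the tar archive it creates are constructed inline so it runs offline. It writes a backup with a separate SHA-256 manifest, then restores into a scratch directory and compares every file against the manifest, refusing archive entries that could write outside that directory, and it reports a backup that is older than the recovery point you can tolerate. The tampered-manifest and stale-archive cases stand in for silently corrupted and silently stopped backups.

```python
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive every regular file in source_dir; return {name: sha256} as the manifest.
    Keep the manifest with the offline copy, not only next to the archive."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for name in sorted(os.listdir(source_dir)):
            full = os.path.join(source_dir, name)
            if os.path.isfile(full):
                manifest[name] = sha256_file(full)
                tar.add(full, arcname=name)
    return manifest


def restore_test(archive_path, manifest, now, max_age):
    """Restore into scratch space and verify contents and freshness."""
    problems = []
    mtime = datetime.fromtimestamp(os.path.getmtime(archive_path), timezone.utc)
    if now - mtime > max_age:
        days = (now - mtime).total_seconds() / 86400
        problems.append(f"newest backup is {days:.1f} days old, limit {max_age.days}")
    restored = {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar.getmembers():
                # Only plain files with a bare name: a crafted archive must not
                # be able to place files outside the scratch directory.
                if not member.isfile() or os.path.basename(member.name) != member.name:
                    problems.append(f"refused suspicious member {member.name!r}")
                    continue
                dest = os.path.join(scratch, member.name)
                with tar.extractfile(member) as src, open(dest, "wb") as out:
                    out.write(src.read())
                restored[member.name] = sha256_file(dest)
    for name, expected in manifest.items():
        if name not in restored:
            problems.append(f"{name} missing from backup")
        elif restored[name] != expected:
            problems.append(f"{name} restored with wrong hash")
    verified = sum(1 for n, h in manifest.items() if restored.get(n) == h)
    return {"ok": not problems, "verified": verified, "problems": problems}


def demo():
    """Constructed data set: a good backup, a content mismatch, and a stale backup."""
    now = datetime.now(timezone.utc)
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.mkdir(src)
        for name, body in {"customers.csv": b"id,name\n1,Ada\n", "invoices.csv": b"id,total\n7,120.00\n"}.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(body)
        archive = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(src, archive)
        good = restore_test(archive, manifest, now, timedelta(days=1))
        tampered = dict(manifest)
        tampered["invoices.csv"] = "0" * 64  # what was captured no longer matches what restores
        bad_hash = restore_test(archive, tampered, now, timedelta(days=1))
        stale = restore_test(archive, manifest, now + timedelta(days=10), timedelta(days=1))
    return good, bad_hash, stale


if __name__ == "__main__":
    for label, result in zip(("good", "bad_hash", "stale"), demo()):
        print(label, result)
```

The weekly check is the freshness test; the quarterly check is a real restore of real data, which this `restore_test` models by reading every file back out rather than trusting the backup job's exit code.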
### Email Security
Email is the primary attack vector for most businesses.
**What to check:**
- Is email protected by spam and malware filtering?
- Are staff aware of phishing risks?
- Is email encryption used for sensitive information?
- Are email authentication protocols (SPF, DKIM, DMARC) configured, with the DMARC policy at quarantine or reject rather than the monitoring-only p=none?
- Who has access to shared mailboxes?
**Frequency:** Monthly review of email security settings. Regular phishing awareness reminders.
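SPF and DMARC live in public DNS, so you can review them without any access to the mail system: `dig +short TXT example.com` returns the SPF record and `dig +short TXT _dmarc.example.com` the DMARC record. The checker below is an added example, not part of the original guide; the four records are constructed for a hypothetical domain. It applies the checks a practitioner makes by hand: exactly one SPF record, no more than ten DNS-lookup mechanisms (RFC 7208 treats more as a permanent error), no deprecated `ptr`, a terminal `-all` or `~all` rather than `+all`, and a DMARC record with a real policy and a reporting address. DKIM is not checked here because its record sits under a selector name chosen by your mail provider (`selector._domainkey.example.com`); confirm that one in the provider's admin console.

```python
import re

# Constructed records for a hypothetical domain (not real DNS data).
SPF_WEAK = "v=spf1 include:spf.protection.outlook.com include:_spf.google.com ptr +all"
SPF_GOOD = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps them at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(txt_records):
    """txt_records: all TXT strings at the domain. Returns (severity, message) findings."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("critical", "no SPF record: anyone can send mail claiming to be this domain")]
    findings = []
    if len(spf) > 1:
        findings.append(("high", "multiple SPF records: receivers treat this as a permanent error"))
    lookups, terminal, has_redirect = 0, None, False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        if name == "ptr":
            findings.append(("medium", "ptr mechanism is deprecated by RFC 7208 and slow to evaluate"))
        if name == "all":
            terminal = qualifier
    if lookups > 10:
        findings.append(("high", f"{lookups} DNS-lookup terms, limit is 10: record evaluates to permerror"))
    if terminal == "+":
        findings.append(("critical", "+all authorises every sender, so SPF gives no protection"))
    elif terminal == "?":
        findings.append(("high", "?all gives a neutral result, so spoofed mail is not flagged"))
    elif terminal is None and not has_redirect:
        findings.append(("medium", "no 'all' term: unmatched senders get a neutral result"))
    return findings  # '-all' and '~all' are the acceptable endings


def check_dmarc(record):
    """record: the TXT string at _dmarc.<domain>, or None if absent."""
    if record is None or not record.lower().startswith("v=dmarc1"):
        return [("high", "no DMARC record: receivers cannot be told to reject spoofed mail")]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append(("high", "missing required p= tag: record is invalid and ignored"))
    elif policy.lower() == "none":
        findings.append(("medium", "p=none: monitoring only, spoofed mail is still delivered"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address: you get no aggregate reports and cannot see who spoofs you"))
    pct = tags.get("pct")
    if pct is not None and pct != "100":
        findings.append(("low", f"pct={pct}: policy applied to only a fraction of failing mail"))
    return findings


if __name__ == "__main__":
    for label, result in (("SPF weak", check_spf([SPF_WEAK])), ("SPF good", check_spf([SPF_GOOD])),
                          ("DMARC weak", check_dmarc(DMARC_WEAK)), ("DMARC good", check_dmarc(DMARC_GOOD))):
        print(label, result or "ok")
```

The weak SPF record is a common small-business shape: a hosted mail provider was added correctly, then someone appended `+all` to stop a delivery complaint, which quietly turned SPF off for everyone.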
### Network Security
Your network is the foundation of your technology security.
**What to check:**
- Is the router/firewall properly configured (default credentials changed, firmware current, remote administration disabled, no unnecessary port forwards)?
- Is the Wi-Fi network secured with WPA2 or WPA3 and a strong passphrase, with WPS disabled and no WEP or TKIP in use?
- Is there separation between business and guest networks?
- Are remote access methods secure (VPN or equivalent protected by MFA, with no RDP or admin interfaces exposed directly to the internet)?
- What devices are connected to the network?
**Frequency:** Quarterly network configuration review. Annual penetration testing for higher-risk businesses.
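Answering "what devices are connected?" and "are business and guest networks actually separate?" comes down to comparing what the router has handed out addresses to against the devices you know about. The script below is an added example, not part of the original guide. It assumes a dnsmasq-style lease file (one lease per line: expiry, MAC, IP, hostname, client-id), which many small office routers use; the lease lines, subnets and inventory are constructed and hypothetical. An unknown device on the business subnet is the serious case; a known business device sitting on the guest subnet shows the segmentation is not being respected.

```python
import ipaddress

# Hypothetical subnets for this example.
BUSINESS_NET = ipaddress.ip_network("192.168.10.0/24")
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")

# Constructed inventory, keyed by MAC address as the router reports it.
INVENTORY = {
    "aa:bb:cc:00:00:01": "laptop-alice",
    "aa:bb:cc:00:00:02": "laptop-bob",
    "aa:bb:cc:00:00:03": "office-printer",
    "aa:bb:cc:00:00:04": "nas",
    "aa:bb:cc:00:00:05": "laptop-spare",
}

# Constructed dnsmasq lease lines: <expiry> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1716300000 aa:bb:cc:00:00:01 192.168.10.21 laptop-alice 01:aa:bb:cc:00:00:01
1716300100 aa:bb:cc:00:00:02 192.168.10.22 laptop-bob 01:aa:bb:cc:00:00:02
1716300200 aa:bb:cc:00:00:03 192.168.10.30 office-printer *
1716300300 de:ad:be:ef:00:01 192.168.10.77 android-9f3c 01:de:ad:be:ef:00:01
1716300400 de:ad:be:ef:00:02 192.168.50.12 iPhone *
1716300500 aa:bb:cc:00:00:04 192.168.50.40 nas 01:aa:bb:cc:00:00:04
"""


def parse_leases(text):
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        leases.append({"mac": parts[1].lower(), "ip": ipaddress.ip_address(parts[2]), "hostname": parts[3]})
    return leases


def review_devices(leases, inventory):
    """Return (severity, mac, message) for each lease and each unseen inventory entry."""
    findings = []
    seen = set()
    for lease in leases:
        seen.add(lease["mac"])
        known = lease["mac"] in inventory
        on_business = lease["ip"] in BUSINESS_NET
        if not known and on_business:
            findings.append(("high", lease["mac"],
                             f"unknown device '{lease['hostname']}' on business network at {lease['ip']}"))
        elif not known:
            findings.append(("info", lease["mac"],
                             f"unknown device '{lease['hostname']}' on guest network at {lease['ip']}"))
        elif not on_business:
            findings.append(("medium", lease["mac"],
                             f"{inventory[lease['mac']]} is on the guest network: reachable by guests"))
    for mac, name in inventory.items():
        if mac not in seen:
            findings.append(("info", mac, f"{name} not seen in leases; confirm it still exists or retire it"))
    return findings


if __name__ == "__main__":
    for severity, mac, message in review_devices(parse_leases(SAMPLE_LEASES), INVENTORY):
        print(f"{severity:6} {mac} {message}")
```

Devices with static addresses never appear in the lease file, so pair this with the router's ARP or client table for the full picture; the point is that the inventory, not the router, is the source of truth for what belongs on the business segment.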
### Physical Security
Physical access enables technical attacks.
**What to check:**
- Are servers and network equipment physically secure?
- Are workstations in unsecured areas locked when unattended?
- Who has keys/access to premises?
- How are old devices disposed of?
- Are visitors supervised?
**Frequency:** Quarterly physical security review. Immediate action when keys are lost or staff leave.
### Data Handling
How data is managed affects both security and compliance.
**What to check:**
- What sensitive data does the business hold?
- Who has access to sensitive data?
- How is sensitive data protected?
- How long is data retained?
- How is data securely disposed of?
**Frequency:** Annual data audit. Immediate review when handling requirements change.
## Creating a Security Assessment Checklist
Document your assessment in a simple checklist:
**For each area:**
1. What specifically will you check?
2. What is the acceptable standard?
3. Who is responsible?
4. When will it be checked?
5. What happens if issues are found?
Having a written process ensures consistency and accountability.
## Common Findings
Typical issues found during small business security assessments:
**Former employee access:** Accounts still active after staff departure. Check immediately when anyone leaves.
**Weak passwords:** "Password123" or business name + year. Require stronger passwords or passphrases.
**Missing MFA:** Available but not enabled. Prioritise enabling it on email, remote access and administrator accounts, and prefer authenticator apps or hardware security keys (FIDO2/passkeys) over SMS codes where the service supports them.
**Overdue updates:** Systems weeks or months behind on security patches. Establish regular patching schedule.
**Backup assumptions:** Backups assumed working but never verified. Test recovery regularly.
**Overprivileged users:** Everyone has admin access. Apply least-privilege principles.
**Unsecured Wi-Fi:** Weak passwords or outdated encryption. Use WPA3 where the access point and client devices support it, otherwise WPA2 with AES (CCMP); never WEP or TKIP, and disable WPS. Use a long passphrase and change it when staff who know it leave.
## Acting on Findings
Assessment is pointless without action:
**Prioritise by risk:** Address highest-risk issues first. An exposed admin account matters more than an outdated printer driver.
**Assign responsibility:** Someone needs to own each remediation item.
**Set timeframes:** When will issues be resolved? Follow up.
**Verify fixes:** Confirm issues are actually resolved, not just marked done.
**Document changes:** Record what was found and what was done.
## When to Get External Help
Internal assessments have value but also limitations:
**External assessments help when:**
- You lack internal expertise
- Fresh perspective is needed
- Compliance requires independent assessment
- Higher assurance is required
**Options include:**
- Vulnerability scanning services
- Penetration testing
- Compliance audits
- General security assessments
The right level depends on your risk profile, compliance requirements, and budget.
## Building a Security Culture
Technical assessments matter, but culture matters more:
**Staff awareness:** Do people understand security risks?
**Reporting:** Are staff comfortable reporting concerns or mistakes?
**Leadership support:** Does leadership visibly prioritise security?
**Continuous improvement:** Is security a regular topic, not a one-time project?
Regular assessment combined with security-conscious culture provides practical protection for small businesses without enterprise resources.