
How Secure Is Your IT Infrastructure? A Practitioner's Self-Audit

Is your IT infrastructure secure? Self-audit — Xen Bilişim Data Security

Most SMB owners only learn how secure their IT actually is during an incident. By then, the answer matters less than the cost. Here’s an honest self-audit you can run in 30 minutes that surfaces the gaps before an attacker does — 25 questions across five domains.

Domain 1: Identity & access

1. Is MFA enforced for ALL users (including admins, third-party access, executive accounts)? The single highest-value security control. If MFA isn’t on for 100% of accounts, fix it this week.

2. Do you have a documented offboarding process? When someone leaves, do their accounts and device access get revoked within 24 hours?

3. Are admin accounts separate from daily-use accounts? Admin work should require explicit sign-in to admin accounts, not “I’m the IT person, my normal account has all rights.”

4. Are there documented break-glass accounts on FIDO2 keys? For emergency access when normal systems fail. Two accounts, two physical keys, stored separately.

5. Do you review user access rights quarterly? Ghost users, stale permissions, over-privileged accounts — caught by review, never by accident.

Domain 2: Endpoint security

6. Do you have EDR (not just AV) on every endpoint? Modern endpoint detection and response. Defender for Business (with M365 Business Premium) is the SMB baseline.

7. Are critical patches applied within 30 days? And measured: what’s your compliance percentage? If you can’t answer with a number, you’re not measuring.

8. Are personal devices that access company data controlled with MAM? Intune App Protection for BYOD. Without it, departing employees retain company data.

9. Is there a documented response process for compromised endpoints? What happens at 11pm Saturday when an alert fires?

10. Are macros and risky behaviours blocked by ASR rules? Microsoft’s Attack Surface Reduction rules block the most common attack vectors.

Domain 3: Email & web

11. Is Defender for Office 365 / equivalent deployed with Safe Links? Email is still the #1 attack vector. URL rewriting and click-time analysis matter.

12. Are SPF, DKIM and DMARC properly configured? They prevent domain spoofing; DMARC should be at p=quarantine or p=reject.

13. Does the team know how to report phishing? The “Report Phish” button in Outlook + a documented response process.

14. Is web filtering / DNS protection in place? Blocks known-malicious URLs before they’re clicked. Cloudflare Gateway, Cisco Umbrella or equivalent.

15. Is the team trained on phishing regularly? Annual training plus quarterly phishing simulations (KnowBe4, Phish Threat).
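As an added example (not from the original post), a small Python checker for the record values behind question 12: it parses constructed sample SPF and DMARC TXT records for a hypothetical domain and flags a DMARC policy weaker than p=quarantine / p=reject, an sp= or pct= exception that weakens it, and an SPF record that ends in +all. Fetching the real records from DNS is left out so the script runs offline.

```python
from typing import Dict, List, Optional

# Constructed sample TXT records for a hypothetical domain (not real lookups).
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_DMARC = "v=DMARC1; p=none; sp=none; pct=50; rua=mailto:dmarc@example.com"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com +all"


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: Optional[str]) -> List[str]:
    """Return findings; an empty list means the record meets the checklist bar."""
    if not record:
        return ["no DMARC record: receivers have no policy for spoofed mail"]
    tags = parse_dmarc_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: monitor only, spoofing not blocked")
    sub_policy = tags.get("sp", "").lower()
    if sub_policy and sub_policy not in ("quarantine", "reject"):
        findings.append(f"sp={sub_policy}: subdomains can still be spoofed")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


def check_spf(record: Optional[str]) -> List[str]:
    """Flag an SPF record that is missing or lets any sender pass."""
    if not record:
        return ["no SPF record: any host can send as this domain"]
    terms = record.split()
    findings = []
    if terms[0].lower() != "v=spf1":
        findings.append("record does not start with v=spf1")
    # A record ending in +all (or with no all term) passes every sender.
    if not any(t.lower() in ("-all", "~all") for t in terms):
        findings.append("no -all/~all terminator: any sender passes SPF")
    return findings
```

To audit a real domain, look up the TXT records for the domain and its `_dmarc` subdomain and pass the strings to `check_spf` and `check_dmarc`.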

Domain 4: Data & backup

16. Do you have backup that’s tested? “We have backups” isn’t enough. When was the last successful documented restore test?

17. Is data classified (Confidential / Internal / Public)? With Sensitivity Labels, data location and access controls become automatic.

18. Are Sensitivity Labels deployed with Microsoft Purview? Confidential content protected from oversharing, Copilot summarisation, external paste.

19. Is data retention aligned with regulatory requirements (KVKK, tax law, industry-specific rules)? Old data deleted; required data retained.

20. Are critical SaaS apps included in backup strategy? M365 native retention isn’t backup. Veeam / Acronis / Datto for proper M365 backup.

Domain 5: Operations & governance

21. Do you have an incident response plan in writing? Not “we call the IT person.” Documented playbook with roles, communications, regulator notification windows.

22. Have you run a tabletop exercise in the last 12 months? Practice the incident response when stakes are low.

23. Is cyber insurance in place with your current posture declared? The carrier must know which controls you actually have; otherwise you risk claim denial.

24. Are vendors / suppliers vetted for security posture? Supply-chain attacks come through trusted vendors. SOC 2, ISO 27001, contractual obligations.

25. Is there an annual external security review? Internal audit + external review (penetration test or assessment) — depending on scope.

Scoring your self-audit

Each “yes” = 4 points.

  • 85+ points: strong posture. Continue tuning.
  • 65–84 points: adequate, with gaps to close.
  • 40–64 points: material gaps. Prioritise remediation in next 90 days.
  • Below 40: you’re a target. The next incident is likely catastrophic.

What to do next

If your score reveals gaps, the typical priority order:

  1. MFA on all users (week 1).
  2. EDR on all endpoints (month 1).
  3. Backup test and verify (month 1).
  4. Patch compliance baseline (month 2).
  5. Email security uplift (month 2).
  6. Sensitivity Labels deployment (month 3).
  7. Documented incident response plan (month 3).
  8. Tabletop exercise (month 4).
  9. External assessment (month 6).

Frequently asked questions

How much does closing the gaps cost? For a 50-person SMB starting from “modern AV only” to a mature posture: typically 5,000–15,000 USD for tooling (much already in M365 Business Premium) + 10,000–25,000 USD consulting for proper deployment.

Should we hire a CISO? For mid-market (200+ employees) typically yes — fractional or full-time. For SMB: outsource via virtual CISO (vCISO) services.

What if we’re a small target? Modern attackers don’t pick targets manually — they automate scanning for vulnerabilities. Small isn’t a defence; weak controls are the attractor.

Is cyber insurance enough? No. Insurance handles residual financial risk. The operational controls have to actually exist first.

Bottom line

Most SMBs are 2–3 controls away from significantly better security. The audit is free; running through it takes 30 minutes. To translate audit results into a concrete remediation plan, contact us for a free initial consultation.
