
Rate Your Cyber Security in 2 Minutes: A Self-Assessment for Growing Businesses
Most breaches exploit a handful of missing basics — MFA, backups, patching, training. Here are the nine controls that matter most, weighted by real-world risk.
Most small and mid-size businesses are not breached by sophisticated, targeted attacks. They are breached because a basic control was missing — no multi-factor authentication, backups that were never tested, a server that went unpatched for a year. The good news is that the same short list of fundamentals blocks the large majority of incidents.
The controls that move the needle
Not every control carries equal weight. These are the ones that, in practice, separate a near-miss from a headline.
- Multi-factor authentication on email, VPN, and admin accounts — the single highest-impact control.
- Automated, tested backups stored offsite or immutable (the 3-2-1 rule) — your last line of defense against ransomware.
- Managed endpoint protection (EDR) monitored on every device.
- A real patch cadence for operating systems and third-party apps.
- Regular security-awareness and phishing training for staff.
Score, then fix in priority order
A self-assessment is only useful if it turns into a punch list. The point is not the number — it is knowing which two or three gaps to close first, ranked by how much risk each one removes.



