I get this question more than almost any other, usually from a business owner who's seen one too many headlines about ransomware: "Sammy, am I actually secure, or do I just think I am?"
It's a fair question, and an uncomfortable one, because most small businesses I visit around Arlington and Northern Virginia fall somewhere in the middle. You're not wide open, but you're not as locked down as you assume either. So instead of selling you a scary lecture, let me walk you through the same quick gut-check I'd run in my own head before I ever plug in a single tool. Grab a coffee. This takes about ten minutes, and it's all in plain English.
1. Can you name everyone who can log in?
Seriously, pull up a mental list. Every employee, every contractor, every "I'll just share my password with the new hire" situation. If you can't name them all in under a minute, that's your first red flag. The most common way small businesses get burned isn't some Hollywood hacker, it's a former employee's login that nobody ever turned off, or a shared password that's been floating around for three years.
Quick win: make a list today of every account and who owns it. If you find logins for people who left, that's not a someday project, that's a this-week project.
2. Is your most important data backed up somewhere you can't accidentally delete?
Notice I didn't ask "do you have a backup." Almost everyone says yes. The real question is whether that backup is separate from your day-to-day systems. If ransomware locks your main computer and your backup drive is plugged into that same computer, you've got one problem that just became two.
The rule I live by is the 3-2-1 approach: three copies of anything you can't lose, on two different types of storage, with one of them off-site (cloud counts). If that sounds like overkill, ask yourself what happens to the business if your QuickBooks file vanishes tomorrow.
3. Does everyone have their own login, or do you share one?
Shared logins feel efficient until something goes wrong and you have no idea who did what. Individual accounts aren't just about security, they're about accountability. When each person has their own login, you can turn off access the moment someone leaves, and you can actually see who touched what.
4. Is two-factor turned on for the stuff that matters?
Your email, your banking, your payroll, your cloud files. If a password is the only thing standing between a stranger and your business email, you're one phishing click away from a very bad week. Two-factor authentication (that text code or app prompt) is the single highest-value, lowest-cost thing most businesses skip. It's free and it takes an afternoon.
5. When did you last update everything?
Not just Windows. Your router, your point-of-sale system, that old printer with Wi-Fi, the cameras. Outdated devices are the unlocked back door most owners forget exists. If you can't remember the last time something got an update, assume it's overdue.
So... how'd you do?
Here's my honest scoring, neighbor to neighbor:
- Confident yes on all five? You're in better shape than most. Keep it up, and maybe have someone verify it once a year.
- A few "uhh, I think so"? That's normal, and it's exactly the gap I see most often. You're not in crisis, but those soft spots add up.
- More than two "no"s? Don't panic, but don't sit on it either. These are the gaps that turn a small incident into a closed-for-a-week disaster.
The tricky part is that a self-check only tells you what you already know to look for. The real risks are usually the ones you don't know are there: an exposed service, a misconfigured firewall, a device quietly broadcasting to the whole street. That's the difference between a self-check and an actual assessment.
When I do a small business vulnerability assessment, I'm looking at your network the way an outsider would, finding the doors you didn't know were unlocked, and handing you a plain-English report with a prioritized fix list, not a 40-page PDF you'll never read. For businesses that want the deeper dive, the full cybersecurity audit goes further into policies and access. And if you just want to tighten the basics yourself first, my small business cybersecurity checklist for NoVA is a great free starting point.
One thing I'll always be straight with you about: I won't sell you security theater. If your basics are solid, I'll tell you that and send you on your way. I'd rather have a neighbor who trusts me than a one-time invoice.
If those five questions left you with a knot in your stomach, that knot is worth a ten-minute phone call. No pressure, no jargon, just an honest conversation about where you stand.
Give me a call at 571-680-5334 and we'll figure out whether you actually need anything, or whether you're already in good shape.
— Sammy