Here is a statistic that should concern every small business owner in Northeast Ohio: only 14% of small businesses have adequate defenses against advanced cyber threats. The remaining 86% have significant security gaps that attackers know how to exploit.
Even more concerning, 80% of small businesses still do not have a formal cybersecurity policy. They are making security decisions ad hoc, often only after something goes wrong.
Which category does your Canton, Akron, or Massillon area business fall into?
This self-assessment will help you find out. Answer honestly, and you will have a clear picture of where you stand and what needs attention.
Section 1: Password and Access Management
These questions address how your business handles the keys to your digital kingdom.
1. Does every employee have their own unique login for each system they use?
If employees share accounts or passwords, you cannot track who did what. You also cannot revoke access for one person without affecting others.
2. Are passwords required to be strong and unique for each account?
"Password123" and variations of company names or birthdays are easily guessed. Password reuse means one breach compromises multiple systems.
3. Do you use a password manager to store credentials securely?
Employees who cannot remember unique passwords write them down, store them in spreadsheets, or reuse them. Password managers solve this problem.
4. Is multi-factor authentication (MFA) enabled on all critical systems?
MFA means a stolen or guessed password alone is no longer enough to take over the account, which makes it the most effective single control against the credential-based attacks that start most breaches. Turn it on for email, remote access, and administrator accounts first, and prefer an authenticator app or hardware key to SMS codes, which can be intercepted through SIM swapping.
5. Do you immediately revoke access when employees leave the company?
Former employees with active credentials are a serious risk, whether through malice or because their credentials get stolen later.
Scoring:
- 5 yes answers: Strong access management
- 3-4 yes answers: Moderate gaps that need attention
- 0-2 yes answers: Critical vulnerabilities requiring immediate action
Section 2: Email Security
Email is where most attacks start. These questions assess your defenses at this critical entry point.
1. Do you have email filtering beyond basic spam detection?
Advanced email security analyzes content, checks sender reputation, and blocks malicious attachments and links that basic filters miss.
2. Are employees trained to recognize phishing emails?
Training should cover current threats including AI-generated phishing, not just obvious scams from years ago.
3. Do you have a process for employees to report suspicious emails?
If employees do not know what to do with a suspicious message, they either ignore it or click it. Neither is good.
4. Have you configured SPF, DKIM, and DMARC for your domain?
These DNS records let receiving mail servers check whether a message claiming to come from your domain was sent by a server you authorized (SPF), carries a signature made with your key (DKIM), and what to do when those checks fail (DMARC). They only stop spoofing when your DMARC policy is quarantine or reject and the receiver enforces it; a policy of p=none just reports. They also do nothing against lookalike domains, which still need filtering and user training.
5. Have you tested employees with a simulated phishing email in the past year?
You cannot know if training works without testing. Simulated phishing reveals actual readiness, and the click rate over time tells you whether the training is sticking.
Scoring:
- 5 yes answers: Strong email security
- 3-4 yes answers: Some protection but gaps exist
- 0-2 yes answers: High risk of successful phishing attack
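Here is an added example, not part of the original article, of the kind of check that sits behind question 4. It takes the three DNS TXT records as strings and reports the configurations that still leave a domain spoofable. The records below are constructed samples for a hypothetical domain; real ones come from a DNS lookup of yourdomain.com, selector._domainkey.yourdomain.com and _dmarc.yourdomain.com, and the "spoof_protected" verdict is a simple heuristic of my own, not a standard.

```python
"""Check SPF, DKIM and DMARC records for weaknesses that leave a domain spoofable.

Added example, not from the original article. Pass the raw TXT record strings
fetched from DNS; empty string means the record does not exist.
"""
import re

# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0123456789abcdef"  # shortened fake key
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"


def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM and DMARC syntax) into a dict, keys lower-cased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of findings for an SPF record; empty list means no weakness found."""
    if not record:
        return ["no SPF record: receivers cannot tell which servers may send for this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not begin with v=spf1 and will be ignored"]
    findings = []
    all_term = next((t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t, re.I)), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result instead of failing")
    elif all_term.lstrip("+").lower() == "all":
        findings.append("'+all' authorizes every host on the internet to send as you")
    elif all_term.startswith("?"):
        findings.append("'?all' is neutral: unlisted senders neither pass nor fail")
    elif all_term.startswith("~"):
        findings.append("'~all' is soft fail; use '-all' once every legitimate sender is listed")
    # SPF allows at most 10 DNS-lookup mechanisms; more produces a permerror at the receiver.
    lookups = [t for t in terms
               if re.match(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)", t, re.I)]
    if len(lookups) > 10:
        findings.append(f"{len(lookups)} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def check_dkim(record):
    """Return findings for the DKIM key record published at the selector."""
    if not record:
        return ["no DKIM record at the selector: mail is unsigned, so DMARC relies on SPF alone"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # the v= tag is optional in DKIM
        findings.append("unexpected version tag; receivers may ignore the key")
    if not tags.get("p"):
        findings.append("empty p= tag: the key is revoked and signatures will not verify")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag is set: a failed signature is treated like unsigned mail")
    return findings


def check_dmarc(record):
    """Return findings for the DMARC policy record."""
    if not record:
        return ["no DMARC record: receivers have no policy for mail that fails SPF/DKIM alignment"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not begin with v=DMARC1 and will be ignored"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered; move to quarantine, then reject")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam; p=reject blocks it outright")
    elif policy != "reject":
        findings.append(f"missing or unrecognised policy p={policy!r}: the record is invalid")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports showing who sends as your domain")
    sub_policy = tags.get("sp", "").lower()
    if sub_policy in ("none", "quarantine") and sub_policy != policy:
        findings.append(f"sp={sub_policy}: subdomains are protected more weakly than the main domain")
    return findings


def assess_domain(spf, dkim, dmarc):
    """Findings per record plus a heuristic verdict on direct-spoofing protection."""
    report = {"spf": check_spf(spf), "dkim": check_dkim(dkim), "dmarc": check_dmarc(dmarc)}
    tags = parse_tags(dmarc) if dmarc else {}
    report["spoof_protected"] = (
        tags.get("p", "").lower() == "reject"
        and tags.get("pct", "100") == "100"
        and bool(spf)
        and not report["dkim"]
    )
    return report


if __name__ == "__main__":
    for name, items in assess_domain(SAMPLE_SPF, SAMPLE_DKIM, SAMPLE_DMARC).items():
        print(name, items)
```

Run against the constructed samples, the report flags the soft-fail SPF and the monitoring-only DMARC policy, which is the usual state of a domain that "has DMARC" but is still spoofable. Move the policy to p=quarantine and then p=reject only after the aggregate reports show every legitimate sender passing.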
Section 3: Backup and Recovery
Backups are your insurance policy against ransomware and data loss. These questions reveal if that policy will actually pay out.
1. Is all critical business data backed up regularly?
Identify your critical data: customer records, financial data, production files, emails, and anything you could not recreate. Is it all covered?
2. Are backups stored in at least two locations, including offsite or cloud?
Local backups can be destroyed by the same ransomware, fire, or flood that takes out your primary systems.
3. Is at least one backup copy stored offline, disconnected from your network?
Ransomware operators look for connected backup systems and encrypt or delete them before they trigger encryption on your production data. Offline copies, or cloud backups with immutability (object lock) and credentials separate from your domain admins, survive even if attackers control your network completely.
4. Have you actually tested restoring from your backups?
Backups that have never been tested are backups you cannot trust. Test restores should happen regularly.
5. Do you know your recovery time objective (RTO) and recovery point objective (RPO), and can your backups meet them?
How long can your business survive without access to systems and data, and how much recent work can you afford to lose? Back up often enough, and rehearse restores often enough, to actually hit those numbers.
Scoring:
- 5 yes answers: Solid backup strategy
- 3-4 yes answers: Gaps that could prove costly during an incident
- 0-2 yes answers: Severe risk of unrecoverable data loss
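The restore test behind questions 4 and 5 can be automated so it actually happens on a schedule. The following is an added example, not from the original article: it creates constructed sample files, backs them up into a tar.gz archive with a SHA-256 manifest recorded at backup time, restores the archive into a scratch directory, and compares every file. It also shows what a damaged archive and a file that was never captured look like to the check. The file names and contents are invented for the demonstration.

```python
"""Test-restore check for a backup archive.

Added example, not part of the original article. The restore goes into a
throwaway directory, so the check never touches production data.
"""
import hashlib
import os
import tarfile
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large backups are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir):
    """Map each file's path (relative to source_dir, with '/' separators) to its hash."""
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, source_dir).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def create_backup(source_dir, archive_path):
    """Archive every file under source_dir; return the manifest taken at backup time."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(source_dir, rel), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and compare with the manifest.

    Returns (ok, problems). ok is True only if every manifest entry restored
    with the expected checksum.
    """
    problems = []
    # Python 3.12+ (and patched 3.8-3.11) support the 'data' extraction filter,
    # which refuses absolute paths and '..' traversal inside the archive.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(restore_dir, **extract_opts)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return False, [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = os.path.join(restore_dir, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"checksum mismatch after restore: {rel}")
    return (not problems), problems


def demo():
    """Run the check against a good archive, a manifest with an uncaptured file, and a damaged archive."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "data")
        os.makedirs(os.path.join(source, "finance"))
        # Constructed sample data standing in for real business files.
        with open(os.path.join(source, "customers.csv"), "w") as fh:
            fh.write("id,name\n1,Example Customer\n")
        with open(os.path.join(source, "finance", "q1.txt"), "w") as fh:
            fh.write("Q1 revenue: 12345\n")

        archive = os.path.join(work, "backup.tar.gz")
        manifest = create_backup(source, archive)
        good = verify_restore(archive, manifest)

        # A file the backup job never picked up: the manifest expects it, the archive lacks it.
        missing = verify_restore(archive, dict(manifest, **{"finance/q2.txt": "0" * 64}))

        # A corrupted backup: overwrite the gzip header with zeros.
        with open(archive, "r+b") as fh:
            fh.write(b"\x00" * 16)
        corrupt = verify_restore(archive, manifest)

        return {"good": good, "missing": missing, "corrupt": corrupt}


if __name__ == "__main__":
    for case, (ok, problems) in demo().items():
        print(case, "OK" if ok else "FAILED", problems)
```

The important design point is that the manifest is written when the backup is taken, not when it is verified; otherwise a backup job that silently skipped a folder would also skip it in the check. Schedule the verification to run automatically and alert on any failure, since a restore test that is run by hand "when there is time" is the one that never happens.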
Section 4: Endpoint Protection
Every computer, laptop, and phone is a potential entry point. These questions address device security.
1. Do all company devices have current endpoint protection software?
Traditional signature-based antivirus is no longer sufficient. Modern endpoint detection and response (EDR) tools record what processes do on each device, flag suspicious behavior, and can isolate a compromised machine automatically, but the alerts still need someone to review and act on them.
2. Are operating systems and software kept updated with security patches?
Unpatched systems are easy targets. Automatic updates should be enabled wherever possible.
3. Do you have policies for personal devices accessing company data?
If employees use personal phones or laptops for work, those devices need security too.
4. Are laptops encrypted so data is protected if devices are lost or stolen?
Full disk encryption (BitLocker on Windows, FileVault on macOS) means a stolen laptop does not automatically mean stolen data, provided the device locks when idle and the recovery keys are escrowed somewhere you control rather than left on the laptop itself.
5. Can you remotely wipe a lost or stolen device?
When devices disappear, you need the ability to remove company data before it falls into wrong hands.
Scoring:
- 5 yes answers: Well-protected endpoints
- 3-4 yes answers: Moderate endpoint security with room for improvement
- 0-2 yes answers: Devices are a significant vulnerability
Section 5: Network Security
Your network connects everything together. Weaknesses here affect your entire organization.
1. Do you have a business-grade firewall (not just a consumer router)?
Business firewalls provide features like intrusion prevention, content filtering, and VPN support that consumer devices lack.
2. Is your firewall firmware current and regularly updated?
Firewalls with outdated firmware often have known vulnerabilities that attackers exploit.
3. Is your Wi-Fi secured with WPA3 or WPA2-Enterprise?
Open or WEP-secured wireless networks are trivially compromised, and a single shared WPA2 passphrase is known to every current and former employee and every guest who was ever given it. Guest and smart-office devices belong on a separate network that cannot reach business systems.
4. Do remote employees connect through VPN rather than exposing systems directly to the internet?
Remote desktop (RDP), file shares, and applications exposed directly to the internet are among the most common ways ransomware gets in. Put them behind a VPN that itself requires MFA, and check your public IP addresses periodically for services you did not know were open.
5. Do you know all devices connected to your network?
Unknown devices could be rogue access points, compromised systems, or unauthorized equipment.
Scoring:
- 5 yes answers: Solid network security foundation
- 3-4 yes answers: Network has vulnerabilities that need attention
- 0-2 yes answers: Network security requires significant improvement
Section 6: Policies and Procedures
Technical controls only work when supported by clear policies and trained people.
1. Do you have a written cybersecurity policy that employees have acknowledged?
Policies document expectations. Without them, security is inconsistent and unenforceable.
2. Do you have a documented incident response plan?
When something goes wrong, who do you call? What steps do you take? Figuring this out during a crisis costs precious time.
3. Have employees received security awareness training in the past year?
Threats evolve constantly. Training from two or three years ago predates current phishing tactics, AI-generated lures, and MFA-bypass tricks, so employees are being prepared for the wrong attacks.
4. Do you have security requirements for vendors and partners who access your systems?
Your vendors' security weaknesses become your security weaknesses when they have access to your data or systems.
5. Do you conduct regular reviews of user access and permissions?
Access accumulates over time. Regular reviews remove permissions people no longer need.
Scoring:
- 5 yes answers: Strong policy foundation
- 3-4 yes answers: Policies exist but need strengthening
- 0-2 yes answers: Policy gaps create significant organizational risk
Interpreting Your Results
Add up your yes answers across all sections for your total score out of 30.
25-30: Strong security posture
You are in the minority of small businesses with adequate defenses. Continue maintaining and improving your security program. Regular assessments help ensure you stay current as threats evolve.
18-24: Moderate security with notable gaps
You have some protections in place but meaningful vulnerabilities exist. Prioritize addressing gaps in sections where you scored lowest. Consider professional assessment to identify issues this self-assessment may have missed.
10-17: Significant security weaknesses
Your business has substantial exposure to common attack vectors. Multiple areas need immediate attention. A professional security assessment should be a priority, followed by a structured improvement plan.
Below 10: Critical security deficiencies
Your business operates with minimal cyber protection. You are highly vulnerable to attacks that regularly devastate similar organizations. Immediate professional assistance is strongly recommended.
What To Do Next
If this assessment revealed gaps, you have two choices: address them yourself or get help.
For businesses with internal IT capability, use your scores to prioritize improvements. Focus first on sections where you scored lowest, as those represent your greatest risks.
For businesses without dedicated IT staff, this is exactly where NHM Ohio helps. We work with small and mid-sized businesses throughout Northeast Ohio to implement practical cybersecurity that fits realistic budgets.
Our Security Assessment Goes Deeper
This self-assessment covers fundamentals, but a comprehensive professional assessment examines:
- Actual configuration of your systems, not just whether tools exist
- Vulnerability scanning to identify specific weaknesses
- Network analysis to discover unknown devices and connections
- Policy review to ensure documentation matches reality
- Employee testing through simulated phishing
- Compliance requirements specific to your industry
We Implement Solutions That Work
Assessment without action changes nothing. NHM Ohio helps you close gaps with:
- Managed endpoint protection deployed across all devices
- Email security configuration and monitoring
- Backup solutions with verified recovery
- Network security improvements and monitoring
- Security awareness training and testing
- Policy development and documentation
Ongoing Management Keeps You Protected
Cybersecurity is not a one-time project. Threats evolve, systems change, and new vulnerabilities emerge. We provide ongoing managed security services that maintain your defenses without requiring a dedicated internal security team.
Schedule Your Professional Assessment
Only 14% of small businesses have adequate cyber defenses. After taking this self-assessment, you have a better idea of where your business stands.
If you scored lower than you would like, that is actually good news. You now know where to focus, and you can address gaps before attackers exploit them.
NHM Ohio has helped businesses throughout Canton, Akron, Massillon, Alliance, and surrounding areas improve their security posture. We understand small business constraints and provide solutions that work within realistic budgets.
Contact us today to schedule a comprehensive security assessment. We will tell you exactly where you stand and what it would take to get to where you need to be.
The 14% with adequate defenses made a choice. You can make that choice too.
NHM Ohio provides managed IT services, cybersecurity assessments, and technology support for businesses in Stark, Summit, Tuscarawas, Carroll, and surrounding Ohio counties. Visit nhmohio.com or call to schedule your security assessment.
