Small Business Security Assessment
About this assessment tool
Audience: small businesses (5–50 people). Type: local, in-browser helper.
This page explains how the Small Business Security Assessment works, which areas it evaluates,
and how to use the results safely. The assessment runs as a guided questionnaire in your browser
so you can quickly score your current posture, identify quick wins, and capture evidence you can
reuse with clients, insurers, and auditors.
Overview
What this assessment is designed to do
The Small Business Security Assessment is a local-only helper that walks you through a
concise set of security questions tailored to small organizations. It focuses on the
most common gaps that appear in insurance questionnaires, client security reviews, and
basic audit checklists.
- Collects answers about people, devices, data protection, vendors, and incident readiness.
- Calculates simple scores for each area so you can see strengths and weak spots at a glance.
- Generates a prioritized action list you can turn into a roadmap or improvement plan.
- Helps you capture plain language evidence that aligns with common audit and insurance questions.
Typical uses:
- Insurance and client questionnaires
- Security health check for owners
- Roadmap starter for small teams
Nothing is sent back to CyberLife Coach or to any third party. All logic runs in your browser,
and any exported reports stay on your systems.
Quick start
How to use the assessment results
The assessment guides you through a series of questions and then produces a summary view of
your scores and next steps. You decide how to use that output in your own environment.
- Open the tool and choose the profile that best matches your situation, for example very small team or growing team.
- Work through each section, answering questions as honestly as possible based on current practices.
- Review the score breakdown and short narrative summary for people, devices, data, vendors, and response.
- Export the results to a file, for example smb-security-assessment.json or smb-security-summary.md.
- Use the prioritized action list as a lightweight project plan and track items to completion.
- Refer back to the assessment periodically so you can measure progress over time.
Treat this as a planning and communication aid. It does not make configuration changes and
it does not replace technical testing or professional consulting for complex environments.
Coverage areas
What this assessment looks at
The assessment focuses on a practical subset of topics that repeatedly show up in security
questionnaires for small businesses. Questions are written in plain language so owners, office
managers, and non-technical staff can participate.
People and access
- Use of unique accounts and basic account hygiene for staff and contractors.
- Multi-factor authentication coverage on email, finance, and key business tools.
- Onboarding and offboarding steps for new hires, departures, and role changes.
- Staff awareness of phishing, social engineering, and basic data handling rules.
- Use of written policies for acceptable use, remote work, and device ownership.
This area gives you a quick view of how well your human processes support secure access
to critical systems and data.
Devices, data, and vendors
- How laptops, desktops, and mobile devices are protected and kept up to date.
- Use of disk encryption, backups, and basic data classification for sensitive records.
- Coverage of endpoint security tools such as antivirus and basic hardening baselines.
- Vendor and cloud service usage, including how access and data location are tracked.
- Presence of a simple incident playbook for ransomware, account compromise, or data loss.
These questions help you understand where business data lives, how it is protected, and
how reliant you are on third-party services.
Safe use and boundaries
Before you rely on this assessment
- Confirm who in your organization is allowed to answer on behalf of the business.
- Involve both technical and non-technical stakeholders where possible so answers are balanced.
- Document assumptions and notes for any questions that feel ambiguous or context-dependent.
- Pair this assessment with at least basic technical checks such as patch status and backup tests.
- Revisit and refresh answers whenever there are major changes in staff, tools, or data flows.
Good next steps
- Turn your prioritized actions into a small backlog or task list with clear owners and dates.
- Store exported reports securely so you can reference them during insurance or client reviews.
- Use the questions as a starting agenda for board, owner, or leadership-level discussions.
- Map key findings to frameworks such as NIST CSF or CIS Controls if you need a more formal view.
This assessment provides a curated set of questions inspired by common insurance and audit themes
and by controls found in frameworks such as NIST CSF and CIS Controls. It is not a full compliance
program, but a practical starting point for small businesses that want to understand and improve
their security posture.
Important notice and legal disclaimer
This assessment and any exported summaries are provided for educational and informational use only.
They do not replace professional advice and they do not guarantee compliance with DISA STIGs, NIST CSF,
CIS Controls, GDPR, cyber insurance requirements, or any other framework or contract. All logic runs
locally in your browser and any output stays on your systems, yet you are fully responsible for how
you interpret and use the results. Always verify findings against your own environment, involve
qualified professionals where appropriate, and make sure you have reliable backups and incident
response plans in place before making significant changes. Do not treat this tool as a formal audit,
penetration test, or certification of security.