Confirm Who Owns Access
I identify the people and accounts controlling Microsoft 365, domains, websites, file storage, network equipment, backups, and other systems the business depends on.
Small-business security usually breaks at ordinary places: an old administrator account, a former employee who still has access, email without strong sign-in protection, a backup no one has tested, or a computer that stopped receiving updates.
This is a practical review for an owner who wants to know where to start. It is not a certification or regulatory compliance audit.
I identify the people and accounts controlling Microsoft 365, domains, websites, file storage, network equipment, backups, and other systems the business depends on.
I review MFA, administrator roles, updates, endpoint settings, email safeguards, shared access, backup status, and the recovery information attached to important accounts.
You receive a short list separated into urgent fixes, near-term improvements, and items that can wait. I explain the business reason for each recommendation.
The categories follow the same practical sequence used by the NIST Cybersecurity Framework: govern, identify, protect, detect, respond, and recover.
Owners, administrators, vendors, and employees need clear responsibilities.
Critical accounts, devices, data, and customer-facing systems are identified first.
MFA, updates, least-needed access, safer email, and tested backup reduce avoidable exposure.
Alerts, account activity, endpoint warnings, and vendor notices need an owner.
The response list should include the owner, IT contact, bank, insurer, vendors, and legal help when applicable.
Backups, restore testing, replacement plans, and account recovery paths matter before an incident.
For owner education, I also point clients to the CISA small-business resources and the NIST small-business quick-start guidance.
The result is written for the owner, not buried in a long scan report.
No. This is an owner-friendly review of practical controls, account ownership, devices, Microsoft 365, backups, and response readiness. A regulated business may also need a qualified compliance assessor, insurer-approved provider, or specialized security test.
The first priorities usually protect the accounts and systems that could stop the business: administrator access, MFA, former-user access, supported and updated computers, email protection, and a backup that can actually be restored. The order depends on your operation.
Yes. I can review administrator roles, MFA coverage, licenses, sharing, mailbox access, recovery paths, email protection, and domain records. I document what needs attention instead of changing everything without an agreed plan.
Not always. Many businesses should first use the protections they already own correctly, remove unnecessary access, update devices, enable MFA, and verify backups. Additional products should solve a defined gap, not simply add another dashboard.
That should be reviewed promptly. The right steps may include blocking sign-in, revoking sessions, changing shared credentials, transferring files and mail, checking forwarding rules, and confirming the person no longer controls recovery information or vendor accounts.
Yes. Preserve the message and note what was clicked or entered. Depending on the event, the response may include changing a password from a trusted device, revoking sessions, reviewing mailbox rules, checking the computer, notifying affected vendors, and contacting a bank or insurer.
Tell me how many people, computers, locations, and Microsoft 365 accounts are involved. I can help define a practical first review.