Business Security Review

Small Business Security Review

Small-business security usually breaks at ordinary places: an old administrator account, a former employee who still has access, email without strong sign-in protection, a backup no one has tested, or a computer that stopped receiving updates.

How I Can Help

Find The First Priorities

This is a practical review for an owner who wants to know where to start. It is not a certification or regulatory compliance audit.

Confirm Who Owns Access

I identify the people and accounts controlling Microsoft 365, domains, websites, file storage, network equipment, backups, and other systems the business depends on.

Check Everyday Protection

I review MFA, administrator roles, updates, endpoint settings, email safeguards, shared access, backup status, and the recovery information attached to important accounts.

Prioritize The Work

You receive a short list separated into urgent fixes, near-term improvements, and items that can wait. I explain the business reason for each recommendation.

Review Areas

Six Useful Questions

The categories follow the same practical sequence used by the NIST Cybersecurity Framework: govern, identify, protect, detect, respond, and recover.

Who makes security decisions?

Owners, administrators, vendors, and employees need clear responsibilities.

What must keep working?

Critical accounts, devices, data, and customer-facing systems are identified first.

What blocks common attacks?

MFA, updates, least-needed access, safer email, and tested backup reduce avoidable exposure.

Would anyone notice a problem?

Alerts, account activity, endpoint warnings, and vendor notices need an owner.

Who gets called first?

The response list should include the owner, IT contact, bank, insurer, vendors, and legal help when applicable.

Can the business recover?

Backups, restore testing, replacement plans, and account recovery paths matter before an incident.

For owner education, I also point clients to the CISA small-business resources and the NIST small-business quick-start guidance.

What You Receive

A Usable Priority List

The result is written for the owner, not buried in a long scan report.

  • Urgent account or access issues
  • Thirty-day security improvements
  • Account and vendor ownership notes
  • Questions requiring a specialist or insurer
Straight Answers

Security Review Questions

Is this a penetration test or compliance audit?

No. This is an owner-friendly review of practical controls, account ownership, devices, Microsoft 365, backups, and response readiness. A regulated business may also need a qualified compliance assessor, insurer-approved provider, or specialized security test.

What should a small business fix first?

The first priorities usually protect the accounts and systems that could stop the business: administrator access, MFA, former-user access, supported and updated computers, email protection, and a backup that can actually be restored. The order depends on your operation.

Can you review Microsoft 365?

Yes. I can review administrator roles, MFA coverage, licenses, sharing, mailbox access, recovery paths, email protection, and domain records. I document what needs attention instead of changing everything without an agreed plan.

Do we need expensive security software?

Not always. Many businesses should first use the protections they already own correctly, remove unnecessary access, update devices, enable MFA, and verify backups. Additional products should solve a defined gap, not simply add another dashboard.

What if a former employee still has access?

That should be reviewed promptly. The right steps may include blocking sign-in, revoking sessions, changing shared credentials, transferring files and mail, checking forwarding rules, and confirming the person no longer controls recovery information or vendor accounts.

Can you help after a phishing message was opened?

Yes. Preserve the message and note what was clicked or entered. Depending on the event, the response may include changing a password from a trusted device, revoking sessions, reviewing mailbox rules, checking the computer, notifying affected vendors, and contacting a bank or insurer.

Unsure Where To Start?

Tell me how many people, computers, locations, and Microsoft 365 accounts are involved. I can help define a practical first review.

Back to Services