IT Assessment

Passwords & MFA (1/8)

Do staff use multi-factor authentication (MFA) to log in?

MFA means a second step after your password, like a code on your phone or a fingerprint. It stops someone who steals a password from getting in.

How do staff manage their passwords?

Think about whether your team uses a tool like LastPass or 1Password, or whether everyone just picks their own passwords.

Who has admin access to your systems?

Admin access lets someone install software, change settings, or access everything. Think about who can make changes to your computers and systems.

Application Control (2/8)

Can staff install any software they want on work devices?

This is about whether someone could download a random app from the internet and run it on their work laptop without anyone approving it first.

Do you maintain a list of approved software?

A simple list of what apps your business uses. Think MYOB, Xero, Microsoft Office, your practice management system.

Can staff run scripts, macros, or downloaded programs freely?

Macros are small programs that run inside documents (like Excel spreadsheets). Attackers often hide malware inside them.

Patching & Updates (3/8)

How quickly are security patches applied?

Patches are fixes that software companies release when they find security holes. Think of it like fixing a broken lock. The longer you wait, the more exposed you are.

Are your operating systems still supported by the manufacturer?

If your computers run Windows 10 or older, check whether Microsoft still releases security updates for that version. Unsupported means no more fixes.

How are updates managed across the business?

Is there one system pushing updates to all devices, or does each person click "update later" on their own laptop?

M365 & Email Security (4/8)

How is email protected against phishing and impersonation?

Phishing is when someone sends a fake email pretending to be a trusted person or company to trick you into clicking a link or sharing information.

Is your email domain protected with SPF, DKIM, and DMARC?

These are settings on your domain that stop attackers from sending fake emails that look like they come from your business. Your IT provider or domain host would have set these up.
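A defender's check of the records this question asks about, added here as an example and not part of the assessment: it parses SPF and DMARC TXT records and flags the weak settings (softfail-only SPF, monitor-only DMARC, missing records). The domain names and records are constructed samples; a real check would first fetch each domain's TXT records from DNS.

```python
# Constructed sample TXT records (not real domains), as an assessment
# would retrieve them from DNS; the check itself needs no network access.
SAMPLE_RECORDS = {
    "example-weak.test": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@example-weak.test",
    },
    "example-strong.test": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:reports@example-strong.test",
    },
    "example-missing.test": {"spf": None, "dmarc": None},
}

def check_spf(record):
    """Return a list of findings for an SPF TXT record (None if absent)."""
    if not record or not record.startswith("v=spf1"):
        return ["no SPF record: any server can send mail claiming this domain"]
    terms = record.split()
    findings = []
    if "+all" in terms:
        findings.append("'+all' authorises every sender; equivalent to no SPF")
    elif "~all" in terms:
        findings.append("'~all' (softfail) only marks spoofed mail; prefer '-all'")
    elif "-all" not in terms:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    return findings

def check_dmarc(record):
    """Return a list of findings for a DMARC TXT record (None if absent)."""
    if not record or not record.startswith("v=DMARC1"):
        return ["no DMARC record: receivers are never told to reject spoofed mail"]
    # Tags are 'key=value' pairs separated by ';'; split on the first '=' only
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk; p=reject blocks it")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not being collected")
    return findings

def assess_domain(records):
    """Combine SPF and DMARC findings; an empty list means the domain passes."""
    return check_spf(records["spf"]) + check_dmarc(records["dmarc"])

if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain, assess_domain(records) or ["OK"])
```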

Do you track your Microsoft 365 Secure Score?

Secure Score is a number Microsoft gives you based on how well your M365 is configured. It's like a health check built into your subscription. Higher is better.

Are Office macros restricted on your devices?

Macros are mini-programs inside Word and Excel files. Attackers use them to install malware when someone opens an infected document.

Backup & Recovery (5/8)

How often is your business data backed up?

If your server or cloud storage was wiped tomorrow, how much work would you lose? The answer depends on how often backups run.

Where are your backups stored?

If backups are on the same network as your files, ransomware can encrypt both at once. Offsite or cloud backups survive because they're not connected.

When did you last test restoring from backup?

Having backups is one thing. Knowing they actually work is another. A backup that's never been tested might fail when you need it most.

Devices & Endpoints (6/8)

Are all work devices centrally managed?

Central management means someone can see all your business laptops and phones from one screen, push updates, enforce security settings, and remotely wipe a lost device.

What endpoint protection is on your devices?

This is the security software on your laptops and desktops. Basic antivirus scans for known threats. More advanced protection can detect and stop attacks in real time.

Are devices built to a standard configuration?

When a new laptop arrives, does it get set up the same way every time? Same apps, same security settings, same rules? Or does everyone configure theirs differently?

Network Security (7/8)

How old is your firewall, router, and Wi-Fi equipment?

Your firewall is the device that controls what traffic enters and leaves your network. Like any technology, it needs regular updates and eventually replacing.

Is guest Wi-Fi separated from your business network?

If visitors, clients, or personal phones connect to the same Wi-Fi as your business computers, a compromised device could reach your servers and files.

How do staff connect when working remotely?

When staff work from home or on the road, how do they access business files and systems? Is the connection secure, or are they just logging in from any network?

Staff Practices (8/8)

Do staff receive cybersecurity awareness training?

Training teaches staff to spot fake emails, avoid suspicious links, and report anything unusual. Even one session a year makes a measurable difference.

What happens to IT access when someone leaves?

When a staff member resigns or is let go, are their email, VPN, and system logins turned off immediately? Or could they still log in days or weeks later?

If someone reported a suspicious email, what would happen?

The question is: does your team know what to do when something looks wrong? Is there a person or process, or would they just delete it and move on?