Smart solutions
How to do a small-business cyber security audit in six steps
A cyber security audit is an important part of making sure your business is protected. Follow our six-step guide to help you understand where and how you might be vulnerable and identify measures to put in place.
September 03, 2025
5 minutes
Smart solutions
How to do a small-business cyber security audit in six steps
A cyber security audit is an important part of making sure your business is protected. Follow our six-step guide to help you understand where and how you might be vulnerable and identify measures to put in place.
September 03, 2025
5 minutes
A cyber security audit is a crucial step for small businesses to protect themselves from cyber crime. Start by taking an inventory of all your hardware, software and data.
Consider the security you already have in place and then review the risks, both human and digital. Make sure employees have had training on cyber threats and conduct a vulnerability scan, a process which identifies security weaknesses.
Rate cyber threats based on the chance of them happening, and the potential business impact. Use this information to prioritise your next steps. And don’t forget to review your risk assessment regularly.
List all your digital assets. This is vital, as you can only protect what you know is there, so make sure nothing slips through the net. It’ll enable you to identify critical assets, manage and mitigate vulnerabilities, ensure regulatory compliance, and respond effectively to incidents. Plus, it’s an essential component to allow you to complete a successful cyber security audit.
You can break everything down into categories. For example:
- Hardware: List desktop computers, laptops, shared servers, printers, mobile devices and network equipment such as routers and switchers. Be sure to include devices that belong to your employees, such as their phones, if they use them for work.
- Software: This is anything installed on your hardware, such as operating systems (e.g. Windows or MacOS on computers, Android or iOS on mobiles), programs such as Microsoft Office, accounting applications and anti-virus software. Don’t forget any cloud-based software you use (also known as Software as a Service, or SaaS). These are programs you access via the internet.
- Data: The information stored on your systems. This should include things such as financial records, employee information, customer data and your business’s own intellectual property. Highlight the data that is sensitive, including any information you have a legal obligation to protect.
Step 2: Assess your current security measures
Once you have a list of all your digital assets, you then need to do a cyber security assessment.
Review your current policies and consider how your technology is currently being used.
Think about:
- Access controls: Who can access what data? For example, is sensitive customer information accessible to everyone who works for you?
- Passwords: Are you confident your employees use strong passwords? Do you use multi-factor authentication?
- Contingency: What plans are in place if you were to lose essential data? For example, is it backed up, and if so, where and how often? Is that data encrypted?
Top tip: Schedule regular checks on your backed-up data to make sure it’s up to date. Test how you would use your back-ups in the event of a cyber incident – you don’t want the first time you carry out the plan to be in an emergency.
Evaluate your software, systems and technology
How secure is the tech itself? Important questions to ask are:
- Is all your software updated regularly? Software providers will release new versions with additional security frequently, to cover known vulnerabilities.
- Do your devices have anti-virus software installed, and is it kept up to date?
- Is your WiFi safe and secure? The aim should be to ensure that your network remains only accessible to users and devices that you authorise.
- Do you have firewalls in place and turned on?
Top tip: Doing basic security hygiene well doesn’t have to be complicated. A simple solution is better than no solution.
Step 3: Evaluate the human risk
Humans can be your greatest vulnerability when it comes to protecting your business from cyber crime, but with the right practices they can also be your greatest strength. You and your employees are often your company’s first defence, so it’s important that everyone adheres to good security standards.
Some things to consider are:
- Employee training: Have your team had some basic cyber security awareness training? Do they use strong, unique passwords on their work devices?
- Phishing: Does everyone understand what phishing is and what it might look like? Are you confident your employees can identify suspicious emails or links?
- Account hygiene: How regularly do you review all active accounts and permissions? Be sure to remove old accounts or unused permissions regularly.
Top tip: Consider running a phishing simulation to test awareness. Encourage your employees to report any security problems or suspicions openly.
Step 4: Identify threats and vulnerabilities
This is where you need to think about what cyber criminals might want from your business and how they might access your systems and data. The aim is to find your weak spots before they do otherwise you may risk the ability to take payments and keep a record of customer orders, as well as experience disruption and delays with your supply chain.
To start, make sure you and your employees understand the main ways cyber criminals could cause trouble for your business. The most common threats are:
- Phishing: The most frequent type of cyber attack. It involves tricking an employee into revealing sensitive information, such as passwords or bank details, often via fake emails or convincing phone calls.
- Malware: Malicious software that’s often used to steal sensitive information or cause your computer to malfunction. It’s usually hidden in email attachments or comes from accessing insecure websites. Malware can lurk on your computer without you knowing it’s there and spread to other devices.
- Ransomware: A specific type of malware that encrypts your business’s files and data to prevent you from being able to get into them. The attackers then demand a ransom to restore access.
- Insider threats: These may come from disgruntled employees or simple human error.
Then conduct a vulnerability scan. This is an automated process using specialised software that finds and reports on cyber security weaknesses. Think of it as a kind of health check that provides a diagnosis of vulnerabilities and how to fix them.
Step 5: Carry out a security risk assessment and create an action plan
Once you’ve identified the vulnerabilities of and threats to your business, conduct a cyber security risk assessment.
Ask yourself two simple questions, measuring the potential likelihood and impact to your business:
- What is the likelihood of any of the threats or security breaches happening to my business? Is it low or high?
- What would be the impact on the business? Is it low or high?
1. High likelihood and high impact
These are the top priority risks. Examples include:
- Phishing attacks (very common and can lead to data breaches).
- Ransomware (can halt operations and cause financial loss).
- Weak passwords (easy to exploit and can compromise systems).
- Unpatched software (frequently targeted and can be devastating).
2. High likelihood and low impact
These should be addressed if mitigation is cost-effective. Examples include:
- Spam emails.
- Minor malware infections
3. Low likelihood and high impact
Plan for these with contingency measures. Examples include:
- Natural disasters.
- Insider threats.
- Major data breaches.
4. Low likelihood and low impact
These can be monitored periodically but don’t require immediate action.
You should now have everything in place to create a clear and simple plan to improve the cyber security of your business. Focus on the high-risk, high-impact issues first. You can then work through everything else as time allows.
Top tip: Making cyber security a part of your core business processes, to keep your company protected and able to go from strength to strength.
Step 6: Review regularly and keep improving
A cyber security audit isn’t a one-off task. Threats evolve all the time, so it’s important to update your security risk assessment frequently.
Create a regular audit schedule. Once you’ve done it the first time, it’ll become quicker and easier. You should also consider writing an incident response plan so that you’re well prepared should a cyber attack take place. Remember, cyber security doesn’t need to be complex, but it does need to be consistent. So, take the first step today.
Cyber security audit checklist
Download our cyber security audit checklist today and follow the six steps to protecting your business from digital threats.
You may also be interested in
ESSENTIALS EXPLAINED
September 03, 2025
ESSENTIALS EXPLAINED
September 03, 2025