
Kosh Solutions’ 10-Question Cyber Resilience Check

"Cyber Threats Never Slow Down. See how your defenses stack up with the Kosh Solutions Cyber Review."

Most business leaders think they’re doing enough to stay safe online. They’ve got antivirus, maybe backups, and they assume Microsoft 365 “has security built in.”

But “good enough” might be the most dangerous posture of all.


Kosh Solutions has been called in too many times after the fact — after payroll systems were locked, files encrypted, or customers emailed from a compromised account. Every single time, the story starts the same way:

“We thought we were covered.”

So instead of another checklist, let’s do something more useful. Walk through these 10 quick questions — the same ones we use when performing discovery for a new customer — and see how confident you really feel about your setup.


1. When was the last time your backups were verified — not just created?

Backups fail silently all the time. We’ve seen clients with beautiful backup logs… of corrupted data. A real test means restoring something — not just trusting green lights.


If you can’t remember the last test date, assume you’re vulnerable.


2. Do you have MFA (multi-factor authentication) on every critical account?

MFA is the digital equivalent of locking your doors. Yet many companies only use it on Microsoft 365, leaving remote access, firewalls, and cloud consoles wide open.

Attackers love inconsistency. They only need one unguarded door.


3. Are your systems patched and verified monthly?

“Automatic updates” isn’t a plan — it’s a hope. When ransomware gangs exploit old vulnerabilities, they’re targeting systems that should have been patched months ago.


Good IT management doesn’t wait for a breach to prove a point.


4. Has your team had security awareness training in the last 12 months?

Technology can’t protect an employee who clicks the wrong link. Phishing is still the number one cause of compromise because it targets what can’t be patched — human instinct.

Training at least once a year isn’t about checking a compliance box; it’s about rewiring reflexes. We recommend weekly micro-training to keep staff up to date on the latest threats.


5. Who actually manages your Microsoft 365 security settings?

If your answer is “Microsoft,” it’s time for a reality check. Microsoft gives you tools — not configuration. We routinely find unmonitored admin accounts, unreviewed sharing permissions, and inactive users still holding licenses.


A properly managed M365 tenant is one of the cheapest ways to cut risk and waste at the same time.


6. Do you know how long it would take to recover after a cyber incident?

Most organizations don’t. They have backups but no process. When disaster strikes, hours matter. A tested recovery plan can mean the difference between “back up by noon” and “out of business by Monday.”


7. How often do you review who has remote access?

During the pandemic, nearly every company opened new doors for remote work. Few have closed or audited them since. That’s how ex-employees, vendors, and unknown IPs linger quietly — until someone uses those credentials for something you’ll regret.


8. Do you have a documented incident response plan?

Not a vague idea. Not “we’ll call IT.” A written plan — names, steps, and thresholds for escalation. Because in a real incident, panic is louder than reason. Having a plan silences the chaos.


9. Are you paying for software or licenses nobody uses?

This one stings. We recently helped a client uncover $16,000 in wasted licenses — software that had been paid for monthly but never used.

License waste isn’t just about money; it’s about unmanaged sprawl. Every orphaned account is a potential attack surface.


10. When was the last time you asked your IT partner for proof — not promises?

Reports, audits, test restores, patch logs — they all exist for a reason. Trust is good. Verification is better.

The best IT relationships thrive on transparency, not assumptions.


Your (Unofficial) Score

If you were able to answer positively to most of the questions above, congratulations — you’re among the few SMBs taking cybersecurity seriously. If you hesitated on more than two or three, you’ve just built your own to-do list.


But don’t stop there. You can take the full Cyber Resilience Readiness Quiz to see where your business truly stands and get a personalized report with recommendations based on your answers.


It’s free, fast, and might save you from the most expensive downtime you’ll ever face.


Why This Matters

Cyberattacks don’t target big names anymore — they target easy targets. And in most cases, those “easy targets” are smart, growing businesses that simply assumed their tech was being handled.


At Kosh, we’ve seen both sides — the preventable and the painful. Our goal isn’t to scare you; it’s to give you a clear picture before an attacker does.


Ready to Find Out Where You Stand?

[Take the Cyber Resilience Quiz →] Practical next steps. No sales pitch.
