The 30-Minute Security Audit Every SMB Owner Should Do This Week



May 2026  ·  7 min read

Most SMB owners assume they're reasonably secure but have never actually checked. This audit uses only free tools, takes under 30 minutes, and will tell you whether your credentials are exposed, your email can be spoofed, your MFA has gaps, and whether your perimeter has open doors you don't know about. Do it now — before someone else does it for you.


Every post we've published in the last month has pointed at the same gap: most small businesses assume they're reasonably protected without ever actually checking. The password policy exists. The MFA was set up at some point. The firewall is on. But nobody has verified that any of it is working — and the tools to do so are free, take minutes each, and are available to anyone right now.

This audit covers the five checks that matter most. No technical background required. No vendor to call. No cost. Just five checks that will tell you whether the things you think are protecting your business actually are.

Set a timer for 30 minutes. Start now.

This audit surfaces what's externally visible and checkable. It won't catch everything — but it will catch the gaps that show up again and again in SMB breaches: exposed credentials, spoofable email domains, MFA gaps, and open perimeter doors. Each finding is actionable the same day you find it.

Check 1 — Are your credentials already exposed?

⏱ 5 minutes · Free

Credential breach check — Have I Been Pwned

Check your own work email address → haveibeenpwned.com
Enter your work email. A red "pwned" result means the address appeared in at least one breach. Note every breach listed and what data was exposed (passwords, password hashes, personal details).

Check your top 3–5 key employees' work emails → haveibeenpwned.com
CFO, IT admin, office manager, anyone with access to financial systems or client data. These are the accounts attackers target first.

Set up free domain monitoring → haveibeenpwned.com/DomainSearch
Enter your company domain and prove you control it (the site accepts verification by email to a standard address at the domain, a DNS TXT record, or a file or meta tag on your website). You'll then be notified whenever any address at your domain appears in a future breach. Takes 5 minutes. Set it and forget it.

If you find a breach: Any password from the breached account that is still in use — anywhere — should be changed today, and MFA turned on for that account if it isn't already. Breach dumps are replayed against business logins for years; credentials from 2019 are still being tested against business systems in 2026. One caveat: never type a password you currently use into a website to "check" it. The one exception is the Pwned Passwords service, which only ever receives the first five characters of the password's hash.
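How the Pwned Passwords check can stay safe even for passwords still in use, as an added example that is not code from the original post or from Have I Been Pwned: the script hashes the password locally, sends only the first five hex characters of the SHA-1 hash to the real range endpoint (https://api.pwnedpasswords.com/range/), and matches the remaining 35 characters on your own machine. The response text embedded at the bottom is a constructed sample in the API's line format, so the script runs offline; the live lookup is in fetch_range().

```python
import hashlib
import urllib.request

# Added example, not from the original post: checks a password against the
# Have I Been Pwned "Pwned Passwords" range API using its k-anonymity model.
# Only the first five hex characters of the password's SHA-1 hash are sent;
# the password itself and the rest of the hash never leave your machine.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Uppercase hex SHA-1 split into the 5-char prefix that is sent and
    the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return how
    many times the password appeared in breaches; 0 means not found."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (needs internet). Add-Padding makes the API pad the
    response so its size does not reveal which prefix was queried."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "smb-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_body=None) -> int:
    """Breach count for a password. Pass range_body to work offline;
    otherwise the range for the password's prefix is fetched from the API."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range_response(suffix, body)


# Constructed sample of a padded response for prefix 5BAA6 (the real one has
# hundreds of lines). The middle line carries the genuine SHA-1 suffix of the
# string "password" with an illustrative count; the other two lines are
# made-up padding entries, which the API marks with a count of 0.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F3AB4B5A9AE8B72F0B6A4E0F5E9B6C9B7A:0
"""

if __name__ == "__main__":
    seen = breach_count("password", SAMPLE_RANGE_5BAA6)
    print("'password' seen", seen, "times in the sample range")
```

Call breach_count("yourpassword") with no second argument to query the live API; a non-zero result means that password is in circulation and must be retired everywhere it is used, not just on the account where you found it.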

Check 2 — Can your email domain be spoofed?

⏱ 5 minutes · Free

Email authentication check — SPF, DKIM, DMARC

Check your SPF, DKIM, and DMARC records → mxtoolbox.com/SuperTool.aspx
Enter your domain and run the "Email Health" check. You'll see whether SPF, DKIM, and DMARC records exist and whether they're configured correctly. Two things to look at in the SPF result: the record should end in "-all" or "~all" (a "+all" or "?all" record lets any host on the internet send as you), and it must stay within the limit of 10 DNS lookups, or receivers treat the record as an error.

Check your DMARC policy level → mxtoolbox.com/DMARC.aspx
Enter your domain. Look for the "p=" value. p=none means you're only collecting reports; mail that fails authentication is still delivered. p=quarantine or p=reject means you're enforcing. Also check "pct=" (anything below 100 applies the policy to only part of your failing mail) and "sp=", which sets the policy for subdomains. Many domains that have a DMARC record are stuck at p=none.

Why this matters: Without DMARC enforcement, anyone can send an email that appears to come from yourcompany.com — to your clients, your bank, your employees. Google, Yahoo, and Microsoft now require SPF, DKIM, and a DMARC record from bulk senders, and mail that fails authentication is increasingly junked or rejected outright. This affects both security and deliverability.
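The same grading, scripted, as an added example that is not code from the original post or from MXToolbox: it applies the SPF rules (the "all" qualifier, the 10-lookup limit) and the DMARC rules (p=, sp=, pct=, rua=) described above to records you paste in. fetch_txt() shows the live lookup with the dig command; the four records at the bottom are constructed samples for a fictional example.com, not any real domain's records.

```python
import re
import subprocess
from typing import Optional

# Added example, not from the original post: grades SPF and DMARC records the
# way the checks above describe, offline on pasted records. The mechanisms
# below are the ones RFC 7208 counts against the 10-lookup limit.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def fetch_txt(name: str) -> list:
    """Live lookup with dig (needs internet and dig installed). dig prints a
    long TXT record as several quoted chunks that must be joined."""
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True, check=True).stdout
    return ["".join(re.findall(r'"([^"]*)"', line))
            for line in out.splitlines() if line.strip()]


def parse_tags(record: str) -> dict:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_lookup_count(record: str) -> int:
    """Number of mechanisms that cost a DNS lookup; RFC 7208 allows at most 10."""
    count = 0
    for term in record.split()[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in LOOKUP_MECHANISMS:
            count += 1
    return count


def grade_spf(record: Optional[str]) -> list:
    """Findings for an SPF record; an empty list means it passes."""
    if not record:
        return ["SPF: no record; receivers cannot tell which hosts may send as you"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism, so unlisted hosts are never failed")
    elif all_term.lower() in ("all", "+all"):
        findings.append("SPF: '+all' lets any host on the internet pass SPF as you")
    elif all_term.startswith("?"):
        findings.append("SPF: '?all' is neutral and gives receivers no signal")
    lookups = spf_lookup_count(record)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def grade_dmarc(record: Optional[str]) -> list:
    """Findings for the TXT record at _dmarc.<domain>; empty means enforced."""
    if not record:
        return ["DMARC: no record at _dmarc.<domain>; spoofed mail is not filtered"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    p = tags.get("p", "").lower()
    enforcing = p in ("quarantine", "reject")
    if p == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif not enforcing:
        findings.append(f"DMARC: missing or invalid policy 'p={p}'")
    # Subdomains inherit p= unless sp= says otherwise; flag an explicit weakening.
    if enforcing and tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    pct = tags.get("pct", "100")
    if enforcing and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


def audit_domain(domain: str) -> list:
    """Live version: fetch both records with dig and grade them."""
    spf = next((r for r in fetch_txt(domain) if r.lower().startswith("v=spf1")), None)
    dmarc = next((r for r in fetch_txt("_dmarc." + domain)
                  if r.upper().startswith("V=DMARC1")), None)
    return grade_spf(spf) + grade_dmarc(dmarc)


# Constructed sample records for a fictional example.com.
SPF_WEAK = "v=spf1 include:spf.mailhost.example +all"
SPF_OK = "v=spf1 include:spf.mailhost.example -all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print("weak:", grade_spf(SPF_WEAK) + grade_dmarc(DMARC_MONITOR))
    print("enforced:", grade_spf(SPF_OK) + grade_dmarc(DMARC_ENFORCED) or "all checks pass")
```

audit_domain("yourcompany.com") runs the live version. Note that it grades only your own records; it does not test whether your mail provider actually signs outbound mail with DKIM, which is what the MXToolbox header analyser (or a received message's headers) tells you.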

Check 3 — Does your MFA actually cover everything?

⏱ 5 minutes · Free

MFA coverage audit — manual check

List every system your business uses — email, CRM, accounting, cloud storage, VPN, project management, remote access tools, your domain registrar and DNS provider
Write them all down. Not just the ones you think are important.

Check whether MFA is enforced on every system — not just available, but required
Log out of each system and attempt to log back in. Does it require a second factor? "Available" and "enforced" are not the same. Attackers look for systems where MFA is available but not required, and for older sign-in paths (IMAP/POP "legacy authentication", an old VPN portal) that skip it entirely.

Specifically check admin accounts — every one, without exception
Admin accounts are the highest-value target, and organizations typically have more of them than they realize: the original IT contractor's login, the account that created the tenant, the break-glass account in a drawer. If any admin account can be accessed with just a password, that's your most urgent finding.

Check whether push notifications require number matching → In your identity provider settings (Microsoft Entra / Google Workspace / Okta)
Without number matching, "push bombing" (sending approval prompts until a tired user taps Approve) can bypass MFA entirely. CISA explicitly recommends number matching for all push-based MFA deployments. Microsoft Authenticator has enforced it by default since 2023, so what you are checking for is any older or third-party push method that still allows plain approve/deny. While you're there, note which accounts fall back to SMS or voice codes; those are the weakest factors and the first thing a phishing kit targets.

The number that matters: 41% of organizations with MFA deployed were still breached via MFA bypass in Q3 2025. Partial coverage is the most common cause. The systems you didn't check are the ones attackers will find.

Check 4 — What's visible on your perimeter?

⏱ 10 minutes · Free

External attack surface check — Shodan

Look up your public IP addresses on Shodan → shodan.io (free account)
Create a free Shodan account. Find your office's public IP (search "what is my IP" from the office network) and the IPs of any servers you host, then look each one up on Shodan. You'll see every port and service Shodan has observed from the public internet — including things you may not know are exposed. Shodan's data is a periodic crawl, not a live scan, so an empty result is not proof that nothing is open; a port scan of your own IP from outside the office network is the definitive check.

Look specifically for RDP (port 3389), SMB (port 445), and Telnet (port 23)
These are near-automatic red flags in cyber insurance assessments and among the most exploited ports. If any are open to the public internet, treat it as an immediate finding. Database ports (1433, 3306, 5432), VNC (5900) and FTP (21) belong on the same list.

Check for any admin panels or login pages indexed publicly
Shodan records the page titles of the web services it finds. If your server management console, firewall or router admin page is reachable from the internet without a VPN in front of it, it's an open door: move it behind the VPN or restrict it to your office IP.

What attackers use Shodan for: Exactly this. Shodan is the same tool attackers use to find exposed RDP ports, admin panels, and misconfigured services. You should see your own perimeter the way they do — before they do.
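Triage of a Shodan host record, as an added example that is not code from the original post or from Shodan: the Shodan host API (GET https://api.shodan.io/shodan/host/<ip>?key=<your API key>) returns JSON with a "ports" list and a "data" list of banners, and the function below flags the ports called out above plus any web service whose page title reads like a login or admin panel. SAMPLE_HOST is a constructed response in that shape for a fictional address, not a real host; the risky-port list and the title keywords are this example's own choices.

```python
import json

# Added example, not from the original post or Shodan's own tooling: triages
# the JSON the Shodan host API returns for one public IP. SAMPLE_HOST below is
# a constructed response for a fictional address (203.0.113.10).

RISKY_PORTS = {
    3389: "RDP open to the internet",
    445: "SMB open to the internet",
    23: "Telnet (cleartext) open to the internet",
    21: "FTP (cleartext) open to the internet",
    1433: "MS SQL Server open to the internet",
    3306: "MySQL open to the internet",
    5432: "PostgreSQL open to the internet",
    5900: "VNC open to the internet",
}
ADMIN_TITLE_WORDS = ("login", "sign in", "admin", "dashboard", "router", "management")


def triage_host(host: dict) -> list:
    """One finding per risky service. Each entry of host['data'] is a banner
    with at least 'port' and 'transport'; 'product' and 'http' (which may
    carry 'title') are only present when Shodan could identify them."""
    findings = []
    seen = set()
    for banner in host.get("data", []):
        port = banner.get("port")
        key = (port, banner.get("transport", "tcp"))
        if key in seen:          # Shodan keeps several crawls of one service
            continue
        seen.add(key)
        product = banner.get("product", "unknown")
        if port in RISKY_PORTS:
            findings.append({"port": port, "severity": "high",
                             "product": product, "why": RISKY_PORTS[port]})
            continue
        title = (banner.get("http") or {}).get("title") or ""
        if any(word in title.lower() for word in ADMIN_TITLE_WORDS):
            findings.append({"port": port, "severity": "medium", "product": product,
                             "why": "web login/admin page reachable without VPN: "
                                    + title.strip()})
    # 'ports' lists everything seen open, including ports with no banner kept.
    flagged = {f["port"] for f in findings}
    for port in host.get("ports", []):
        if port in RISKY_PORTS and port not in flagged:
            findings.append({"port": port, "severity": "high",
                             "product": "unknown", "why": RISKY_PORTS[port]})
    findings.sort(key=lambda f: (f["severity"] != "high", f["port"]))
    return findings


SAMPLE_HOST = json.loads("""
{
  "ip_str": "203.0.113.10",
  "hostnames": ["mail.example.com"],
  "ports": [22, 443, 3389, 8443],
  "data": [
    {"port": 22, "transport": "tcp", "product": "OpenSSH"},
    {"port": 443, "transport": "tcp", "product": "nginx",
     "http": {"title": "Example Corp"}},
    {"port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol"},
    {"port": 8443, "transport": "tcp", "http": {"title": "Router Admin Login"}}
  ]
}
""")

if __name__ == "__main__":
    for f in triage_host(SAMPLE_HOST):
        print(f"[{f['severity']}] port {f['port']} ({f['product']}): {f['why']}")
```

Against the sample it reports RDP on 3389 as high and the router login page on 8443 as medium, while SSH on 22 and the public website on 443 are left alone. Anything this script flags should be confirmed with a scan from outside the office before you act on it, since Shodan's record may be days or weeks old.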

Check 5 — Are former employees' accounts still active?

⏱ 5 minutes · Free

Offboarding audit — access revocation check

Pull your active user list and compare against your current employee roster
Microsoft 365: Admin Center → Users → Active users. Google Workspace: Admin → Directory → Users. Export both lists and compare them rather than scanning by eye; contractors, service accounts and shared mailboxes are where former staff hide. Anyone who no longer works there should be disabled immediately, and their sign-in sessions revoked, because disabling an account does not always end sessions that are already open.

Check for active email forwarding rules to external addresses
Microsoft 365: Admin Center → Exchange → Mail flow → Rules shows organisation-wide rules, but forwarding is more often set on the mailbox itself (Exchange admin center → Recipients → Mailboxes → the mailbox → Mail flow settings → Email forwarding) or as a personal inbox rule; the "Auto forwarded messages" report under Reports → Mail flow in the Exchange admin center lists both. Look for anything forwarding to an address outside your domain. This is a common persistence mechanism set up by attackers or departing employees. Microsoft 365 blocks automatic external forwarding by default in its outbound spam policy; confirm nobody has switched that default off.

Check third-party SaaS tools for accounts that weren't caught in standard offboarding
CRM, project management, cloud storage: check the user lists. Former employees frequently retain SaaS access that wasn't connected to your main directory, especially in tools that were signed up for with a company card rather than through IT.

Why this matters now: Every active account belonging to someone who no longer works for you is an unmonitored access point — regardless of whether they left on good terms.
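The two comparisons above, scripted, as an added example that is not code from the original post or from Microsoft: one function diffs an active-user export against the HR roster (treating roster rows marked Terminated as leavers and skipping service and shared mailboxes by name prefix), the other flags forwarding targets outside your own domains. The CSVs are constructed samples for a fictional example.com, and the column names ("User principal name", "Work email", "Forward to", and so on) are assumptions modelled on a Microsoft 365 user export and a simple HR list; rename them to match your own exports.

```python
import csv
import io

# Added example, not from the original post: cross-checks an active-user
# export against the HR roster and flags mail forwarding that leaves your
# domains. Column names are assumptions; adjust them to your own exports.

INTERNAL_DOMAINS = {"example.com", "example.co.uk"}


def norm(addr: str) -> str:
    """Addresses compare case-insensitively, and exports carry stray spaces."""
    return addr.strip().lower()


def orphaned_accounts(active_csv: str, roster_csv: str,
                      user_col: str = "User principal name",
                      roster_col: str = "Work email",
                      exclude_prefixes=("svc-", "shared-")) -> list:
    """Active accounts that belong to nobody on the current roster. Roster
    rows whose Status is not Active (leavers) do not count, so an account
    still enabled for a terminated person is flagged. Service and shared
    mailboxes are skipped by prefix so they can be reviewed separately."""
    current = set()
    for row in csv.DictReader(io.StringIO(roster_csv)):
        if row.get("Status", "Active").strip().lower() == "active":
            current.add(norm(row[roster_col]))
    found = []
    for row in csv.DictReader(io.StringIO(active_csv)):
        upn = norm(row[user_col])
        if upn.split("@", 1)[0].startswith(exclude_prefixes):
            continue
        if upn not in current:
            found.append(upn)
    return sorted(found)


def external_forwards(rules_csv: str, internal=INTERNAL_DOMAINS) -> list:
    """(mailbox, rule name, target) for every forward to a domain you don't own."""
    hits = []
    for row in csv.DictReader(io.StringIO(rules_csv)):
        target = norm(row["Forward to"])
        if "@" not in target:
            continue            # e.g. a move-to-folder rule, not a forward
        if target.rsplit("@", 1)[1] not in internal:
            hits.append((norm(row["Mailbox"]), row["Rule name"].strip(), target))
    return hits


# Constructed sample exports for a fictional example.com.
ACTIVE_USERS_CSV = """Display name,User principal name,Licenses
Alice Ng,alice.ng@example.com,E3
Bob Stone,Bob.Stone@Example.com,E3
Carl Voss,carl.voss@example.com,E3
Dana Ruiz,dana.ruiz@example.com,E3
Scanner,svc-scanner@example.com,
"""
HR_ROSTER_CSV = """Name,Work email,Status
Alice Ng,alice.ng@example.com,Active
Carl Voss,carl.voss@example.com,Terminated
Dana Ruiz, dana.ruiz@example.com ,Active
"""
# A rule named "." is a classic attacker habit: easy to overlook in the UI.
FORWARDING_RULES_CSV = """Mailbox,Rule name,Forward to
dana.ruiz@example.com,Archive invoices,finance@example.co.uk
bob.stone@example.com,.,bstone@personal.example.net
"""

if __name__ == "__main__":
    print("accounts to disable:", orphaned_accounts(ACTIVE_USERS_CSV, HR_ROSTER_CSV))
    print("external forwards:", external_forwards(FORWARDING_RULES_CSV))
```

On the sample data it reports Bob Stone (active account, not on the roster) and Carl Voss (active account, roster says Terminated) as accounts to disable, and Bob's "." rule as the one forward that leaves the company's domains. The forward to example.co.uk is ignored only because that domain is listed in INTERNAL_DOMAINS; keep that set complete or every sister domain will show up as a finding.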

Score yourself honestly

After running all five checks, count how many pass cleanly:

0–1 checks pass cleanly: Critical. Address findings immediately. Don't wait for a scheduled review.
2–3 checks pass cleanly: Significant gaps. Create a remediation list this week and work through it in priority order.
4–5 checks pass cleanly: Strong baseline. Schedule this audit quarterly to catch drift before it becomes a gap.

Most SMB owners who run this audit for the first time find at least two significant findings. Not because their business is unusually exposed — but because nobody has checked before. The businesses that get breached aren't necessarily less secure than those that don't. They're less aware. This audit is the difference between those two states.

What this audit doesn't catch — and what does

This five-check audit surfaces the most common and most impactful gaps. It doesn't replace a professional vulnerability assessment. It doesn't check internal network segmentation, backup restore processes, or employee phishing resistance. And it's a point-in-time snapshot — your posture changes every time you add a tool, update software, or a new credential appears in a breach database.

The businesses that stay ahead of attackers run this audit quarterly, treat every finding as urgent, and have a continuous view of their external attack surface between manual checks.

Platforms like Veriti Spottr give SMBs the continuous version of this audit — automated, always-on scanning of your external attack surface that surfaces credential exposures, email authentication gaps, open perimeter doors, and access anomalies as they appear, not quarterly when you remember to check. This manual audit is the starting point. Continuous visibility is what keeps you there.

The 30 minutes you've been putting off

Every post in this series has ended with a version of the same message: the businesses that get hit aren't unlucky. They're unaware. And unawareness is a choice — specifically, the choice not to spend 30 minutes running the checks that would tell you exactly where you stand.

The five checks above are free. They take 30 minutes. The findings are actionable today. And if you do find something — and the odds are strong that you will — you'll have found it before an attacker did.

Set the timer. Start with Check 1.

Get a continuous, automated version of this audit — with a CyberScore that updates in real time. Veriti Spottr's beta is free.

Veriti Spottr Team AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
