IT Maturity Assessment Quiz

IT Assessment

Your Details 1 / 9

/10

E8 %

Tell us about your business

We'll personalise your report. Takes 30 seconds.

Business name *

Your name *

Email *

Phone

Industry *

Staff count *

Passwords and Multi-Factor Authentication1/8

When staff log in to email, accounting software, or other business systems, what do they need beyond their password?

MFA = multi-factor authentication: a second step after the password, like a code from a phone or an authentication app.

Every login requires a code from the staff member's phone or an authentication app. No exceptions, every business system, every staff member. This is called multi-factor authentication (MFA). MFA is on for some systems (usually email) but not others, or it's on for some staff but not all. Setup happened a while back and hasn't been revisited. MFA is available but optional. Some staff have set it up because they wanted to; others haven't bothered. There's no policy requiring it. Staff just type their password and they're in. No second step. I don't know whether staff need anything beyond a password to log in.

How do staff manage their passwords day-to-day?

Every staff member uses a password manager. It generates a unique strong password for each system, and staff don't need to remember any of them. Logging in is "open the vault, click the entry, you're in." There's a written password policy (minimum length, no reuse, change every few months). Most staff follow it most of the time, but no-one's actively checking. No formal policy. Staff pick their own passwords. Some are probably strong, some are probably "Companyname2024" or a small variation reused across systems. Several staff are still using passwords from when they joined years ago, reused across personal and work accounts. I don't know how passwords are managed in our business.

Who in your business has administrator (admin) access, meaning the ability to install software, change system settings, or access everyone else's data?

Only one or two designated people have admin access, and they have separate "admin" accounts they only use when they need to make changes. For day-to-day work (email, documents, web browsing) they use a normal staff account. Two or three people have admin access but they use it for everyday work too. Their daily login is also their admin login. Most staff have admin access on their own laptops. They can install software or change settings whenever they need to. Pretty much everyone is an admin. There's no real separation between staff accounts and admin accounts. I don't know who has admin access.

Application Control and Software Management2/8

Can staff install software on their work computers whenever they want?

No: only software approved by management or IT can be installed. If a staff member tries to install something that isn't on the approved list, it's blocked automatically. Officially staff need to ask before installing software, but in practice most people just install what they need without asking. Staff install whatever they need to do their job. There's no approval step. Anyone can install anything: free trials, browser extensions, downloads from random websites. We've found unfamiliar software on devices when we've looked. I don't know whether there are any restrictions on what staff can install.

Is there a list somewhere of the software your business actually uses and approves?

Yes, there's a documented list of approved software. It's reviewed and updated regularly. New requests get added (or refused) through a clear process. We have a rough idea of what's in use across the business, but it's not written down anywhere formal. No list. People use whatever tools they think they need for their job. The business has been using the same handful of apps for years, but if you asked us to list everything actually installed across all our devices, we couldn't. I don't know whether we have a list of approved software.

Are staff able to run downloaded files or unfamiliar programs on their computers without anything stopping them?

No: any program that isn't on the approved list gets blocked when staff try to run it. Random downloaded files, free utilities, and unknown programs simply won't open. Some restrictions exist (antivirus checks, warnings, prompts) but a staff member who really wants to run something can usually click through them. Staff can download and run programs freely. Antivirus might catch the obvious stuff, but otherwise nothing's checking what they run. Staff regularly install or run things they've downloaded: free utilities, browser plugins, trial software, scripts. Whatever they want. I don't know what restrictions are in place on what staff can run.

Patching and Updates3/8

When a software vendor releases a critical security update, how quickly does it get installed on your computers?

Critical security updates are installed across all devices within 48 hours. There's a process that ensures it happens. Updates are applied regularly (weekly, monthly, or whenever IT gets to it) but there's no specific deadline, and some devices may lag behind. Updates happen when someone notices a prompt on their screen, when something breaks, or when there's a reminder. Most devices are running with whatever updates were on them six months or a year ago. Update prompts get dismissed routinely. I don't know whether or how our computers get security updates.

Are the operating systems on your computers (Windows, macOS) still officially supported by Microsoft or Apple, meaning they still get security updates?

Every computer runs a current, supported operating system. We replace or upgrade devices before they fall out of support. Most devices are current, but a few older laptops or a back-office machine are running older versions we haven't gotten around to upgrading. Several devices are running operating systems that are no longer supported. They still work, so they're still in use. Some of our computers are running Windows 7, Windows 8, or very old macOS versions. They haven't received updates from the vendor in years. I don't know which Windows or macOS versions our computers are running.

How do updates actually get pushed out across your business?

A central management system (run by us or our IT provider) automatically pushes updates to every device, monitors which devices have applied them, and chases up any laggards. Our IT person or provider manually pushes updates out, usually on a schedule, but there's no system catching devices that miss it. Each staff member is responsible for installing updates on their own device when prompted. Some do it diligently, others ignore the prompts. Updates aren't really managed. They happen if Windows decides to install them automatically, otherwise not at all. I don't know how updates get installed across our devices.

Microsoft 365 and Email Security4/8

What protection is in place against phishing emails (fake emails impersonating banks, suppliers, or your own colleagues)?

Multiple protection layers are active: filters that scan attachments before delivery, links that get checked when clicked, and warnings when an email pretends to be from someone in the business but isn't. Suspicious emails get quarantined or flagged. Some email security features are turned on but we couldn't tell you exactly what's configured. The defaults seemed to do something. We rely on whatever protection came turned on by default with our email service. We've never reviewed or adjusted it. Phishing emails reach the inbox regularly. Staff have been caught out before, or have nearly clicked something dodgy. I don't know what email security we have beyond basic spam filtering.

Are emails from your business reaching customers reliably, or do you regularly hear they ended up in junk?

Customers and suppliers receive our emails reliably. We rarely get "did you get my email?" follow-ups, and we've never had a deliverability incident. Occasionally a client mentions an email went to junk, but it's rare and seems like a one-off. We've never investigated why. Junk-folder issues come up often enough that staff routinely ring or text after sending important emails to confirm they landed. Deliverability is a known problem. We've changed how we send invoices, quotes, or proposals because too many were getting blocked or going to spam. I don't know whether our emails are reaching customers reliably.

Does anyone actively monitor the security of your email and document platform (Microsoft 365, Google Workspace, or similar) and work to tighten it over time?

Yes: someone reviews our platform's security score (or equivalent) every month and works through recommended improvements. We can demonstrate that the score has improved over time. Someone checked the security settings when we first set it up, but no-one's gone back to it since. We've never reviewed it. We're using whatever defaults came with the product when we signed up. We've never thought about platform-level security as something separate from the product itself. I don't know whether anyone monitors our platform security.

Specifically for Microsoft Word, Excel, and PowerPoint files: are macros (the automated code inside those files) restricted?

Yes: macros from files received via email or downloaded from the internet are blocked entirely. Only macros in trusted internal documents can run. Some macro restrictions are in place but we're not sure exactly what. Office shows a warning bar; whether staff click "enable" depends on the person. Macros run when staff click "enable content" on the Office warning bar. Most staff click it without thinking. No restrictions: macros from any source can run automatically. I don't know what happens with macros in Office files.

Backup and Recovery5/8

How often is your business data (files, emails, accounting data, customer records) backed up?

Every day, automatically. We don't think about it, it just happens. We could check the backup status if we needed to. Backups run weekly, automatically. Backups happen occasionally: maybe monthly, maybe when someone remembers, maybe when there's a scare. Honestly, we're not sure if our data is being backed up at all. We've assumed Microsoft 365 (or our cloud provider) handles it. I don't know whether or how often our data is backed up.

Where are your backups stored, and could ransomware reach them?

Backups are stored in multiple locations. At least one copy lives offsite or in cloud storage that's locked from being modified or deleted (called "immutable"). Even if ransomware hits the main systems, the backups can't be encrypted. Backups are stored offsite or in cloud storage, but we're not sure if they're protected against being modified or deleted by an attacker. Backups are stored on the same network as our main computers, or on a USB drive that's plugged in or kept in the office. Backups (if they exist) live on the same server or computer as the original data. If something happens to the main system, the backups are likely lost too. I don't know where our backups are stored.

When did someone last actually test restoring data from a backup to make sure it works?

Within the last month. We routinely test restores so we know they actually work, not just that the backup file exists. Within the last six months. We've done at least one successful restore test recently. More than six months ago. We assume the backups would work if we needed them. We've never tested a restore. The backup software shows "completed" each day and we trust that's enough. I don't know whether anyone has ever tested a restore.

Device and Endpoint Protection6/8

Are all your work computers (laptops, desktops, tablets) managed through a central system that lets IT push policies, install software, and lock down settings?

Yes: every device is enrolled in a management platform. IT can push updates, install software, enforce security settings, and remotely lock or wipe a device if it's lost or stolen. New devices follow the same setup automatically. Some devices are managed centrally, but not all. Maybe office laptops yes, remote workers' devices no. Devices are set up individually when they arrive. Once they're handed to a staff member, no central system is managing them. Each device is "the staff member's responsibility". If a device is lost or compromised, there's no way to lock it remotely or know what was on it. I don't know whether our devices are centrally managed.

What kind of security software is running on your computers to detect and stop threats like ransomware or viruses?

EDR = endpoint detection and response: like advanced antivirus. Watches for suspicious behaviour (not just known viruses) and can isolate a compromised device from the network automatically.

Every device runs modern threat-detection software (called EDR, short for endpoint detection and response). It detects suspicious activity in real time, can isolate a device from the network if it gets infected, and reports back to a central console. Every device has antivirus, but we're not sure if it's the modern kind that detects unusual behaviour, or the older kind that just scans for known viruses. Most devices have antivirus, but a few might not. We've never audited it. The free antivirus that came with Windows is what's running, if anything. We haven't checked. I don't know what security software is on our devices.

Are all your computers set up the same way, or has each one grown into its own configuration over time?

Every device is built from a standard image. Same operating system, same approved apps, same security settings. A new laptop arrives, gets the standard build, hands to the staff member ready to go. New devices follow a rough setup checklist that's used most of the time, but it's not strictly enforced and has drifted over the years. Each device is set up individually when it arrives. Whoever's setting it up installs what they think is needed. The fleet is a mix of devices accumulated over years: different operating systems, different apps installed, no two configured the same way. I don't know how our devices are set up.

Network Security7/8

How old is your network equipment (firewall, router, WiFi access points), and is anyone keeping its software up to date?

All network equipment is less than three years old, on current firmware, and actively managed (either by us or our IT provider). Manufacturer security updates get applied as they're released. The equipment is three to five years old. It still works. Firmware updates have been done occasionally but not on a schedule. The equipment is more than five years old, or we don't actually know when it was last updated. The router is whatever the internet provider gave us when we signed up. We've never logged into it. If there's a separate firewall, we're not sure where it is. I don't know what network equipment we have or how old it is.

Is the WiFi that visitors and clients use kept separate from the WiFi your staff use for work?

Yes: there's a dedicated guest WiFi network that's fully separated from the business network. Visitors can get internet access but can't reach any business systems, files, or printers. There's a guest network, but we're not sure if it's actually separated or if it's just a different password on the same network. Everyone (staff, visitors, clients) connects to the same WiFi network with the same password. The WiFi password hasn't been changed in years. Past clients, ex-staff, and people who've been to the office still have it on their phones. I don't know whether our guest WiFi is separated from our business network.

When staff work from home or on the road, how do they connect back to business systems?

VPN = virtual private network: a private, encrypted tunnel between the staff member's device and your business network, so data can't be intercepted on public WiFi.

Staff connect through a secure remote access system (VPN or equivalent) that requires multi-factor authentication. We can see who's connected and from where. Staff log into cloud apps directly with their normal username and password. There's no special remote access setup. Staff use their personal home computers and home WiFi to access business systems. There's no specific remote work security in place. Remote staff connect however they need to: personal devices, public WiFi, shared computers. No-one's actively managing it. Staff don't work remotely, or I don't know how they connect.

Staff Practices and Security Awareness8/8

Do staff get any cybersecurity training: recognising phishing, what to do with suspicious emails, password hygiene?

Yes: at least annual training, plus periodic simulated phishing tests so we can see who's clicking and reinforce learning. New starters get trained as part of onboarding. There was training when staff first joined or when we set up our IT a few years ago, but no refreshers since. No formal training. Occasional reminders in staff meetings or emails when something happens in the news. Staff have never had any cybersecurity training. They're expected to use common sense. I don't know whether staff have had any cybersecurity training.

When a staff member leaves the business, what happens to their access to email, files, accounting software, and other business systems?

Their access is removed the same day they leave, following a documented offboarding checklist. Email is forwarded or archived, accounts are disabled, devices are returned and wiped. Their access is removed within a few days. There's no formal checklist, but it gets done. It depends on who remembers. Sometimes accounts get disabled, sometimes they stay active for weeks or months. Old staff accounts probably still exist somewhere. We've had cases where someone realised an ex-staff member still had access months after leaving. I don't know what happens to staff accounts after they leave.

If a staff member received a suspicious email right now (a fake invoice, a "your account is locked" message, an odd request from the boss), what would happen?

There's a clear process: staff know exactly who to forward suspicious emails to (or there's a "report phishing" button in their email). The report is reviewed promptly and the sender is investigated. Most staff would forward it to a manager or to IT, but there's no formal process and the response would depend on who's available. Most staff would just delete it and move on. They might mention it casually if it was particularly weird. Honestly, staff would probably click it first to see what happens, or reply to ask if it's genuine. We've had close calls. I don't know what staff would do with a suspicious email.

A copy of this report will be emailed to

Prepared for ·

Book an IT Audit Schedule a meeting

Book IT Audit Schedule a meeting

Overall IT Maturity

0 /10

Critical

0 – 2.5

At Risk

2.6 – 5.0

Managed

5.1 – 7.5

Optimised

7.6 – 10

0/10

Essential Eight Level 1 Readiness

0 %

Want these explained?

Book a quick meeting and we'll walk you through what each Essential Eight control means for your business and where to start.

Book a meeting

Section Breakdown

Sorted by risk. Click to expand.

Want the full picture?

This assessment shows where the gaps are. A CIO Tech IT Audit ($990) goes deeper. On-site, across your entire environment, with a prioritised remediation roadmap.

Book an IT Audit

Or call (02) 8089 0217