Does remote access to your network and email require Multi-Factor Authentication (MFA)? If an employee's login credentials are stolen, can the thief still get in? With MFA, stolen credentials alone aren't enough — a second step (phone code, app, token) is required.
Are your backups protected by MFA, kept offline, or stored in immutable (unchangeable) storage? If ransomware locks up your live systems, can the attacker also reach and destroy your backups? If yes, you have no real way to recover without paying.
Do you have endpoint protection (EDR or advanced anti-malware) on laptops, desktops and servers? Basic antivirus catches known viruses; EDR watches for suspicious behaviour and can stop an attack while it's happening — not after.
Do you have enterprise email security in place (sandbox, gateway or filtering)? Does something inspect links and attachments before they land in an inbox? Most breaches start with a single click on a phishing email.
Could a breach require you to notify more than 500,000 individuals? This is about how much customer or employee data you hold, not how secure you are. More records held means greater potential exposure if a breach occurs.
Does the company hold any of the following security certifications: ISO 27001, NIST, PCI DSS, SOC 2?