Mini IT Security Audit Results:
What Your Score Means
1. General Security Policies
What is it?
General security policies are the ground rules for how your team protects data and systems. Essentially, these are documented guidelines everyone in your agency should follow for things like password management, device use, and data handling.
Why does it matter?
Policies set the standard for security-conscious behaviour. Without clear policies, people tend to rely on their own judgment (which can lead to mistakes).
For example, one employee might reuse a weak password while another installs unapproved software – both creating risks. Having a formal IT security policy ensures everyone is on the same page, reducing inconsistent practices that hackers could exploit. (Don’t worry if you don’t have a policy yet – about 80% of small businesses still lack a formal cybersecurity policy. Recognising this is the first step toward improvement.) Strong policies also show clients and regulators that you take security seriously, which can protect your reputation and help with compliance requirements.
2. Network Security
What is it?
Network security means protecting your office network and internet connection from unauthorised access or attacks. It includes things like your firewall (the device that blocks unwanted traffic), secure Wi-Fi setup (with strong passwords and encryption), and network monitoring. Think of it as the locks and alarm system for your digital office space.
Why does it matter?
Your network is the backbone of your operations – if it’s compromised, everything from client deliverables to emails could be at risk. A secure network keeps hackers out and sensitive data in.
For instance, a properly configured firewall will block hackers and malware at the door, and a securely set up Wi-Fi ensures that only the right people (with the right password) can connect. Without these protections, an attacker could eavesdrop on your communications or spread viruses across your agency. In short, good network security keeps your agency’s daily work running safely and smoothly.
Tip
If you have team members working remotely or freelancers accessing systems, consider using a VPN (Virtual Private Network). A VPN creates an encrypted tunnel for remote connections, so data stays protected when someone is working from home or a café. It’s an extra layer to keep snoops out of your network traffic.
3. Access Control
What is it?
Access control is about who gets to access what in your IT systems. In practice, it means setting up user accounts with appropriate permissions and using principles like “least privilege” (each person only accesses the data and systems they need for their job). It also covers how you add or remove access when people join or leave your agency.
Why does it matter?
Imagine your agency’s data as a series of locked rooms – access control is managing who has the keys. Good access control ensures sensitive information is only seen by the right people. For example, your junior designer shouldn’t have admin access to financial records, and ex-employees shouldn’t retain any access at all. By carefully managing permissions, you reduce the risk of internal mistakes or misuse and limit damage if an account is compromised. Combine strong access rules with the next item (MFA) for a one-two punch: people only have minimal access, and even that access is well protected.
Tip
Regularly review user accounts and their roles. It’s healthy to audit accounts a few times a year to disable any that are outdated and confirm everyone’s access is still appropriate.
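The kind of check that review should run, as an added example that is not code from the original page or from Cubit Technology: it takes an export of user accounts (the names, teams, roles and dates below are constructed for the example) and flags the three things the section above asks for: leavers whose accounts are still enabled, accounts nobody has used in months, and privileged roles held outside the team that needs them. The map of which team may hold which admin role is an assumption you would replace with your own.

```python
from datetime import date, timedelta

# Constructed sample export in the shape you might pull from an identity provider.
# Every name, team, role and date here is made up for this example.
ACCOUNTS = [
    {"user": "alice", "role": "finance-admin", "team": "finance",  "enabled": True,  "left": False, "last_login": "2024-05-01"},
    {"user": "bob",   "role": "designer",      "team": "creative", "enabled": True,  "left": True,  "last_login": "2024-01-15"},
    {"user": "carol", "role": "finance-admin", "team": "creative", "enabled": True,  "left": False, "last_login": "2024-04-28"},
    {"user": "dave",  "role": "designer",      "team": "creative", "enabled": True,  "left": False, "last_login": "2023-10-02"},
    {"user": "erin",  "role": "it-admin",      "team": "it",       "enabled": True,  "left": False, "last_login": "2024-05-03"},
    {"user": "frank", "role": "designer",      "team": "creative", "enabled": False, "left": True,  "last_login": "2023-06-01"},
]

# Least-privilege rule (an assumption for this example): which team legitimately owns each privileged role.
PRIVILEGED_ROLES = {"finance-admin": {"finance"}, "it-admin": {"it"}}


def review_accounts(accounts, today, privileged_roles=PRIVILEGED_ROLES, stale_days=90):
    """Return (user, finding) pairs for accounts that need action.

    today: ISO date string. Enabled accounts with no login for more than stale_days are flagged.
    """
    today = date.fromisoformat(today)
    findings = []
    for a in accounts:
        last_login = date.fromisoformat(a["last_login"])
        # Leavers: access should go the day they leave, not at the next review.
        if a["left"] and a["enabled"]:
            findings.append((a["user"], "leaver-still-enabled"))
        # Stale but enabled: nobody is using it, so nobody would notice if an attacker did.
        elif a["enabled"] and today - last_login > timedelta(days=stale_days):
            findings.append((a["user"], "stale-account"))
        # A privileged role held by someone outside the team that needs it.
        allowed_teams = privileged_roles.get(a["role"])
        if allowed_teams is not None and a["team"] not in allowed_teams:
            findings.append((a["user"], "privileged-role-outside-owning-team"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, "2024-05-06"):
        print(f"{user}: {finding}")
```

Run against the constructed export, this reports bob (left but still enabled), carol (finance admin outside the finance team) and dave (no login in over 200 days); frank is ignored because his account was already disabled when he left.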
4. Multi-Factor Authentication (MFA)
What is it?
Multi-Factor Authentication is a security step that requires users to provide an extra proof of identity beyond just a password when logging in. Typically, it means after entering your password, you must also enter a one-time code from your phone or confirm a notification. In short, it checks “Are you really you?” before letting you in.
Why does it matter?
MFA dramatically improves login security. Why? Because even if a password is stolen or guessed, an attacker can’t get past the second step without your phone or other verification method. It’s one of the simplest, most effective ways to prevent unauthorised access to email, files, and other sensitive systems. For an agency handling client data, enabling MFA on accounts (email, cloud storage, finance systems, etc.) is like having a deadbolt in addition to a lock – it significantly lowers the chance of a break-in. If you’re not using MFA everywhere it’s available, this is a quick win to boost security.
Note:
MFA can take many forms. Common ones are a code sent by text message, a code or prompt from an authenticator app, a fingerprint/face scan, or a hardware security key. Text-message codes are the weakest of these (they can be intercepted or redirected by SIM-swap fraud), so prefer an authenticator app or a security key where the service supports it. It might add a few seconds to login, but the peace of mind is well worth it.
5. Data Backup (Cloud Backup)
What is it?
Data backup means keeping copies of your important data in a safe place, so you can restore it if the original is lost or damaged. A cloud backup specifically means those copies are stored off-site in secure cloud servers (rather than just on a local hard drive or server in your office). Often, businesses use a mix of on-site backups and cloud backups for extra protection.
Why does it matter?
Think about the work your agency does – client campaigns, creative assets, financial records. Now imagine if all that data suddenly disappeared due to a hardware failure, ransomware attack, or even an accident like fire or flood. Because cloud backups are off-site, an incident at your office won’t wipe out your only copy. One caveat: ransomware that gets into your accounts can often reach backups that are always connected or that use the same logins, so keep at least one copy that your day-to-day accounts cannot alter or delete (an offline copy, or a cloud backup with versioning or immutability and its own separate credentials). In plain terms, a solid backup system is your safety net.
It means that even if the worst happens, your business can recover quickly without losing clients or credibility. If your audit showed a gap here (for example, no regular off-site backups), this should be a top priority to address – it’s often straightforward to set up and can literally save your company.
Tip
Test your backups periodically. It’s not enough to have backups; you should be confident you can actually restore from them. A backup that can’t be restored is no backup at all. We recommend doing a test restore at least a couple of times a year.
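What a test restore looks like when it is automated, as an added example that is not code from the original page or from Cubit Technology: back up a folder into an archive, record a checksum of every file in a manifest kept separately from the archive, then restore into a scratch directory and compare every file against the manifest. The second run deliberately truncates the archive to show that the check reports a backup that cannot be restored. The folder contents are constructed for the example; a real run would point `make_backup` at your actual data and keep the manifest with your backup records.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source` and return a manifest {relative path: sha256}.

    The manifest is what a restore is checked against, so keep it apart from the archive.
    """
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Restore regular files only, refusing any archive entry that would land outside `target`."""
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            dest = (target / member.name).resolve()
            if target.resolve() not in dest.parents:
                raise ValueError(f"refusing unsafe path in archive: {member.name}")
            dest.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(dest, "wb") as out:
                out.write(src.read())


def verify_restore(archive: Path, manifest: dict) -> list:
    """Do a test restore into a scratch directory and return the list of problems found (empty = good)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        try:
            restore_backup(archive, target)
        except Exception as e:  # any failure to read the archive is exactly the finding we want reported
            return [f"restore failed: {type(e).__name__}: {e}"]
        for rel, digest in manifest.items():
            f = target / rel
            if not f.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_of(f) != digest:
                problems.append(f"corrupt: {rel}")
    return problems


def demo(corrupt_archive: bool = False) -> list:
    """Build a small constructed data set, back it up, optionally damage the archive, then test-restore it."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "clientwork"
        (source / "campaign").mkdir(parents=True)
        (source / "campaign" / "brief.txt").write_text("constructed sample client brief\n")
        (source / "invoices.csv").write_text("constructed,sample,data\n")
        archive = work / "backup.tar.gz"
        manifest = make_backup(source, archive)
        if corrupt_archive:
            data = archive.read_bytes()
            archive.write_bytes(data[: len(data) // 2])  # simulate a truncated or damaged backup file
        return verify_restore(archive, manifest)


if __name__ == "__main__":
    print("healthy backup:", demo() or "restore verified")
    print("damaged backup:", demo(corrupt_archive=True))
```

The point of restoring into a scratch directory rather than over the live data is that the test never risks the originals; the point of the manifest is that "the restore finished" is not the same as "the files came back intact".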
6. Endpoint Security (Device Protection)
What is it?
“Endpoints” are basically any devices that connect to your network – laptops, desktops, smartphones, etc. Endpoint security is protecting those devices. Key elements include installing reputable anti-virus/anti-malware software on them, keeping their software updated with the latest patches, and using encryption where appropriate (like full-disk encryption on laptops).
It also means having secure configurations on devices (for example, requiring a password or PIN, and auto-locking when idle).
Why does it matter?
Almost all cyber attacks involve at least one device. For instance, an employee might accidentally click a malicious link in an email, downloading malware onto their PC. Up-to-date anti-malware software would catch or block that threat in many cases, preventing a small mistake from turning into a big breach. Patching (updating) is equally critical – many attacks exploit known bugs in software for which the vendor has already released a fix.
If your devices install those updates promptly, you close the door on those attacks. Additionally, if a laptop is lost or stolen, having it encrypted means outsiders can’t read the data on it. In short, secure devices = a secure business. By ensuring every laptop and phone in your team is well-protected, you greatly reduce your risk of incidents.
7. Physical Security
What is it?
Physical security in IT refers to protecting the hardware and physical access to your systems. It can be as simple as locking the server room or as routine as making sure employees don’t leave laptops unattended in public places. It also includes things like alarm systems, door entry controls, or CCTV in areas where critical IT equipment is stored.
Why does it matter?
Not all threats are online – an intruder or a misplaced device can cause trouble too. If someone can just walk into your office and plug into your network, or pick up a staff member’s laptop at a coffee shop, they might steal data without any fancy hacking.
By evaluating and limiting physical access to your equipment and files, you add another layer of defence. For example, keeping servers in a locked cabinet means outsiders (or even curious visitors) can’t tamper with them. Encouraging staff to secure their laptops (cable locks at the desk, not leaving devices in cars) reduces the chance of theft.
Physical security is often about common-sense policies and a bit of foresight – and it complements your cyber protections. An investment in a lock or an access card system can prevent costly incidents down the line.
8. Incident Response Plan
What is it?
An incident response plan is like a fire drill for cyber incidents. It’s a predefined plan that outlines how your team will react to a security breach or cyber attack. This plan typically covers who is on the response team (internal and/or external experts), what steps to take immediately (e.g., disconnecting affected systems, resetting passwords), how to communicate internally and externally, and how to recover operations.
Why does it matter?
When a cyber incident strikes, every minute counts. Having a clear, practiced plan means you can contain the damage faster and get back to normal sooner. Without a plan, teams often panic or waste time figuring out what to do and who should do it – which can make the damage worse.
For example, if ransomware hits, an incident plan would tell you how to isolate infected machines, whether to power them down, who to call for help, and how to notify any affected clients or authorities. This not only limits the impact of the attack but also shows outsiders (like clients or regulators) that you handle crises responsibly.
We hope you never have to use an incident response plan, but like insurance, it’s crucial to have. If your audit indicated you don’t have one, it’s a good idea to start drafting one – even a basic plan is better than none, and we can help tailor it to your agency’s needs.
9. Compliance & Legal Requirements
What is it?
This area checks how well you adhere to industry regulations or standards that relate to cybersecurity. For many agencies, a big one is data protection laws like GDPR (for personal data) or perhaps NDAs/client contract requirements. It also includes frameworks or certifications like Cyber Essentials (a UK security certification) that clients might expect you to have. Essentially, it’s about meeting any external rules that say how you must protect data.
Why does it matter?
Compliance isn’t just red tape – it’s there to ensure you’re doing the right things security-wise. If you ignore applicable laws or standards, you risk legal penalties and fines, or even losing the ability to work with certain clients. For instance, GDPR mandates protecting personal data; a breach could lead to hefty fines and damage to your reputation.
On the positive side, being compliant can be a selling point. When you can tell clients “we follow GDPR best practices and are Cyber Essentials certified,” it builds trust that you’re a professional partner who won’t put them at risk. Use your audit results to identify any compliance gaps – many agencies discover they need policies or technical measures to meet requirements. We can guide you on prioritising these so that your agency stays on the right side of the law and industry best practices.
Note
If some of this sounds unfamiliar, don’t worry. Part of our partnership approach is helping you navigate these requirements. We keep up with the changing regulations so you don’t have to go it alone.
10. Cybersecurity Awareness & Training
What is it?
Cybersecurity awareness is all about educating your team on how to spot and avoid common threats. This can involve formal training sessions, phishing email drills, or even just sharing tips regularly. The goal is to build a culture where everyone, from interns to executives, understands their role in keeping the company safe.
Why does it matter?
Even with all the fancy security tools, your people are the first line of defence. One click on a bad link or one mistaken download can bypass a lot of tech safeguards. By training your staff, you empower them to make safer decisions: to recognise a suspicious email, to use strong passwords and MFA, and to follow the policies you’ve put in place. Agencies often deal with social engineering attacks (like phishing aimed at tricking someone into giving up credentials). Awareness training significantly lowers the chance of these tricks succeeding.
Plus, it creates a shared sense of responsibility – security isn’t just “the IT person’s job,” it’s everyone’s job. If your audit score was low here, it’s an easy area to start improving: consider short, engaging training sessions or modules that teach employees what to look out for. Many of these can be done online and even made fun. Over time, you’ll likely see fewer close calls and an increase in staff reporting “something phishy” before it becomes an incident.
Tip
Make it continual. One-off training has limited effect, but periodic refreshers and updates about new scams keep security top-of-mind. Even quick email newsletters with a “security tip of the month” can maintain awareness.
11. Security Tools & Technology
What is it?
This covers the technical solutions you use to protect your IT environment. It overlaps a bit with other areas but focuses on whether you have the right tools in place and kept up to date. Examples include: next-generation firewalls, intrusion detection systems, security software on devices (EDR/antivirus), email filtering tools, and patch management systems. It also means using technology appropriately – for instance, not running outdated software that no longer gets security updates.
Why does it matter?
The cybersecurity landscape is always evolving, with new threats emerging. Modern security tools are designed to tackle these threats proactively. For example, an advanced firewall can detect suspicious network activity in real time, and an anti-malware program with behaviour analysis can catch ransomware before it encrypts everything. If your audit indicated gaps here, you might be missing crucial defences.
Using up-to-date security technology acts as a force multiplier for your IT team – it can automate threat detection and even response in some cases, catching issues that a human might miss. Conversely, relying on outdated or minimal tools is like defending against today’s cyber criminals with yesterday’s locks.
The good news is that many enterprise-grade security tools are now accessible to smaller businesses via cloud services or managed services (which we provide). This area of your results helps highlight if there’s a tech upgrade or addition that could significantly reduce your risk.
Note
Technology alone isn’t a silver bullet (people and process matter too), but it’s a critical foundation. We can help assess which security solutions fit your specific needs and budget, so you get maximum protection without unnecessary complexity.
12. Cloud & Email Security
What is it?
Cloud & email security focuses on protecting your cloud-based services and email accounts. For agencies, this often means things like securing Office 365 or Google Workspace accounts, implementing email spam/phishing filters, and ensuring cloud file-sharing (like Dropbox, OneDrive, etc.) has proper access controls. It’s about making sure that the convenience of cloud and email isn’t a gateway for attackers.
Why does it matter?
Email is still the #1 entry point for cyber attacks – phishing emails, malicious attachments, scam links, you name it. Having robust email security (filtering out spam and dangerous messages, and publishing the email authentication records SPF, DKIM and DMARC so that receivers can reject mail that spoofs your domain) can stop threats before they reach inboxes. Meanwhile, cloud platforms hold a treasure trove of your data. If they’re not configured securely, a hacker or even a former employee could exploit that.
Ensuring strong passwords and MFA on cloud accounts, limiting who can access what, and monitoring for unusual logins are all part of cloud security. If your audit score was low here, you’ll want to tighten up these areas to prevent data leaks or embarrassing incidents (like a hacker sending emails from your address or downloading your client list). The solution might be as straightforward as turning on built-in security settings in your email service, or as involved as adopting a cloud security tool – but each step will significantly reduce risk.
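A quick way to check whether the anti-spoofing records mentioned above actually enforce anything, as an added example that is not code from the original page or from Cubit Technology. SPF and DMARC are published as DNS TXT records; the code below does not query DNS (you would paste in the records you get from `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`) but evaluates them and explains what is weak. The two pairs of records are constructed: the weak pair is the typical "set up but not enforcing" state, the strong pair is what you want to end up with. DKIM is not covered because it lives in per-selector records that differ by mail provider.

```python
import re

# Constructed examples. example.com is a reserved name; the Google include is what Google Workspace documents.
WEAK = ("v=spf1 include:_spf.google.com ~all", "v=DMARC1; p=none")
STRONG = (
    "v=spf1 include:_spf.google.com -all",
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100",
)

# SPF terms that cost a DNS lookup; RFC 7208 limits a record to 10 of them or receivers treat it as an error.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """Parse a DMARC-style 'tag=value; tag=value' record into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(spf) -> list:
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["SPF: no record, so receivers cannot tell which servers may send as your domain"]
    findings = []
    terms = spf.split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        findings.append("SPF: '+all' lets any server on the internet send as your domain")
    elif last in ("~all", "?all"):
        findings.append(f"SPF: '{last}' only marks unlisted senders as suspicious; use '-all' once every real sender is listed")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("SPF: record does not end with an 'all' mechanism, so unlisted senders are not rejected")
    lookups = sum(1 for t in terms if re.split(r"[:/=]", t.lstrip("+-~?").lower(), 1)[0] in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10, so receivers will fail the check")
    return findings


def assess_dmarc(dmarc) -> list:
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        return ["DMARC: no record, so SPF/DKIM failures are not acted on and you get no reports of spoofing"]
    findings = []
    tags = parse_tags(dmarc)
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("DMARC: record has no p= policy tag, so it is invalid")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered. Move to quarantine, then reject")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to junk; p=reject blocks it outright")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports showing who is spoofing you")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of your mail")
    return findings


def assess_email_auth(spf, dmarc) -> list:
    """Combined findings for a domain's SPF and DMARC records; an empty list means both are enforcing."""
    return assess_spf(spf) + assess_dmarc(dmarc)


if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("strong", STRONG)):
        print(f"{label}:", assess_email_auth(*records) or ["no findings"])
```

Moving from `~all`/`p=none` to `-all`/`p=reject` is best done in that order: the aggregate reports from `rua=` tell you which legitimate senders (newsletter tools, CRM, invoicing platforms) you forgot to list before you start rejecting their mail.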
Tip
If you haven’t already, set up automatic alerts for your cloud accounts (e.g., get an alert if a new login comes from an unfamiliar location or if many files get downloaded rapidly). Early warning can make a huge difference in catching illicit access.
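Both alerts in the tip above, as detection logic run over sample log lines. This is an added example, not code from the original page or from Cubit Technology, and the log is constructed to look like a generic cloud activity export (one JSON object per line with a timestamp, user, event and country or file); real exports from Google Workspace or Microsoft 365 have their own field names, so the parsing would be adapted. The first login seen for a user sets their baseline of known countries, which is a simplification; a real setup would build the baseline from weeks of history.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def constructed_log() -> str:
    """Build constructed audit-log lines resembling a generic cloud activity export. Not real data."""
    base = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
    events = [
        (base, "alice", "login", {"country": "GB"}),
        (base + timedelta(minutes=10), "alice", "login", {"country": "GB"}),
        (base + timedelta(minutes=12), "alice", "login", {"country": "RU"}),  # never seen for alice before
        (base + timedelta(minutes=15), "carol", "login", {"country": "US"}),  # first login: sets carol's baseline
        (base + timedelta(minutes=20), "bob", "login", {"country": "GB"}),
    ]
    # bob then pulls 25 files six seconds apart, the "many files downloaded rapidly" case.
    for i in range(25):
        events.append((base + timedelta(minutes=21, seconds=6 * i), "bob", "download", {"file": f"client-{i}.pdf"}))
    lines = []
    for ts, user, event, extra in events:
        lines.append(json.dumps({"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "user": user, "event": event, **extra}))
    return "\n".join(lines)


SAMPLE_LOG = constructed_log()


def detect(log_text: str, burst_threshold: int = 20, burst_window: timedelta = timedelta(minutes=5)) -> list:
    """Return (user, alert, detail) tuples for logins from unfamiliar countries and download bursts."""
    known_countries = defaultdict(set)   # user -> countries they have logged in from before
    downloads = defaultdict(deque)       # user -> timestamps of recent downloads (sliding window)
    burst_alerted = set()                # alert once per user per run, not on every further download
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        user = rec["user"]
        if rec["event"] == "login":
            country = rec["country"]
            if known_countries[user] and country not in known_countries[user]:
                alerts.append((user, "login-from-new-country", country))
            known_countries[user].add(country)
        elif rec["event"] == "download":
            recent = downloads[user]
            recent.append(ts)
            while recent and ts - recent[0] > burst_window:
                recent.popleft()
            if len(recent) >= burst_threshold and user not in burst_alerted:
                alerts.append((user, "download-burst", f"{len(recent)} files within {burst_window}"))
                burst_alerted.add(user)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log this raises exactly two alerts: alice's login from a country she has never used, and bob's burst once his twentieth download lands inside the five-minute window. Tune the threshold to your own team's normal behaviour (a designer syncing a project folder can legitimately pull hundreds of files) and route the alerts somewhere a person will actually see them.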
13. Zero Trust Security
What is it?
Zero Trust is a modern security philosophy that says “never trust, always verify.” In traditional IT networks, anything or anyone inside the network was often implicitly trusted. Zero Trust flips that: every user, device, or application, inside or outside the network, must continually prove its legitimacy before getting access. In practice, implementing Zero Trust can involve segmenting your network, requiring MFA everywhere, and validating devices (ensuring a device meets security requirements before it connects).
Why does it matter?
This approach might sound extreme, but it’s very effective at limiting breaches. Imagine an attacker somehow steals an employee’s credentials or infects one computer. In a non-Zero Trust setup, that might let them move freely through your network. In a Zero Trust setup, that compromised account or device would still face barriers at each step, because the system is always asking “are you allowed to do this?” and “have you been authenticated and verified recently?”. It ensures that every access request is thoroughly vetted, greatly reducing the chance that one breach turns into a full network compromise.
For many agencies, adopting Zero Trust is a journey – you don’t do it overnight. It starts with small changes, like tightening access and enabling MFA (which you may already be doing!). If Zero Trust was a new concept in your audit, don’t be intimidated. It basically ties together many of the things above into a unified strategy. Over time, moving toward a Zero Trust model will strengthen your overall security posture and give you peace of mind that even if something does go wrong, it’s quickly contained.
14. Mobile Device Management (MDM)
What is it?
Mobile Device Management is a system or software that helps you manage and secure mobile devices (like smartphones, tablets, and even laptops) used for work. With MDM, your IT team (or provider) can do things like enforce security settings on devices, push updates, and remotely lock or wipe a device if it’s lost or stolen. It’s essentially a way to keep control over all the gadgets that handle your company’s data.
Why does it matter?
Nowadays in agencies, people will often work on the go, using personal phones for email or taking laptops home. Mobile devices are increasingly used instead of PCs, and that presents challenges for data security. Without MDM, it’s hard to ensure every phone or tablet accessing company email is encrypted, has a PIN code, or can have company data wiped from it if someone leaves the firm. MDM makes this manageable.
For example, if an employee’s phone with client emails gets stolen, MDM allows you to remotely erase those emails before someone can misuse them. It also helps set up new devices securely in a consistent way (so you don’t rely on each user to, say, enable a screen lock or update their OS – the system can ensure it). If your audit results showed a gap in MDM, consider it an important area if your team uses mobile tech heavily. It’s about protecting your data on devices you don’t always physically control. We can help implement an MDM solution that balances security with employee privacy and convenience, keeping your agency flexible but safe.
Next Steps: Strengthen Your Security Together
Get Expert Support
You’re not alone. Our team at Cubit Technology can help you address the areas you want to improve.
Access our Resources
Explore our Resources Hub for practical checklists, guides, and articles on all things cybersecurity.
Join our Mailing List
Each month we share agency business IT insights, free resources and advice on preventing IT catastrophes.
Let's make IT easier for your agency
We hope this breakdown of your audit results has been educational and reassuring. If you have any questions about the topics above or want guidance on what to do next, we’re just a call or email away.
Together, let’s make sure your agency’s creativity and hard work are safeguarded against whatever cyber threats come your way.
Ready to take the next step?
Frequently Asked Questions
Can you help me with ISO 27001, ISO 9001 or getting a Cyber Essentials certificate?
Yes. We can help you increase your security measures, improve your management processes and better protect your business against cyber attacks.
What kind of technology does Cubit include in its support service?
We recognise that each business has its own culture so we try not to be prescriptive. Instead, we remain vendor-agnostic. We support Google Workspace and Microsoft 365. We support Macs and Windows PCs. We use a range of technologies to support agencies across London.
How do you charge for your services?
We charge a flat monthly fee based on the number of computers in the organisation. Then all support and consulting related to all IT infrastructure is included in that monthly fee.
The only additional fees will be where there is some new IT infrastructure coming into the organisation – eg new equipment to be configured or a migration to a software platform or an office relocation etc.
For any project like this, we’ll provide a full quotation and if accepted and the work done, that will become part of the IT infrastructure and support will be included at the same monthly rate.
Do you support both Mac and PC environments?
Yes, we specialise in mixed-device workplaces to ensure smooth operations across different platforms.
Can you help with transitioning from another IT provider?
Absolutely. We facilitate stress-free IT transition plans to avoid disruptions to your agency.
How do you enhance cybersecurity for agencies handling client data?
We implement advanced cybersecurity measures, data encryption, and compliance protocols to safeguard your agency.
Our mission is to improve every customer's opinion of IT support
Trusted by 35 independent marketing agencies in Central London.