How exposed are you, really?
Fourteen questions calibrated against what underwriters check in 2026. Answer honestly. See where you stand. Board-ready summary in your inbox.
- ✓ Under six minutes, no login required
- ✓ Score against Critical Controls, High Impact, and Important tiers
- ✓ Ranked recommendations, not a 40-item shopping list
First five questions unlock without email. Enter your details after question five to see your full score.
When someone in your company requests a wire transfer, or a vendor asks to change their payment details, do you verify the request through a separate channel - a phone call to a known number - before acting?
If you discovered a breach at 2am tonight - who do you call first, what gets shut down, who tells your team and your customers? Is any of that written down somewhere people can actually find it?
Does everyone in your company have to confirm logins with a code from their phone or an authenticator app (sometimes called “MFA”) - with no exceptions for executives, remote staff, contractors, or specialized roles?
Do you have backups of your important data stored somewhere an attacker can’t reach or encrypt - and have you actually tested the restore process in the last 90 days?
Do the systems that run your core operations (control networks, industrial equipment, medical devices, specialized workstations, or client-privileged platforms) live on the same network as email and general file shares? Or is there a real boundary between operations and everyday IT, tested inside the last year?
If something bad happened on a Saturday night - accounts taken over, data being stolen, systems acting strange - would a monitoring service catch it and start responding within minutes?
Do your computers, servers, and equipment - including any devices at remote sites or embedded in operations - get their critical security updates installed within 30 days of release?
When was the last time someone checked your remote access - the way people connect to your systems from outside the office - to make sure nothing is exposed, outdated, or still using default passwords?
Do you know exactly who has the highest level of access - the “admin” accounts that can change anything on your systems? And is that list short, current, and reviewed regularly?
For the vendors who touch your systems (MSP, accounting platform, ERP, practice-management or industry-specific platforms, client portals), do you require them to meet baseline cyber standards, and do you know when they’ve had incidents that could affect you?
When someone leaves your company, are their accounts and access removed completely within 24 hours - email, shared drives, accounting systems, vendor portals, everything?
When your team uses personal phones or laptops to access work email or files, do you have a way to remotely remove that access if the device is lost or the person leaves?
Has anyone specifically set up your email to catch phishing - the fake messages pretending to be your CEO, your bank, or a vendor? (Microsoft 365 and Google have stronger filters available, but they’re off by default.)
Do you carry cyber insurance with good coverage? And in the last 18 months, has your policy been stable - no decline, no cancellation, no sharp premium increase?
Unlock your full scorecard
Calculating…
You have mapped your Critical Controls posture. The remaining nine questions score your High-Impact and Important controls to complete the picture. Enter your details to continue.
—
Calculating your posture…
Category breakdown
Where to focus first
Next step
Book a 30-minute diagnostic with a Vencer partner. We’ll walk your specific gaps, prioritize what closes first, and estimate what each fix takes. No pitch. No obligation.
Book the 30-minute diagnostic →A self-assessment tool, not a certified audit. Results reflect self-reported inputs and pattern-matched benchmarks from operator experience. For a verified assessment, our formal engagement is the appropriate step.