A 10-question AI Reality Check for small business owners.
This is not a sales tool. It is a reality check.
The 10 questions on the next page were designed so a business owner — someone who is running a medical practice, a recruiting firm, a small accounting shop, or a real-estate office — can answer them honestly without anybody from our company in the room. Each question is plain English. Each one reflects something we have personally watched go wrong for a small business in the last two years.
When you finish, you'll have a count of how many you answered Yes. That count tells you, roughly, where you stand. There's no perfect score — most of the small businesses we know score somewhere in the middle. The point is to know where you actually are, not where you assume you are.
Time required: about 10 minutes.
Who should answer: the business owner. No technical knowledge required. No IT person needed.
To start, please tell us a little about yourself so we can email you your detailed report.
Answer these questions to better understand where your business stands against today’s AI-driven cyber threats. Once you’ve completed the assessment, click the Get your score button below.
Backup proof. When is the last time you proved you could actually restore your data — not just that backups ran, but that you could open the files and they were the right ones? Have backups been tested in the last twelve months?
Multi-factor authentication on every account. Does every person in your business — including you, your bookkeeper, the part-time admin — have to use a code or app on their phone, in addition to a password, to log into applications including your email and bank sites? And are there no exceptions to this?
Payment verification rule. Do you have a written rule that wire transfers, ACH changes, or invoice payment changes always require a phone call to a known number to verify — even when the request looks like it came from you, or another owner, or a long-time vendor?
Cyber insurance reality check. Do you have an active cyber liability insurance policy? And in the last twelve months has anyone read the application or renewal questionnaire and confirmed you actually have the controls it requires?
AI use in your business. Do you know which of your employees are using AI tools — ChatGPT, Microsoft Copilot, Claude, Gemini, others — for work? Are they inputting company or client information into these tools? Do you have a written policy detailing what is and isn't allowed with regard to AI usage?
Password discipline. Could you say with confidence that none of your employees are reusing the same password across email, your industry-specific software, and personal accounts? And that no one writes passwords on sticky notes or shares them by text or chat?
Lost laptop. If an employee left their laptop in an Uber tonight, would you (a) know about it within 24 hours, and (b) be confident that the data on the laptop cannot be accessed by whoever finds it?
Offboarding discipline. When someone has left your business — voluntarily or not — in the last twelve months, do you have a record showing that every system they had access to was revoked within 24 hours? Email, software, phone system, building access?
Regulatory scope. Could you write down right now which regulations apply to your business — HIPAA, GLBA, PCI, your state's privacy law, others — and could you produce evidence you're complying with them if a regulator or your insurance carrier asked you tomorrow?
Crisis plan. If you discovered tomorrow morning that your patient or client data had been stolen, do you know — without looking anything up — who your first three phone calls would be, and what you would say to your patients, clients, and staff?