Is Your Business Actually Cyber Secure?
7 Questions Every Business Owner Should Ask
There’s one sentence I’ve heard from more than one business owner:
“I didn’t think it would happen to us.”
Different industries. Different sizes. Same sentence.
And honestly? I understand.
When you’re running a small business, especially somewhere like Te Anau you’re thinking about customers, bookings, staff, cashflow, weather… not cyber security.
But the issues I see in small businesses aren’t dramatic hacks.
They’re small gaps.
Shared passwords.
No multi-factor authentication.
Old admin accounts still active.
Backups no one has actually tested.
Nothing dramatic.
Until it is.
So instead of talking about “cyber security strategies,” here are the questions I naturally ask when I sit down with a business owner.
1. Have you turned on Multi-Factor Authentication everywhere important?
Email. Microsoft 365. Xero. Banking. Social media.
If someone gets hold of a password, MFA is often the only thing standing between “slightly inconvenient” and “very expensive.”
For small business cyber security in NZ, this is one of the simplest and most powerful protections and it’s still often inconsistent.
2. Who actually owns and controls your systems?
If your key staff member left tomorrow, would you still have access to everything?
Do you know:
Who owns your domain name?
Who is the global admin in Microsoft 365?
Where your master logins are stored?
This isn’t about mistrust. It’s about visibility and control.
3. Are passwords shared between staff?
“I’ll just log in as you.”
It feels practical in small teams.
But shared passwords remove accountability and if something goes wrong, it’s incredibly hard to trace.
4. When was the last time you tested your backups?
Not just “we use OneDrive.”
If ransomware or accidental deletion happened tomorrow, could you confidently restore your business data?
5. Would your team recognise a phishing email?
Invoice redirection scams are increasing in New Zealand.
Often it’s not a technical breach. It’s one well-written email sent at exactly the wrong time.
Cyber security for small businesses isn’t just technical. It’s behavioural.
6. If something went wrong tomorrow, what would you do first?
Who do you call?
What gets shut down?
Who needs to be informed?
Most small businesses don’t have a simple cyber response plan because they assume they won’t need one.
Until they do.
7. Have you checked what your cyber insurance actually requires?
This is starting to matter more.
Many cyber insurance policies now require:
Multi-factor authentication enabled
Secure admin access
Proper backup procedures
Staff awareness policies
If those basics aren’t in place, claims can become complicated.
I’ll write more about cyber security insurance soon because it deserves its own conversation but it’s definitely something worth understanding properly.
Running a small business is already enough.
You’re managing people, clients, deadlines, finances often all at once.
Cyber security shouldn’t be another invisible stress sitting in the background.
If you’re unsure where your business stands, that’s completely normal. Most owners are.
That’s where I come in to simplify it, tidy it up, and quietly make sure nothing obvious is being missed.
If even one of these questions made you pause, that’s usually the best place to start.
—
Marleen Wilson
Founder, Tech Aid
Your Digital Safety Net