Is Your Business Actually Cyber Secure?
7 Questions Every Business Owner Should Ask
There’s one sentence I’ve heard from more than one business owner:
“I didn’t think it would happen to us.”
Different industries. Different sizes. Same sentence.
And honestly? I get it.
When you’re running a small business, especially in a place like Te Anau, you’re thinking about customers, bookings, stock, staff, weather… not cyber threats.
But the cyber issues I see aren’t dramatic hacks.
They’re small gaps.
Shared passwords.
No multi-factor authentication.
Old accounts still active.
Backups no one has actually tested.
Nothing dramatic.
Until it is.
So instead of talking about “cyber security strategies”, here are the kinds of questions I naturally end up asking when I sit down with a business owner.
“Have you got MFA turned on everywhere important?”
Email. Microsoft 365. Xero. Banking.
If someone guesses or steals a password, MFA is often the only thing standing between “annoying” and “expensive”.
It’s one of the simplest things small businesses in NZ can do to improve their cybersecurity, and it’s still surprisingly inconsistent.
“Who actually owns your systems?”
If your key staff member left tomorrow, would you still have control?
Do you know:
Who owns your domain name?
Who is the global admin in Microsoft 365?
Where the main logins are stored?
This isn’t about mistrust. It’s about visibility.
“Are passwords shared between staff?”
I see this a lot.
It feels practical in small teams.
But shared passwords mean no accountability, and if something goes wrong, it’s very hard to trace.
“When was the last time you tested your backups?”
Not just “we use OneDrive.”
If ransomware or accidental deletion happened tomorrow, could you confidently restore your data?
“Would your team recognise a phishing email?”
Invoice redirection scams are increasing in New Zealand.
Often it’s not a technical breach, it’s one convincing email sent at the wrong moment.
Cyber security for small businesses isn’t just about software. It’s about awareness.
“If something did go wrong, what would you do first?”
Who do you call?
What gets shut down?
Who needs to be informed?
Most businesses don’t have a cyber response plan because they assume they won’t need one.
Until they do.
“And have you checked what your cyber insurance actually requires?”
This is something that’s starting to come up more.
A lot of business owners assume insurance will cover a cyber incident.
But many policies now require things like:
MFA enabled
Secure admin access
Backup procedures
Staff awareness policies
If those basics aren’t in place, claims can get complicated.
I’ll write more about cyber security insurance soon because it deserves its own conversation, but it’s definitely something worth understanding properly.
Running a small business is already enough.
You shouldn’t have to lose sleep wondering whether your systems are secure.
If you’re unsure where you stand, that’s completely normal. Most business owners are.
That’s where I come in: to simplify it, tidy it up, and make sure nothing obvious is being missed.
If reading this made you pause even slightly, that’s usually the best place to start.
—
Marleen Wilson
Founder, Tech Aid
Your Digital Safety Net