1. Is Multi-Factor Authentication (MFA) enforced for all users on all critical systems (especially email)?

2. Do you use a professional, encrypted password manager for all company credentials (and not spreadsheets or sticky notes)?

3. Are your Microsoft 365 services (Email, SharePoint, OneDrive) backed up daily by a separate, third-party service?

4. Do you have an advanced threat protection service that scans incoming emails for malicious links and attachments?

5. Are all company laptops protected with disk encryption (like BitLocker for Windows or FileVault for Mac)?

6. Do you monitor for and get alerts about suspicious login activities (e.g., logins from unusual locations)?

7. Do you use intelligent access rules (Conditional Access) that can, for example, block logins from high-risk countries?

8. Are software updates and security patches automatically applied to all your computers in a timely manner?

9. Does your company have a system that blocks access to known malicious websites (DNS Filtering)?

10. Do your employees receive regular, ongoing security awareness training and simulated phishing tests?

11. Do you have a 24/7 security monitoring service (SOC/SIEM) that actively hunts for threats in your network?

12. Do you have a documented Incident Response Plan that outlines the specific steps to take in the event of a cyber attack?