Every company should know its cyber risk level. But most Italian SMEs have never done a cyber risk assessment - often because they think it is too expensive or too complex. In reality, an initial cyber risk assessment can be done in 30 minutes with the right method. It does not replace a professional assessment, but it gives you a clear map of where you stand and where you need to act.
10 questions that reveal your risk
- Do you have an updated inventory of all devices and software on your network?
- Is multi-factor authentication enabled on all critical access (email, VPN, admin)?
- Are backups tested regularly (not just done, but tested with actual restores)?
- Do you have a patch management process with defined timelines for critical vulnerabilities?
- Is there a written incident response plan that was tested in the last year?
- Do employees receive security training more than once a year?
- Do you have centralized visibility into security events (SIEM or equivalent)?
- Are privileged credentials managed and monitored?
- Are critical vendors evaluated for cyber risk?
- Do you know how long it would take to restore operations after ransomware?
How to interpret the results
Count your "no" answers:
- 7 or more "no": critical risk - you need a professional assessment and an urgent remediation plan.
- 4-6 "no": high risk - you have the basics but significant gaps.
- 1-3 "no": medium risk - you are doing well, but there are areas to improve.
- All "yes": congratulations, but get verified by an external party - self-certification has its limits.
This method is based on NIST CSF and CIS Controls frameworks, simplified for a quick evaluation. In 30 minutes it gives you a snapshot that can guide investment priorities. In my experience, most Italian SMEs fall in the "high risk" range - not for lack of will, but for lack of awareness about what is actually needed. If you want to turn this self-assessment into a concrete action plan, I am available for a conversation.
If you want to dive deeper into this topic or need specialized consulting, let us talk.