The five questions
- Governance: Does your board or leadership formally review cyber and IT risk at least twice a year?
- Incident response: Do you have a documented, tested incident response plan (e.g. a tabletop exercise in the last 12 months)?
- Backup: Are backups tested at least quarterly and stored so they cannot be encrypted by ransomware?
- Access: Is multi-factor authentication (MFA) required for all cloud and remote access?
- Compliance: Do you hold, or are you working towards, Cyber Essentials or an equivalent framework?
Next step
If you answered "no" to two or more, prioritise those areas. For a full benchmark and sector comparison, use our StrategyOS Digital Maturity Assessment—it takes about 2 minutes and gives you a score you can use with your board or insurer.