January 16, 2026

The Quiet Cyber Security Checklist Most Businesses Ignore

Introduction

Most cyber attacks don’t start with ransomware.

They start weeks or months earlier, quietly, in the gaps nobody has time to look at.

This checklist isn’t about blame.
It’s about visibility.

If you can’t confidently tick these off, your business is exposed – whether you realise it or not.

Quiet Cyber Security Checklist
Ask yourself honestly:

SECTION 1 – PERIMETER & ACCESS CONTROL

Do we know exactly who has administrative access to our firewall?
Are all firewall and edge devices fully patched and supported?
Is remote management of core infrastructure locked down or disabled?
Do we review admin accounts regularly – not just add new ones?
If our firewall were compromised today, could someone download its configuration?
Reality check:
Most breaches start here, not on a laptop.

SECTION 2 – VPNs & REMOTE ACCESS

Do we know how VPN users authenticate (and what happens if that credential is compromised)?
Are VPN users restricted by role, not convenience?
Is MFA enforced everywhere it should be – not just “where possible”?
Could a “temporary” or “guest” account access the internal network?
Reality check:
VPNs are a favourite entry point because they look legitimate.

SECTION 3 – PATCHING & “QUIET” MAINTENANCE

Are operating systems patched within a defined timeframe?
Are firewalls, switches, and network appliances patched as well?
Do we have a clear owner for patching, rather than assuming it just “happens”?
Are updates postponed because they’re inconvenient?
Reality check:
Attackers rely on organisations being busy.

SECTION 4 – BACKUPS (THE MOST OVERLOOKED RISK)

Do we have offsite or immutable backups?
Are backups isolated from the main network?
Do we regularly test restoring data – not just check that backups exist?
Could ransomware encrypt our backups at the same time as production data?
Reality check:
Backups that can be encrypted are not a safety net.

SECTION 5 – MONITORING & DETECTION

Would we know if someone logged in at 2am?
Are logs reviewed or monitored – not just stored?
Would unusual behaviour trigger an alert?
Do we rely on users noticing problems?
Reality check:
Most attackers aren’t noisy. They wait.

SECTION 6 – INCIDENT READINESS

Do we know who to call in the first hour of a breach?
Do we know when to involve insurers or authorities?
Could we make decisions calmly under pressure?
Have we ever rehearsed a real incident?
Reality check:
Panic costs more than preparation.

FINAL QUESTION (THE ONE THAT MATTERS)

If attackers were already inside your network today…

Would you know if they were in?

If the answer isn’t a confident “yes”, this isn’t about fear – it’s about responsibility.

You don’t need to fix everything at once.
But you do need to know where you stand.

A proper, independent security review will tell you that – without panic, without sales pressure, and without guesswork.

N.B. You need to score 100% – anything else is a risk.
