Operational Risk Assessment | GET-IT Cyber Division

About Your Business

Basic details so we can route your summary correctly and give it meaningful context.

Company name *

Please enter your company name.

Your name *

Please enter your name.

Your email address *

We'll send your summary here. If you return to update your answers, we'll match on this address.

Please enter a valid email address.

Website address

Optional — helps us identify any publicly visible risks on your domain.

What industry are you in? *

Please select your industry.

How many people work in your business? *

Include full-time, part-time, and regular contractors.

1–5 6–15 16–50 51–100 Over 100

Please select a headcount band.

Approximate annual turnover

Banded — no exact figure needed. Helps us give financial risk exposure context.

Under £250,000 £250,000 – £500,000 £500,001 – £2,000,000 £2,000,001 – £10,000,000 Over £10,000,000 Prefer not to say

People & Awareness

How your team handles security day to day.

Who is primarily responsible for IT and cyber security? *

A member of staff (not their main role) A dedicated internal IT person or team An external IT company or managed service provider (MSP) No one specifically — handled ad hoc Me (the business owner)

Please select an option.

Do your staff receive any cyber security awareness training?

This includes anything from a brief induction session to formal annual training.

Yes — formal training at least once a year Yes — informal or ad hoc No Not sure

Does your business use multi-factor authentication (MFA)? *

MFA — also called two-step verification or 2FA — means staff need a second check (like a code on their phone) in addition to their password to log in.

Yes — on all accounts including email and cloud services Yes — on some accounts but not all No Not sure what this is

Please select an option.

How are passwords managed in your business?

A password manager is an app (like Bitwarden, 1Password, or the one built into your browser) that stores and fills your passwords securely.

We use a dedicated password manager Staff use the browser's built-in password saver Staff choose and remember their own passwords No consistent approach Not sure

Does your business have a process for verifying unusual payment requests?

For example: calling a supplier on a known number to confirm a change of bank details before making a payment. This type of fraud — Business Email Compromise — is among the most costly attacks on UK SMEs.

Yes — we always verify by phone or in person before changing payment details Yes — sometimes, depending on the amount No Not applicable — we don't handle outgoing payments

Devices & Software

What your team uses to work, and how it's protected.

Roughly how many devices does your business use? *

Include all PCs, laptops, and Macs used for work — including personal devices used to access business email or systems.

Please enter a device count.

Does your business use any smart or connected devices that aren't standard computers?

For example: smart TVs, IP cameras, door access systems, printers, smart speakers, or industrial control equipment connected to the internet or your network.

Yes No Not sure

Roughly how many of these connected devices do you have?

1–5 6–20 More than 20 Not sure

Is the software on your devices kept up to date? *

This includes Windows or macOS updates, and updates to apps like Office, browsers, and any software your business relies on.

Yes — updates are applied automatically or within a few days of release Yes — but updates are often delayed or done manually when we get round to it No consistent approach Not sure

Please select an option.

Does your business use antivirus or endpoint protection software? *

This includes standard antivirus (like Windows Defender, Norton, or McAfee) and more advanced tools sometimes called EDR — endpoint detection and response.

Yes — a paid or managed solution on all devices Yes — free or built-in only (e.g. Windows Defender) Some devices are protected, some aren't No Not sure

Please select an option.

Are all the software applications your business uses properly licensed?

Unlicensed software is often a source of malware and doesn't receive security updates — making it a common entry point for attackers.

Yes — everything is licensed Mostly — there may be some gaps No — some software is unlicensed Not sure

Have default passwords been changed on your business devices and systems?

Routers, printers, cameras, and other devices often ship with a default admin password like "admin" or "1234". These should be changed before use and are a Cyber Essentials requirement.

Yes — all devices have had default passwords changed Probably — but we haven't checked systematically No Not sure

Do you have a separate guest Wi-Fi network for visitors, kept away from your business systems?

A guest Wi-Fi gives visitors internet access without letting them reach your internal files, servers, or connected devices. Mixing the two on a single network is a common and easily exploited gap.

Yes — a separate guest network, isolated from our business systems No — visitors use the same Wi-Fi as staff We don't offer Wi-Fi to visitors Not sure

Do staff access business systems remotely — for example, from home or while travelling?

This includes accessing email, files, internal systems, or any business application from outside the office.

No — all access to business systems happens on site Yes — via cloud services only (e.g. Microsoft 365, Google Workspace) Yes — via a VPN (virtual private network) Yes — direct connection to our systems without a VPN Not sure how it works

Do staff ever work from public places — such as cafés, hotels, or trains — without any additional protection?

Public Wi-Fi is frequently unencrypted and can be monitored by others on the same network. A VPN or mobile data connection provides significantly better protection when working outside the office.

No — staff don't work from public places Yes — but they always use a VPN or mobile data Yes — sometimes, without additional protection Not sure

Resilience

Your ability to recover if something goes wrong.

Does your business take regular backups of its data? *

Yes — automated backups, tested regularly Yes — automated backups, but we haven't tested recovery Yes — manual backups, done periodically No Not sure

Please select an option.

Where are your backups stored?

Backups stored only on the same device or network as your main data won't protect you from ransomware. Offsite or cloud copies are important. Select all that apply.

On the same device or local drive On a separate device or server on site In the cloud (e.g. OneDrive, Google Drive, Dropbox, or a dedicated backup service) Offsite physical storage (e.g. tapes or drives stored elsewhere) Not sure

Does your business have a written plan for responding to a cyber incident or major IT failure?

This doesn't need to be formal — even a short document covering who to call and what steps to take counts.

Yes — a documented plan exists and staff know about it Informal — we know roughly what we'd do but it's not written down No Not sure

Cloud & Business Systems

The platforms and services your business depends on.

Which cloud-based services does your business use?

Cloud means the software runs over the internet rather than on your own computers. Select all that apply.

Microsoft 365 (Outlook, Teams, SharePoint, etc.) Google Workspace (Gmail, Drive, Meet, etc.) Cloud accounting (Xero, QuickBooks, Sage, etc.) Cloud CRM (Salesforce, HubSpot, Zoho, etc.) Cloud storage (Dropbox, OneDrive, Google Drive as standalone) Industry-specific software accessed via the internet We don't use cloud services

Does your business have cyber insurance?

Yes — a standalone cyber insurance policy Possibly — it may be included in our business insurance, but I'm not certain No Not sure

Data & Client Information

What you handle, and the obligations that come with it.

Does your business store or process personal data relating to clients, customers, or employees?

Personal data includes names, email addresses, phone numbers, financial details, health information, or anything else that could identify a living person. Most businesses handle at least some.

Yes — we hold significant volumes (e.g. a customer database, HR records, or health data) Yes — limited amounts (e.g. contact details for clients and staff) Minimal — only what's necessary for invoicing No

Does your business allow remote or hybrid working?

Yes — most or all staff work remotely some or all of the time Yes — some staff work remotely occasionally No — everyone works on site

Incident History & IT Support

Brief context on your current position.

Has your business experienced a cyber security incident in the last 24 months?

This includes phishing attacks, ransomware, data breaches, fraud, or any security event — even if it was caught early or didn't cause significant disruption.

Yes No Not sure / possibly

Does your business have a named external IT supplier or managed service provider?

For example: a local IT support company, an MSP, or a freelance IT consultant you use regularly.

Yes No We handle IT internally

Ready to submit?

We'll email a summary of your responses to the address you provided. A member of the GET-IT team may follow up if we spot anything worth flagging — but there's no pressure and no obligation.

[ Your data is handled in accordance with our privacy notice. ]

✓

Assessment submitted

Thank you. A summary of your responses is on its way to your inbox. If you don't see it within a few minutes, check your spam folder.

← Return to get-it.uk

OperationalRisk Assessment

About Your Business

People & Awareness

Devices & Software

Resilience

Cloud & Business Systems

Data & Client Information

Incident History & IT Support

Ready to submit?

Assessment submitted

Operational
Risk Assessment