These are not technical questions. They don’t require an IT background to answer. They’re the things a business owner should be able to say with confidence about their own company.
Most can’t. That’s not a criticism — it’s a gap that takes a few weeks to close, once you know it’s there.
Work through each one. Note where you hesitate.
1. If a senior employee left today, which systems would they still have access to by tomorrow?
Think about your practice management software, your cloud drives, your email platform, your accounting system. If someone resigned this afternoon, how long would it take to remove their access from each one?
For most firms, the honest answer involves words like “we’d have to ask” or “I’m not sure who manages that.”
The risk is not just disgruntled ex-employees. A dormant account with a valid password is a quiet entry point: nobody is watching it, so a login to it raises no flag, and it sits there indefinitely. If that person's password ever turns up in a leak or they are phished after they leave, the account still works.
A basic offboarding checklist fixes this. You don't need sophisticated tooling. You need a list of every system, one named person responsible for running through it on someone's last day, and a line on that list for rotating any shared passwords the leaver knew (a shared admin login, the payment gateway, the office Wi-Fi). Disable accounts first rather than deleting them outright, so mailboxes and files can be handed over before anything is lost.
2. Do you know which AI tools your staff are using with client data?
Not what you’ve approved. What’s actually being used.
ChatGPT, Gemini, Grammarly, Notion AI, the AI assistant built into Microsoft Word. These are tools people add to their workflow quietly, because they’re useful and nobody said not to.
Some of these tools, on free or basic accounts, process the text you give them under data policies that most business owners have not read, and on some consumer tiers that text may be retained, or used to improve the vendor's models, unless someone has opted out. If your staff are summarising client financials, drafting privileged correspondence, or preparing reports in these tools, that data is leaving your environment.
You don't need to ban AI tools. You need to know which ones are in use and decide, tool by tool, which require a business account (a paid tier that contractually keeps your data out of training) and which need a usage boundary, such as no client names, account numbers or figures in any consumer-grade tool.
3. When did you last check whether your business email accounts appear in a breach database?
Business email credentials are bought and sold. They appear in data breaches from third-party services your staff have signed up for over the years with their work address, and those leaked email-and-password pairs are then tried against corporate logins automatically, a technique known as credential stuffing.
You can check your own email address on haveibeenpwned.com in about thirty seconds, and once you have verified that you own the domain, the site can list every address at your company that appears in a known breach. It is common to find at least one match.
The follow-on question: does your team reuse passwords across personal and work accounts? If the answer is probably yes, that's the more important thing to address. A password manager removes the reason to reuse, and multi-factor authentication on email means a leaked password alone is not enough to get in.
4. If someone sent your finance team a convincing email from your MD’s address asking for an urgent transfer, what would happen?
AI-generated phishing has changed what these emails look like. They no longer have the typos and grammatical oddities that made them easy to spot. A well-constructed message can reference real context, use the right tone, and arrive from a spoofed address or a lookalike domain that looks legitimate at a glance, or from the MD's genuine mailbox if it has already been compromised, in which case nothing about the message itself is wrong.
The question is not whether your staff are smart. It's whether they have a protocol. Is there a verbal confirmation step for financial transactions above a certain amount, made by calling a number you already have on file rather than one in the email or its signature? Does a change of bank details from a supplier get the same call? Is there a policy for what to do when an email feels urgent?
This category of fraud, called business email compromise, cost Indian businesses thousands of crores last year. The businesses that avoid it are not the ones with the best spam filters. They’re the ones with a simple process that doesn’t rely on anyone making the right judgment call under pressure.
5. Do you know whether the encrypted data your business stores today is safe against threats that don’t exist yet?
This one is less urgent than the others, but it’s worth knowing about.
There is a practice called "harvest now, decrypt later." State-level actors and sophisticated criminal groups collect encrypted data today, knowing that advances in computing, in particular a sufficiently large quantum computer, may in the coming decade or so give them the ability to decrypt it. If your firm stores or transmits sensitive long-term data, such as financial records, IP or privileged client information, that data may already be in someone's collection.
NIST, the US standards body, finalised its first post-quantum cryptography standards in 2024. Indian regulatory guidance is following. For most small businesses, action on this is still years away. But it is reasonable to find out where your systems rely on the public-key algorithms a quantum computer would break, namely RSA and elliptic-curve cryptography, which protect most TLS connections, VPNs and digital signatures today. The symmetric encryption on a backup or a hard drive (AES, for example) is not the concern; the key exchange and signatures around it are.
What these questions tell you
If you hesitated on two or more of these, you have the kind of gaps that a structured audit is designed to find and close.
The goal is not to know everything about security. It’s to have clear answers to the questions your clients, your regulators, and your insurance providers may eventually ask you.
StackGuard works through all of this systematically: tool inventory, credential review, access mapping, threat briefing. Five to ten business days, written report, leadership debrief. If you want to know where your firm actually stands, that’s where to start.