Most small businesses assume their antivirus is doing enough. They believe their IT provider has everything locked down. The truth is that attackers are using common tools like PowerShell, Office macros, and unapproved software to gain control, and most businesses never see it coming.
If your IT provider isn’t testing your systems, you're operating on blind trust. Here we suggest a practical checklist that every SMB should follow. These steps will show you, in real time, whether you're wide open to an attack.
1. Does PowerShell have access to the internet?
If you don’t need PowerShell, you shouldn’t be able to run it at all. Even if you do need it, it almost certainly doesn’t need unrestricted access to the internet: a PowerShell session that can reach arbitrary websites can also pull down an attacker’s tooling. You can check whether it can by opening PowerShell and running the following command (the -UseBasicParsing switch avoids a dependency on Internet Explorer in Windows PowerShell 5.1):
Invoke-WebRequest -Uri https://www.google.com -UseBasicParsing
If the command returns a response (a StatusCode of 200), PowerShell has open internet access. In that case, block PowerShell outright if it’s not needed. If it is needed, restrict its outbound network access and its access to your files to what your scripts actually require.
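The check above, scripted so it can be repeated on every machine, followed by one way to restrict PowerShell from the internet. This is an added example and not code from the article or from ThreatLocker; it uses the built-in Windows Firewall cmdlets (NetSecurity module) rather than a ThreatLocker policy, the rule names and test URL are illustrative choices, and the -Apply switch and rule creation require an elevated prompt.

```powershell
# Added example (not from the original article): test whether this PowerShell
# host can reach the internet and, with -Apply, add Windows Firewall rules that
# block outbound traffic from the PowerShell executables.
# Assumptions: Windows 10/11 with the NetSecurity module; rule names and the
# test URL are illustrative. Run from an elevated prompt when using -Apply.
param([switch]$Apply)

function Test-PowerShellOutbound {
    param([string]$Uri = 'https://www.google.com')
    try {
        # -UseBasicParsing avoids the Internet Explorer engine dependency in
        # Windows PowerShell 5.1; the short timeout keeps the test quick.
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Reachable = $true;  Detail = "HTTP $($r.StatusCode)" }
    } catch {
        # A firewall block, proxy denial or DNS failure all land here.
        [pscustomobject]@{ Reachable = $false; Detail = $_.Exception.Message }
    }
}

function Block-PowerShellOutbound {
    # One outbound block rule per PowerShell binary. This only constrains these
    # executables; a process that loads the PowerShell engine itself is not
    # covered, which is why the article also recommends allowlisting.
    $hosts = @(
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
        "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
        "$env:ProgramFiles\PowerShell\7\pwsh.exe"     # only present if PowerShell 7 is installed
    )
    foreach ($exe in $hosts) {
        if (-not (Test-Path $exe)) { continue }
        $name = "Block outbound: $(Split-Path $exe -Leaf) ($exe)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
            -Action Block -Profile Any -Enabled True | Out-Null
        "Added rule: $name"
    }
}

$before = Test-PowerShellOutbound
"Before: reachable=$($before.Reachable) ($($before.Detail))"
if ($before.Reachable -and $Apply) {
    Block-PowerShellOutbound
    $after = Test-PowerShellOutbound
    "After:  reachable=$($after.Reachable) ($($after.Detail))"
}
```

Save it as a .ps1 and run it once without -Apply to see the current state, then with -Apply from an elevated prompt to add the rules and confirm the second test fails. The firewall rule is a per-binary control: it stops Invoke-WebRequest from powershell.exe, but it does not stop other programs from reaching the internet, and it does not restrict what PowerShell can do with your files.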
2. Can unapproved software run?
It’s common for cybercriminals to pose as IT support and ask you to download remote-access software, such as TeamViewer or AnyDesk, so that they can take control of your computer. Test whether that would work: download one of these tools and see if you can run it.
If you can run unapproved applications, especially remote-access tools, look into application allowlisting so that only approved applications can run. After the test, close the program and remove it.
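A scripted version of this test, added here as an example rather than taken from the article or from ThreatLocker. It assumes the tester has already downloaded a remote-access tool to the path given (the AnyDesk.exe file name in Downloads is illustrative; any of the tools named above will do), tries to launch it, reports whether the launch was refused, ran, or exited on its own, and then removes the file as the article recommends. The AppLocker query only applies if allowlisting is done with AppLocker; other allowlisting products keep their own policy and logs.

```powershell
# Added example (not from the original article): attempt to run a downloaded
# executable, classify the outcome, then stop it and delete it.
# Assumptions: the candidate path is illustrative and the file was downloaded
# by the tester beforehand; the AppLocker check is only meaningful when
# AppLocker is the allowlisting control in use.
param(
    [string]$Candidate = "$env:USERPROFILE\Downloads\AnyDesk.exe"
)

function Test-UnapprovedAppLaunch {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Result = 'missing'; Detail = 'file not found'; AppLocker = 'n/a' }
    }

    # If AppLocker is present, ask the effective policy what it would decide
    # before touching the binary. PolicyDecision is Allowed, Denied,
    # AllowedByDefault or DeniedByDefault.
    $decision = 'n/a'
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
        if ($policy) {
            $decision = (Test-AppLockerPolicy -PolicyObject $policy -Path $Path `
                -User "$env:USERDOMAIN\$env:USERNAME").PolicyDecision
        }
    }

    try {
        $p = Start-Process -FilePath $Path -PassThru -ErrorAction Stop
        Start-Sleep -Seconds 5
        if ($p.HasExited) {
            $result = 'exited'      # terminated after start, or failed on its own
            $detail = "exit code $($p.ExitCode)"
        } else {
            $result = 'ran'         # the unapproved tool is running: allowlisting is not in place
            $detail = "pid $($p.Id)"
            Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        }
    } catch {
        # Allowlisting controls refuse the launch outright; the exception
        # message usually names the control (for example a group policy block).
        $result = 'blocked'
        $detail = $_.Exception.Message
    }

    # Clean up regardless of outcome, as the article recommends.
    Remove-Item -Path $Path -Force -ErrorAction SilentlyContinue

    [pscustomobject]@{ Path = $Path; Result = $result; Detail = $detail; AppLocker = $decision }
}

Test-UnapprovedAppLaunch -Path $Candidate | Format-List
```

A Result of ran is the failure the article describes: the freshly downloaded binary executed from a user-writable folder. A Result of blocked with an AppLocker decision of Denied shows the control working; blocked with AppLocker n/a means some other control (an EDR or a third-party allowlisting product) stopped it, and you should confirm that control also logged the event.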
3. Are macros enabled in Office?
Each Office application has its own macro setting, so check every application you use. There are two quick ways to check: through the registry or through the application itself.
To check Microsoft Word in the registry, open regedit and go to Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security. In there, you should see a value called “VBAWarnings” and it should be set to 4 (disable all macros without notification). If it’s set to anything else, macros can run: 1 enables them all, 2 disables them with a notification that lets the user enable them with one click, and 3 allows digitally signed macros. If the value is absent, Office falls back to 2. Note that a value set by Group Policy lives under HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security instead and overrides the user setting, so check both.
The other method is to open any Office application and go to File -> Options -> Trust Center -> Trust Center Settings -> Macro Settings. It should be set to Disable VBA macros without notification.
If macros are enabled, you can quickly disable them through Group Policy or ThreatLocker Configuration Manager. Some users, like your CFO, may genuinely need macros; decide those exceptions case by case and scope them to the user and application that needs them rather than the whole company.
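The registry check above, extended across the Office applications that use VBAWarnings and reading both the user hive and the Group Policy hive. This is an added example, not code from the article or from ThreatLocker; it assumes a current Office build (registry version 16.0), the list of applications is illustrative, and Outlook is left out because it stores its macro security under a different value. With -Enforce it writes VBAWarnings = 4 to the Policies key for every application still able to run macros, which is a per-user fix until a domain policy takes over.

```powershell
# Added example (not from the original article): audit VBAWarnings for each
# Office application in both the user hive and the Group Policy hive, and
# optionally enforce "disable without notification" (4).
# Assumptions: Office registry version 16.0; app list is illustrative.
# VBAWarnings meanings: 1 = enable all, 2 = disable with notification (the
# default when the value is absent), 3 = disable except signed, 4 = disable
# without notification.
param([switch]$Enforce)

$Version = '16.0'
$Apps    = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio', 'Project'
$Meaning = @{ 1 = 'enable all macros'; 2 = 'disable with notification'
              3 = 'disable except signed'; 4 = 'disable without notification' }

function Get-MacroSetting {
    param([string]$App)
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"

    # The Policies hive is what Group Policy writes; it wins over the user key.
    $policy = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $user   = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings

    if ($null -ne $policy)   { $effective = $policy; $source = 'GPO' }
    elseif ($null -ne $user) { $effective = $user;   $source = 'user' }
    else                     { $effective = 2;       $source = 'default' }

    [pscustomobject]@{
        App          = $App
        Effective    = $effective
        Meaning      = $Meaning[[int]$effective]
        Source       = $source
        MacrosCanRun = ($effective -ne 4)
    }
}

function Set-MacroBlocked {
    # Writes the same value Group Policy would, under the Policies key.
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
}

$report = $Apps | ForEach-Object { Get-MacroSetting -App $_ }
$report | Format-Table App, Effective, Meaning, Source, MacrosCanRun -AutoSize

if ($Enforce) {
    $report | Where-Object MacrosCanRun | ForEach-Object {
        Set-MacroBlocked -App $_.App
        "Set VBAWarnings=4 for $($_.App)"
    }
}
```

Any row with MacrosCanRun = True is an application where a user can still run a macro delivered in an attachment. Leave the users who need macros out of -Enforce and handle them through the case-by-case exception the article describes.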
4. Is data exfiltration blocked?
Data exfiltration is a huge risk from insiders and outsiders alike. You should have a control that blocks, or at least alerts on, a large number of files being accessed or uploaded in a short period of time. The limit will differ for each organization, but no user should have unfettered access to everything. You can quickly test this by seeing whether you can upload a large number of files to a cloud file-sharing service, like Dropbox, SharePoint, etc.
If the upload of a large number of files goes through without being stopped or flagged, you need to look into setting up automated response policies for suspected data exfiltration.
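An illustration of the rate rule such a response policy is built on, added here as an example and not taken from the article or from any ThreatLocker policy. The events are constructed for the example; in practice they would come from file-audit or EDR telemetry, and the window and threshold are the per-organization limit the article mentions, chosen here arbitrarily.

```powershell
# Added example (not from the original article): flag any user who touches
# more than a threshold of distinct files within a sliding time window.
# Assumptions: the events below are constructed for illustration; the window
# and threshold are arbitrary and must be tuned per organization.

$WindowMinutes = 5
$Threshold     = 200   # distinct files per user within any 5-minute window

# Constructed sample: alice opens 3 files over an hour (normal use);
# mallory opens 250 files in about two minutes (bulk access).
$t0 = Get-Date '2024-01-01 09:00:00'
$events = @()
$events += 0..2   | ForEach-Object { [pscustomobject]@{ Time = $t0.AddMinutes(20 * $_); User = 'alice';   Path = "\\fs\finance\q$_.xlsx" } }
$events += 0..249 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(0.5 * $_); User = 'mallory'; Path = "\\fs\finance\doc$_.docx" } }

function Find-BulkFileAccess {
    param([object[]]$Events, [int]$WindowMinutes, [int]$Threshold)
    $hits = @()
    foreach ($group in ($Events | Group-Object User)) {
        $sorted = @($group.Group | Sort-Object Time)
        $start = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Advance the window start until the window fits inside $WindowMinutes.
            while (($sorted[$end].Time - $sorted[$start].Time).TotalMinutes -gt $WindowMinutes) { $start++ }
            $window   = $sorted[$start..$end]
            $distinct = @($window.Path | Select-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                $hits += [pscustomobject]@{
                    User  = $group.Name
                    From  = $sorted[$start].Time
                    To    = $sorted[$end].Time
                    Files = $distinct
                }
                break   # one hit per user is enough to trigger a response
            }
        }
    }
    $hits
}

Find-BulkFileAccess -Events $events -WindowMinutes $WindowMinutes -Threshold $Threshold | Format-Table -AutoSize
```

With the constructed data, mallory is reported (200 distinct files in well under five minutes) and alice is not. The output of a rule like this is what an automated response policy acts on, whether that is cutting off the share, disabling the account, or paging the SOC.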
5. How quick is your incident response?
If everything is configured correctly and unapproved applications are blocked, it’s still important to get alerted to suspicious activity. For example, network scanning tools are commonly used by IT, but are also one of the first tools used by cybercriminals in a breach. A blocked network scanner may signal that someone tried to scan your system without approval. That is a strong indicator of compromise.
You can test your incident response time by doing something that should trigger it, such as downloading and running Advanced IP Scanner. Note the time you ran it. Once it’s (hopefully) blocked, your SOC or MDR should be calling or alerting you within minutes. If they’re not, consider that in a real breach the attacker would have had full control of the system for that entire wait.
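A way to run this test with timestamps so the wait can be measured rather than estimated. This is an added example, not code from the article or from ThreatLocker. It assumes the scanner has already been downloaded to the path given (illustrative), that the block is enforced by AppLocker, whose "EXE and DLL" log records event ID 8004 for a prevented launch (a different allowlisting product keeps its own log and needs that query swapped), and that the alert time is typed in by hand when the SOC or MDR contacts you. The target of ten minutes is an illustrative stand-in for the article's "within minutes".

```powershell
# Added example (not from the original article): launch the test tool, record
# when it was blocked, and compute how long the SOC/MDR took to respond.
# Assumptions: illustrative tool path; AppLocker is the blocking control
# (event 8004 in its "EXE and DLL" log); alert time is entered manually.
param(
    [string]$Tool = "$env:USERPROFILE\Downloads\Advanced_IP_Scanner.exe",
    [int]$TargetMinutes = 10
)

function Get-BlockEventsSince {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8004
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}

function Measure-AlertDelay {
    param([datetime]$BlockedAt, [datetime]$AlertedAt, [int]$TargetMinutes)
    $delay = $AlertedAt - $BlockedAt
    [pscustomobject]@{
        BlockedAt    = $BlockedAt
        AlertedAt    = $AlertedAt
        Minutes      = [math]::Round($delay.TotalMinutes, 1)
        WithinTarget = ($delay.TotalMinutes -le $TargetMinutes)
    }
}

$launchedAt = Get-Date
$proc = $null
try {
    $proc = Start-Process -FilePath $Tool -PassThru -ErrorAction Stop
    "Launch was NOT refused at $launchedAt; the tool is running."
} catch {
    "Launch refused at $launchedAt : $($_.Exception.Message)"
}

Start-Sleep -Seconds 5
if ($proc -and -not $proc.HasExited) { Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue }
Remove-Item -Path $Tool -Force -ErrorAction SilentlyContinue

$blocks = @(Get-BlockEventsSince -Since $launchedAt.AddSeconds(-5))
if ($blocks.Count -eq 0) { "No AppLocker block event was logged; any block came from another control." }
$blocks | Format-Table -AutoSize

# When the call or alert arrives, enter the time and compare.
$entered = Read-Host 'Time the SOC/MDR contacted you (e.g. 2024-01-01 10:17), or Enter to skip'
if ($entered) {
    $blockedAt = if ($blocks.Count -gt 0) { $blocks[0].TimeCreated } else { $launchedAt }
    Measure-AlertDelay -BlockedAt $blockedAt -AlertedAt ([datetime]$entered) -TargetMinutes $TargetMinutes | Format-List
}
```

Two failures show up separately here: a launch that was not refused means the scanner ran (the allowlisting test from step 2 failed), and a refused launch with WithinTarget = False means the block happened but nobody acted on it in time. Both are the situation the article warns about.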
If any of these tests fail, and many will, it is not a small issue. It is proof that attackers could already have a way in. You do not need a big budget to stay secure, but you do need clear policies, strict controls, and fast response. If your team is not blocking risky behavior and watching for signs of compromise, it is time to make changes. Run these tests now. Fix what is broken. Then get back to work with fewer risks hanging over your head.
See how you can lock down PowerShell, macros, and unapproved software.
Fix gaps fast with ThreatLocker Configuration Manager.