Most business owners in Lancaster County will answer yes to that question without hesitating. They have antivirus software. They have a firewall. They back up their data. Their IT provider told them they are covered.
What most of them cannot answer is the follow-up question: how do you know?
When did you last test whether your backups would actually restore under real conditions? When did someone verify that your firewall is configured correctly for the way your business operates today, not the way it operated three years ago when the rules were last reviewed? When did you confirm that every account in your Microsoft 365 environment requires multi-factor authentication, including the ones that belong to employees who left six months ago?
These are not trick questions. They are the questions that separate businesses that are genuinely prepared from businesses that feel prepared. And in Central PA, where the consequences of a significant cyber incident can shut down operations for days or weeks, the difference between those two positions is worth examining honestly.
What It Means to Be Prepared
There is a version of cyber preparedness that most small and midsized businesses in Central PA have achieved. It looks like this: the right tools are in place, the right vendor relationships exist, and the team has a general sense that IT is handled.
That version of preparedness addresses the question of whether you have the right technology. It does not address the question of whether that technology is working correctly, configured appropriately, and capable of protecting your business against the threats that are actually targeting organizations your size right now.
Genuine preparedness requires both: the technology layer and the verification layer. And the verification layer is where most businesses have the most significant gaps.
The Three Questions Worth Asking Right Now
Can you restore from your backups, and how long would it take?
Backup systems fail silently. A backup process that appears to be running successfully can produce a recovery file that is corrupted, incomplete, or simply too old to be useful when a ransomware attack encrypts your production systems at 2:00 AM on a Tuesday.
The only way to know whether your backups work is to test them. Not to confirm that the backup job ran. To actually restore data from the backup to a test environment and verify that the result is complete, current, and functional.
For most Central PA businesses, a meaningful ransomware incident means 24 to 72 hours of downtime at minimum if recovery does not go smoothly. For a manufacturing operation, a construction firm with active project timelines, or a healthcare practice with patient appointments, that timeframe has a direct and significant cost. The backup test is what tells you whether that cost is in your future.
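A restore test of the kind described above can be partly automated. The following added example (not TCW-GAV's tooling) checks a restored directory against a hash manifest written at backup time and reports whether the result is complete, intact, and current. The manifest layout, function names, and sample files are assumptions made for illustration, and confirming that restored applications actually open their data remains a manual step.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

def sha256_file(path, chunk=1 << 20):  # chunked so large files are not loaded whole
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root, taken_at=None):
    """Record relative path -> SHA-256 for every file under root, plus the backup time."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in root.rglob("*") if p.is_file()}
    return {"taken_at": time.time() if taken_at is None else taken_at, "files": files}

def verify_restore(manifest, restored_root, max_age_hours=24, now=None):
    """Check a restored tree against the manifest written when the backup was taken."""
    expected = manifest["files"]
    restored = build_manifest(restored_root)["files"]
    age_hours = ((time.time() if now is None else now) - manifest["taken_at"]) / 3600
    report = {
        "missing": sorted(set(expected) - set(restored)),            # incomplete
        "corrupted": sorted(f for f in expected.keys() & restored.keys()
                            if restored[f] != expected[f]),           # damaged
        "age_hours": round(age_hours, 1),
        "stale": age_hours > max_age_hours,                           # too old
    }
    report["passed"] = not (report["missing"] or report["corrupted"] or report["stale"])
    return report

def demo():
    """Constructed sample: one file lost, one truncated, backup taken 30 hours ago."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "payroll.csv").write_text("emp,net\nA,2000\n")
        (src / "readme.txt").write_text("shared drive\n")
        manifest = build_manifest(src, taken_at=0)
        shutil.copytree(src, dst)
        (dst / "readme.txt").unlink()                               # dropped in restore
        (dst / "finance" / "payroll.csv").write_text("emp,net\n")  # truncated
        return verify_restore(manifest, dst, now=30 * 3600)

if __name__ == "__main__": print(demo())
```

Timing the restore itself, from start to a passing report, answers the second half of the question: how long recovery would take.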
Is multi-factor authentication active on every account?
This is the single most impactful security control available to small and midsized businesses, and it is consistently one of the most incompletely deployed.
MFA deployed on 90 percent of accounts does not provide 90 percent of the protection. It provides an attacker with a map of the 10 percent of accounts that are unprotected, and attackers are methodical about finding and using those gaps.
The accounts most commonly missed in MFA deployment are service accounts, shared mailboxes, administrator accounts, and accounts belonging to former employees whose departures were not fully processed through the IT environment. A systematic review of your Microsoft 365 account list against your current employee roster often surfaces a number of active accounts that should have been disabled and secured months ago.
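The roster comparison described above, as an added example rather than TCW-GAV's own process: it reads an account export, reports MFA coverage across sign-in-enabled accounts, and flags the categories this section names. The CSV column names, the sample accounts, and the severity rule are constructed assumptions, not a Microsoft 365 export format.

```python
import csv
import io

# Constructed sample export; column names are assumptions for illustration.
ACCOUNTS_CSV = """upn,type,enabled,mfa,admin
alice@example.com,user,true,true,false
bob@example.com,user,true,false,false
carol@example.com,user,true,true,false
it-admin@example.com,user,true,false,true
scanner@example.com,service,true,false,false
info@example.com,shared,true,false,false
dave@example.com,user,false,false,false
"""
# Constructed current-employee roster (for example, from HR or payroll).
ROSTER = {"alice@example.com", "bob@example.com", "it-admin@example.com"}

def truthy(value):
    return value.strip().lower() == "true"

def review_accounts(accounts_csv, roster):
    """Return MFA coverage and per-account findings for sign-in-enabled accounts."""
    roster = {u.lower() for u in roster}
    enabled, findings = [], []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if not truthy(row["enabled"]):
            continue  # sign-in blocked; out of scope for this check
        enabled.append(row)
        upn, issues, high = row["upn"].strip().lower(), [], False
        if not truthy(row["mfa"]):
            issues.append(f"no MFA ({row['type']} account)")
            high = truthy(row["admin"])      # unprotected admin is top priority
        if row["type"] == "user" and upn not in roster:
            issues.append("not on current roster")
            high = True                      # possible former employee, still active
        if issues:
            findings.append(("high" if high else "medium", upn, issues))
    covered = sum(truthy(r["mfa"]) for r in enabled)
    findings.sort(key=lambda f: (f[0] != "high", f[1]))
    pct = round(100 * covered / len(enabled), 1) if enabled else 100.0
    return {"mfa_coverage_pct": pct, "findings": findings}

if __name__ == "__main__":
    result = review_accounts(ACCOUNTS_CSV, ROSTER)
    print(f"MFA coverage: {result['mfa_coverage_pct']}%")
    for severity, upn, issues in result["findings"]:
        print(f"[{severity}] {upn}: {'; '.join(issues)}")
```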
When did you last review who has access to what?
Permissions accumulate. Over time, employees gain access to systems and files they needed for a specific project or a temporary role, and that access is never removed. Former employees have accounts that were disabled but not fully offboarded, leaving permission structures intact. Contractors and vendors have access that was granted for a specific engagement and never revoked.
In a static environment, these accumulated permissions create unnecessary risk. In an environment where you are deploying or considering AI tools, including Microsoft Copilot, they create a much more specific and immediate problem. AI tools surface content based on what users are permitted to see. Permissions that were never properly maintained become visible in ways they were not before.
A permissions review is not a complex project. It is a systematic look at who has access to what in your Microsoft 365 environment, compared against who should have access. For most Central PA businesses, it surfaces a number of issues that are straightforward to resolve, and that are far less expensive to address before an incident than after one.
The Verification Gap
To recover quickly, you need to know your environment before something goes wrong.
Test backups. Review your permissions. Confirm your security controls are active and correctly configured. When an incident occurs, execute your recovery process against a known environment. Do not discover gaps in real time while the clock is running.
The businesses that struggle after an incident are almost always the ones that thought they were prepared without having verified it. The tools were in place. The vendor relationship existed. The backup job was running. And when the incident happened, the gaps that had never been examined became visible all at once.
Organizations with tested incident response plans reduce the average cost of a breach by over 35 percent compared to those without one. The testing is not a formality. It is what makes the plan work when it needs to.
How TCW-GAV Helps Central PA Businesses Verify Their Preparedness
At TCW-GAV, we have been helping Lancaster County and Central PA businesses understand what their technology environment actually looks like for more than 30 years. Our complimentary cybersecurity assessment gives you a factual picture of where your current security posture stands, not a general reassurance, but a specific review of the controls that matter most.
That includes:
- Backup and recovery verification — confirming your backups work under real conditions
- MFA review across all Microsoft 365 accounts including service accounts and former employees
- Permissions audit identifying access that does not reflect current business intent
- Security configuration review against current threat patterns
- A clear priority list of what to address first and what it takes to get there
The Right Time to Find the Gaps Is Before Something Forces the Issue
Cyber incidents do not announce themselves. Do not wait for an incident to find out you have gaps in your systems.
Schedule a complimentary cybersecurity assessment with TCW-GAV and find out where your business actually stands.