
Identity and Access Management for SMBs — A Practical Guide for 2026

3 May 2026 · 8 min read · VantagePoint Networks

Identity and access management (IAM) is the framework of policies and controls that determines who can access which systems and data in your organisation. For SMBs, effective IAM means: enforcing MFA on all internet-facing services, separating privileged accounts from standard user accounts, managing the full lifecycle of user credentials, and maintaining a clean Active Directory or cloud identity environment. Identity-based attacks — credential phishing, account takeover, business email compromise — are responsible for the majority of SMB breaches. IAM is the direct defence.

According to the Verizon Data Breach Investigations Report 2025, compromised credentials are involved in over 60% of breaches. For SMBs, the attack pattern is almost always the same: phishing email captures credentials, attacker logs in with those credentials (no MFA), and then moves laterally through the environment using tools and accounts that were never properly restricted.

The 4 Core IAM Areas for SMBs

Multi-Factor Authentication (MFA)

Implement first

MFA is the single highest-impact IAM control available to SMBs. Microsoft research found that MFA blocks over 99.9% of automated account compromise attacks. Every internet-facing service — Microsoft 365, Google Workspace, VPN, remote desktop, and cloud consoles — must require MFA for all users.

Action Items
  • Enable MFA on Microsoft 365 / Google Workspace for all users
  • Require MFA for VPN and remote access — no exceptions
  • Use authenticator app (Microsoft Authenticator, Google Authenticator) rather than SMS
  • Disable legacy authentication protocols (SMTP AUTH, basic auth) that bypass MFA
  • Enable Conditional Access policies to block sign-ins from unexpected locations

Privileged Access Management

High priority

Administrative accounts are the highest-value target for attackers. Domain admin, local admin, and cloud tenant admin credentials give an attacker complete control over your environment. Privileged access must be separated, controlled, and audited.

Action Items
  • Each admin has two accounts: standard (daily use) and admin (admin tasks only)
  • Admin accounts never used for email, browsing, or non-admin activity
  • Domain admin accounts used only on dedicated admin workstations or via PAM solution
  • All admin account activity logged and retained
  • Local admin passwords unique per device (use LAPS for Windows environments)

Password Policy and Credential Management

Foundational

NCSC guidance moved away from regular forced password rotation — this practice leads to weak, predictable passwords (Password1!, Password2!). The current best practice is: long unique passphrases, no forced rotation except after suspected compromise, and a check against known breached password lists.

Action Items
  • Minimum 12-character password policy (14+ for admin accounts)
  • Password complexity required — upper, lower, number, special character
  • No scheduled forced rotation unless compromise is suspected
  • Passwords checked against Have I Been Pwned breach database at creation
  • Organisation-wide password manager deployment (Bitwarden, 1Password) for unique passwords
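One way to implement the breach-list check from the action items above, as an added example that is not code from the original article or from VantagePoint: it queries the Have I Been Pwned Pwned Passwords range API using its k-anonymity scheme, so only the first five characters of the password's SHA-1 hash leave the machine. The demonstration input at the bottom is constructed, not real API output.

```powershell
# Added example (not part of the original article). Requires Windows PowerShell 5.1
# or PowerShell 7; the live check needs outbound HTTPS to api.pwnedpasswords.com.
function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try { $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text)) }
    finally { $sha1.Dispose() }
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

# Parses a range response ("SUFFIX:COUNT" per line) and returns the breach count
# for the given 35-character hash suffix, or 0 if the suffix is not listed.
# Padding entries added by the API carry a count of 0, so they never flag a match.
function Find-HibpSuffixCount {
    param([Parameter(Mandatory)][string]$RangeBody,
          [Parameter(Mandatory)][string]$Suffix)
    foreach ($line in ($RangeBody -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -eq 2 -and $parts[0] -eq $Suffix) { return [int]$parts[1] }
    }
    return 0
}

# Returns how many times the password appears in the breach corpus (0 = not found).
function Test-PwnedPassword {
    param([Parameter(Mandatory)][string]$Password)
    $hash   = Get-Sha1Hex -Text $Password
    $prefix = $hash.Substring(0, 5)   # the only part sent to the API
    $suffix = $hash.Substring(5)      # compared locally against the returned range
    # Add-Padding asks the API to pad the response so its size does not reveal
    # which prefix was queried.
    $body = Invoke-RestMethod -Method Get `
        -Uri "https://api.pwnedpasswords.com/range/$prefix" `
        -Headers @{ 'Add-Padding' = 'true' }
    return Find-HibpSuffixCount -RangeBody $body -Suffix $suffix
}

# Offline demonstration with a constructed range body (not real API output):
$demoHash = Get-Sha1Hex -Text 'Password1!'
$demoBody = "$($demoHash.Substring(5)):12345`r`nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:0"
Find-HibpSuffixCount -RangeBody $demoBody -Suffix $demoHash.Substring(5)   # 12345

# Live check against the real API (needs internet access):
# Test-PwnedPassword -Password 'Password1!'
```

A non-zero return means the password should be rejected at creation; the comparison in Find-HibpSuffixCount is case-insensitive, which matches the uppercase hex the API returns.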

User Lifecycle Management

Process discipline

Stale accounts — former employees, contractors, and service accounts that are no longer needed — are a persistent risk. Any active account represents a potential entry point. Access rights accumulate over time (permission creep) without active cleanup.

Action Items
  • Formal offboarding process: disable accounts on last working day, not after
  • Monthly audit of accounts inactive for 90+ days
  • Quarterly review of privileged access — does each admin still need that level?
  • Contractor and third-party access time-limited and revoked at contract end
  • Service accounts inventoried, documented, and reviewed annually

Active Directory Hygiene Checklist

  • Domain Admins group has fewer than 5 members (ideally 2–3)
  • No standard user accounts in Domain Admins group
  • Admin accounts follow naming convention (e.g., adm-jsmith)
  • Stale computer accounts (90+ days inactive) removed
  • Default domain password policy: 12+ characters minimum
  • LAPS deployed for local admin password management
  • Audit logs enabled for account logon, policy changes, and privilege use
  • Schema Admins and Enterprise Admins groups empty when not in use
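The checklist above, together with the 90-day stale-account audit from the User Lifecycle action items, turned into a read-only PowerShell audit. This is an added example and not code from the original article or from VantagePoint; it assumes the RSAT ActiveDirectory module, an account with read access to the domain, and the adm- naming convention from the checklist. The LAPS and audit-log items are left to be verified separately.

```powershell
# Added example (not part of the original article): reports checklist findings,
# changes nothing. Run from an admin workstation with the ActiveDirectory module.
Import-Module ActiveDirectory

$Findings = [System.Collections.Generic.List[string]]::new()
$Inactive = New-TimeSpan -Days 90   # "90+ days inactive" threshold from the checklist

# Domain Admins: fewer than 5 members, and only accounts named per the adm- convention
$da = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)
if ($da.Count -ge 5) {
    $Findings.Add("Domain Admins has $($da.Count) members (target: fewer than 5)")
}
$da | Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notlike 'adm-*' } |
    ForEach-Object { $Findings.Add("Standard-named account in Domain Admins: $($_.SamAccountName)") }

# Schema Admins and Enterprise Admins: empty unless a change is in progress
foreach ($g in 'Schema Admins', 'Enterprise Admins') {
    $members = @(Get-ADGroupMember -Identity $g)
    if ($members.Count -gt 0) {
        $Findings.Add("$g is not empty: $($members.SamAccountName -join ', ')")
    }
}

# Stale computer accounts, and enabled user accounts with no logon in 90+ days
foreach ($c in Search-ADAccount -AccountInactive -TimeSpan $Inactive -ComputersOnly) {
    $Findings.Add("Stale computer account: $($c.Name)")
}
Search-ADAccount -AccountInactive -TimeSpan $Inactive -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { $Findings.Add("Enabled user inactive 90+ days: $($_.SamAccountName)") }

# Default domain password policy: 12+ characters and no scheduled forced rotation
$pol = Get-ADDefaultDomainPasswordPolicy
if ($pol.MinPasswordLength -lt 12) {
    $Findings.Add("Minimum password length is $($pol.MinPasswordLength) (target: 12+)")
}
if ($pol.MaxPasswordAge -ne [TimeSpan]::Zero) {
    $Findings.Add("Passwords expire every $($pol.MaxPasswordAge.Days) days (target: no forced rotation)")
}

if ($Findings.Count -eq 0) { 'No findings: checked items pass' } else { $Findings }
```

Each finding maps to one checklist line, so the output doubles as the monthly and quarterly review record called for in the User Lifecycle action items.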

Frequently Asked Questions

What is identity and access management (IAM)?

Identity and access management (IAM) is the framework of policies, processes, and technologies that controls who can access what in an organisation's IT systems. It covers user account management, authentication (including MFA), authorisation, and privileged access controls.

What is the most important IAM control for small businesses?

Multi-factor authentication (MFA) on email and remote access is the single most impactful IAM control for SMBs. It prevents the vast majority of account takeover attacks, even when passwords are compromised through phishing or data breaches.

How should admin accounts be managed in a small business?

Admin accounts should be separate from standard user accounts — each administrator should have two accounts: a standard account for email and day-to-day work, and a named admin account used only for administrative tasks.

Check Your Identity & Access Security Score

The VP Audit free assessment includes a dedicated Identity & Access domain covering MFA, privileged access, and user account hygiene.
