Security Audits: What Good Looks Like in 2026
What a proper SMB security audit covers in 2026: the 7-domain checklist (identity, endpoint, email-auth, data, MDM, backup, IR), and when to run one.
TL;DR
A good SMB security audit in 2026 covers seven domains: identity, endpoint, email authentication, data, devices, backup and incident response. It scores against a named framework (CIS Microsoft 365 Foundations Benchmark v3, CIS Google Workspace, NIST CSF 2.0) and produces an executive summary, top three gaps, top three quick wins and top three roadmap items. Annual minimum, plus 60 days before any cyber-insurance renewal and after any major change. Anything less is theatre.
What’s the difference between a security audit, a posture review, and a pen test?
Three jobs, often confused.
A security audit is a structured review of configuration, policy and process against a defined yardstick (CIS, NIST CSF 2.0, ISO 27001 controls, the CIS Microsoft 365 Foundations Benchmark v3, the CIS Google Workspace Benchmark). It answers “are the controls in place and working?”. Mostly read-only. Produces evidence and findings.
A posture review is the lighter cousin. Same domains, less depth, faster turnaround. Often what an MSP means when it says “audit” in a sales conversation. Two days, not two weeks.
A penetration test is offensive. A tester, usually holding a CREST or OSCP certification, tries to break in. External, internal assumed-breach, web app, social engineering. A pen test tells you whether the door can be kicked open. An audit tells you whether the door, the lock, the alarm and the camera all exist and work. Most SMEs need an audit annually and a pen test every 24 to 36 months. Underwriters increasingly ask for both.
A vulnerability scan (Nessus, Qualys, OpenVAS, Defender Vulnerability Management) is the fourth category. Automated, finds known CVEs on reachable hosts, feeds the audit and the pen test. Not a substitute for either.
What does a good SMB security audit actually cover?
Seven domains. If a quote covers fewer, push back.
- Identity. IdP (Entra ID, Google Workspace, Okta), MFA enforcement, Conditional Access or Context-Aware Access, named admins, break-glass.
- Endpoint. EDR coverage and tuning, full-disk encryption, OS patch posture, third-party patching.
- Email authentication. SPF, DKIM, DMARC, MTA-STS, real-receiver headers.
- Data. DLP, sensitivity labels, third-party SaaS exposure, OAuth grants.
- MDM and devices. Compliance policies, OS version coverage, jailbreak/root detection, BYOD posture.
- Backup. What is backed up, retention, where the copies live, whether a restore has been tested.
- Incident response. Documented plan, contact tree, regulator-notification path, who calls who at 2am.
Anything outside these seven (network perimeter, physical security, vendor-risk management, secure SDLC) is bonus, not core, for most SMBs. Add when the business model demands it.
Identity audit: what to actually check
Identity is where most SMB compromises we respond to actually start.
MFA enforcement. The IdP-side enforcement record, not “we asked everyone”. In Entra ID, the legacy per-user MFA toggle is not a Conditional Access policy. We read every CA policy and check Sign-In Logs for the trailing 30 days for any successful sign-in that didn’t satisfy a strong-auth claim. Eight times in ten there is at least one.
Legacy authentication blocked. IMAP, POP, SMTP AUTH, older Exchange Web Services flows. Legacy auth bypasses MFA entirely. The most common gap on inherited Microsoft 365 tenants is “MFA on, legacy auth still permitted”. Block Legacy Authentication is the first CA policy we expect live in enforced mode. See our Microsoft 365 hardening guide for the full CA baseline.
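The two checks above (successful sign-ins that never satisfied MFA, and successful sign-ins over legacy protocols) come out of the same sign-in log export. The script below is an added example, not the page's own tooling: it reads the JSON shape Microsoft Graph returns from GET /auditLogs/signIns (the same shape the portal's "Download JSON" gives you), skips failures and anything older than the window, and lists the offenders. The records are constructed; the legacy client-app labels are a subset of Microsoft's list and assume an English-language export.

```python
"""Flag successful sign-ins that did not satisfy MFA or arrived over a legacy
protocol, from an Entra ID sign-in log export. Field names follow the Graph
signIn resource (GET /auditLogs/signIns), the same shape the portal's
"Download JSON" produces. The records below are constructed."""

import json
from datetime import datetime, timedelta, timezone

# clientAppUsed labels that the sign-in log files under legacy authentication.
# None of these clients can answer an MFA prompt, so the only useful CA verdict
# for them is "block". Subset of Microsoft's list; assumes English labels.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services",
}

# Constructed sample: a clean MFA sign-in, a scanner on IMAP with no MFA, a
# failed password guess (ignored), a service account with no MFA and no CA
# policy matched, and a POP3 sign-in older than the 30-day window.
SAMPLE_SIGN_INS = json.loads("""[
  {"createdDateTime": "2026-01-20T08:01:00Z", "userPrincipalName": "jane@example.co.za",
   "clientAppUsed": "Browser", "status": {"errorCode": 0},
   "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success"},
  {"createdDateTime": "2026-01-21T02:14:00Z", "userPrincipalName": "scanner@example.co.za",
   "clientAppUsed": "IMAP4", "status": {"errorCode": 0},
   "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied"},
  {"createdDateTime": "2026-01-22T09:30:00Z", "userPrincipalName": "pete@example.co.za",
   "clientAppUsed": "Browser", "status": {"errorCode": 50126},
   "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied"},
  {"createdDateTime": "2026-01-23T11:05:00Z", "userPrincipalName": "svc-crm@example.co.za",
   "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0},
   "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied"},
  {"createdDateTime": "2025-11-01T11:05:00Z", "userPrincipalName": "old@example.co.za",
   "clientAppUsed": "POP3", "status": {"errorCode": 0},
   "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied"}
]""")

# Fixed "now" so the sample gives the same answer every run.
AUDIT_NOW = datetime(2026, 1, 31, tzinfo=timezone.utc)


def _parse_ts(value):
    """Graph emits RFC 3339 with a trailing Z; fromisoformat wants an offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_sign_ins(records, window_days=30, now=None):
    """Return successful sign-ins in the window that (a) satisfied only one
    factor, (b) used a legacy protocol, (c) matched no CA policy at all.
    Failed sign-ins prove nothing about enforcement and are skipped."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=window_days)
    findings = {"no_mfa": [], "legacy_auth": [], "ca_not_applied": []}
    for rec in records:
        if _parse_ts(rec["createdDateTime"]) < cutoff:
            continue
        if rec.get("status", {}).get("errorCode") != 0:
            continue
        entry = {"user": rec["userPrincipalName"],
                 "client": rec.get("clientAppUsed", ""),
                 "when": rec["createdDateTime"]}
        # Anything other than an explicit MFA requirement counts as a gap,
        # including records where the field is missing entirely.
        if rec.get("authenticationRequirement") != "multiFactorAuthentication":
            findings["no_mfa"].append(entry)
        if entry["client"] in LEGACY_CLIENT_APPS:
            findings["legacy_auth"].append(entry)
        if rec.get("conditionalAccessStatus") == "notApplied":
            findings["ca_not_applied"].append(entry)
    return findings


def affected_users(findings, key):
    """Distinct users behind one finding, sorted for the report."""
    return sorted({e["user"] for e in findings[key]})


def run_sample(window_days=30):
    return audit_sign_ins(SAMPLE_SIGN_INS, window_days=window_days, now=AUDIT_NOW)


if __name__ == "__main__":
    result = run_sample()
    for key in ("no_mfa", "legacy_auth", "ca_not_applied"):
        print(f"{key}: {len(result[key])} sign-in(s) from {affected_users(result, key)}")
```

On the constructed data the scanner account shows up in all three lists, which is the classic inherited-tenant picture: a device or service account on IMAP, single factor, no policy touching it. The service account on a modern client with conditionalAccessStatus notApplied is the subtler finding, an exclusion or a missing "all users" scope rather than a legacy-auth gap.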
Conditional Access posture. Policy-by-policy walk-through. Block legacy auth. Require MFA for all users. Require compliant device for desktop access. Require phishing-resistant MFA for admins. Geo-restrict where it makes sense. Block high-risk sign-ins (Entra P2 only). Every exclusion named. A service account excluded from MFA with full mailbox access is a gift.
Named admins. Global Admin count under five for an SMB. Each admin role assigned to a person, not a shared mailbox. Privileged Identity Management eligible-not-active where licensing allows. Sign-in activity for every admin reviewed.
Break-glass accounts. At least two. Excluded from the main CA policies by design. Hardware FIDO2 keys, not authenticator apps. Credentials sealed and stored physically. Sign-in activity monitored with alerting. And tested. If the path has not been walked in six months, it does not work.
For Google Workspace, swap Conditional Access for Context-Aware Access and Entra for the Admin Console. Principles map directly.
Endpoint audit
The endpoint pass covers three things: detection coverage, encryption coverage and patch posture.
EDR coverage. Every endpoint reporting in. Not 95%. Every one. The 5% gap is where the attacker lands. We export the device list from the IdP, the MDM and the EDR console, then diff them. Vendor doesn’t matter (Defender for Business, Bitdefender GravityZone, SentinelOne, CrowdStrike). The test is “is every device reporting and is the agent healthy?”. Tamper Protection on. Where the EDR is Defender, Attack Surface Reduction rules in block mode rather than audit mode. Where it is Bitdefender, Advanced Threat Control tuned rather than left on defaults. See /bitdefender/ for what a tuned GravityZone tenant looks like.
Full-disk encryption coverage. BitLocker on Windows, FileVault on macOS, native LUKS or equivalent on Linux. Recovery keys escrowed somewhere a non-departed admin can retrieve them. We have audited tenants where 90% of laptops were encrypted but the recovery keys were stored on the IT manager’s personal OneDrive. That is not encryption coverage in any meaningful sense.
Patch posture. OS patch level for the trailing 30 days. Average days behind latest. Long-tail third-party patching (Chrome, Acrobat, Zoom, Teams, 7-Zip, Java where it still lurks). Most successful breaches we investigate exploited a known CVE patched weeks earlier. CVE-2024-30051 (Windows DWM), CVE-2023-7024 (Chrome), CVE-2024-21412 (Defender SmartScreen): all patched, still found unpatched on inherited fleets.
The audit produces a per-endpoint scorecard, a fleet-wide compliance percentage, and a list of orphaned devices the IT team forgot existed.
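The three-way diff and the per-endpoint scorecard described in this section, as an added example rather than the page's own tooling. It loads the IdP, MDM and EDR exports, normalises hostnames so LAPTOP-03.corp.example.co.za and laptop-03 are the same box, and reports the gaps the section names: devices with no EDR agent or an unhealthy one, Tamper Protection off, unencrypted disks, builds below the Windows 11 24H2 baseline, stale identity objects and devices a tool knows about that identity does not. Column names only loosely follow the Entra, Intune and EDR console exports, the CSV rows are constructed, and the OS baseline assumes a Windows-only fleet.

```python
"""Reconcile the IdP, MDM and EDR device exports and score every endpoint.
Column names loosely follow the Entra, Intune and EDR console exports; the
CSV rows are constructed. Assumes a Windows-only fleet for the OS baseline."""

import csv
import io
from datetime import datetime, timezone

IDP_CSV = """displayName,approximateLastSignInDateTime
LAPTOP-01,2026-01-28T07:10:00Z
LAPTOP-02,2026-01-27T16:40:00Z
LAPTOP-03.corp.example.co.za,2025-09-14T09:00:00Z
DESKTOP-FIN1,2026-01-29T08:00:00Z
"""

MDM_CSV = """deviceName,isEncrypted,osVersion,lastSyncDateTime
laptop-01,True,10.0.26100.2894,2026-01-28T07:12:00Z
laptop-02,False,10.0.26100.2894,2026-01-27T16:45:00Z
desktop-fin1,True,10.0.19045.5131,2026-01-29T08:05:00Z
"""

EDR_CSV = """hostname,agentHealth,lastSeen,tamperProtection
LAPTOP-01,Healthy,2026-01-28T07:15:00Z,On
DESKTOP-FIN1,Unhealthy,2026-01-12T10:00:00Z,Off
SRV-FILE01,Healthy,2026-01-29T01:00:00Z,On
"""

AUDIT_NOW = datetime(2026, 1, 31, tzinfo=timezone.utc)  # fixed for reproducibility
STALE_DAYS = 90          # Entra device objects idle this long get retired
BASELINE_BUILD = 26100   # Windows 11 24H2; lower is a documented exception or a finding


def normalise(name):
    """LAPTOP-03.corp.example.co.za, laptop-03 and LAPTOP-03 are one box."""
    return name.strip().lower().split(".")[0]


def load(csv_text, name_column):
    """Index an export by normalised hostname."""
    return {normalise(row[name_column]): row
            for row in csv.DictReader(io.StringIO(csv_text))}


def _days_since(timestamp, now):
    return (now - datetime.fromisoformat(timestamp.replace("Z", "+00:00"))).days


def _build(os_version):
    parts = os_version.split(".")
    return int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 0


def reconcile(idp, mdm, edr, now=AUDIT_NOW):
    """Diff the three inventories, score each device, compute the fleet %."""
    universe = sorted(set(idp) | set(mdm) | set(edr))
    keys = ("no_edr", "edr_unhealthy", "tamper_off", "no_mdm", "unencrypted",
            "below_baseline", "stale_idp", "unknown_to_idp")
    findings = {k: [] for k in keys}
    scorecard = {}
    for name in universe:
        e, m, i = edr.get(name), mdm.get(name), idp.get(name)
        checks = {
            "edr_healthy": e is not None and e["agentHealth"] == "Healthy",
            "tamper_on": e is not None and e["tamperProtection"] == "On",
            "mdm_enrolled": m is not None,
            "encrypted": m is not None and m["isEncrypted"] == "True",
            "on_baseline": m is not None and _build(m["osVersion"]) >= BASELINE_BUILD,
            "in_idp": i is not None,
        }
        if e is None:
            findings["no_edr"].append(name)          # the 5% gap the attacker lands on
        else:
            if not checks["edr_healthy"]:
                findings["edr_unhealthy"].append(name)
            if not checks["tamper_on"]:
                findings["tamper_off"].append(name)
        if m is None:
            findings["no_mdm"].append(name)
        else:
            if not checks["encrypted"]:
                findings["unencrypted"].append(name)
            if not checks["on_baseline"]:
                findings["below_baseline"].append(name)
        if i is None:
            findings["unknown_to_idp"].append(name)  # seen by a tool, not by identity
        elif _days_since(i["approximateLastSignInDateTime"], now) > STALE_DAYS:
            findings["stale_idp"].append(name)       # orphaned object, retire it
        scorecard[name] = {**checks, "compliant": all(checks.values())}
    compliant = sum(1 for s in scorecard.values() if s["compliant"])
    pct = round(100 * compliant / len(universe), 1) if universe else 0.0
    return {"findings": findings, "scorecard": scorecard, "fleet_pct": pct}


def run_sample():
    return reconcile(load(IDP_CSV, "displayName"), load(MDM_CSV, "deviceName"),
                     load(EDR_CSV, "hostname"))


if __name__ == "__main__":
    report = run_sample()
    print(f"fleet compliance: {report['fleet_pct']}%")
    for key, names in report["findings"].items():
        if names:
            print(f"{key}: {', '.join(names)}")
```

The universe is the union of all three exports, not the EDR console's own count, which is the whole point: a console that reports 100% of the devices it knows about says nothing about the laptop that was never enrolled. Patch age on the sample is approximated by the OS build; a real run would add the last-patched date from the MDM or vulnerability-management export to the same scorecard.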
Email-auth audit
The audit reads what public DNS publishes and what real receivers actually do.
SPF. At most 10 DNS-querying terms (include, a, mx, ptr, exists, redirect) across the whole include tree, per RFC 7208; an eleventh makes receivers return permerror and treat the record as broken. Every include traced to a sender actively used. Ghost includes (the Mailchimp from three years ago that nobody removed) cut; they still cost a lookup even when the target no longer publishes a record. Eyeball the includes, ask marketing about the ones we don’t recognise.
DKIM. Selectors enabled and active. For Microsoft 365, both selector1 and selector2 published as CNAMEs and signing turned on per-domain in the Defender portal. For Google Workspace, the google selector active and not just generated-but-not-enabled (the most common GW DKIM failure). 2048-bit keys minimum. 1024-bit selectors are weak by 2026 standards.
DMARC. Policy strength is the first thing read. p=none is monitoring, not protection. p=quarantine is partial. p=reject is the destination. pct= at 100 or absent; a pct=10 left over from rollout means nine in ten spoofed messages sail past the policy. rua= pointing somewhere that actually parses the XML. sp= checked explicitly: subdomains inherit p when it is omitted, so the trap is an sp=none that quietly leaves every subdomain spoofable.
Headers. The receipts. Send a test message into a known-good account and read the actual Authentication-Results, Received-SPF, DKIM-Signature and ARC-Authentication-Results headers. The DNS view tells you what your domain claims; the headers tell you what receivers see. Full detail at /dmarc/.
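The DNS-side and header-side checks from the four paragraphs above, as one added example that is not the page's own tooling. It walks an SPF include tree and counts lookups the way RFC 7208 does (an include whose target has vanished still costs one), grades a DMARC record on p, pct, sp and rua, and pulls the verdicts and DKIM selector out of an Authentication-Results header. The SPF zone, the DMARC record and the header are all constructed; the .example hostnames stand in for a real tenant and its sending vendors, and the zone dict stands in for live DNS so the walk runs offline.

```python
"""Offline checks for the email-auth pass: the SPF lookup budget across the
include tree, DMARC tag strength, and what a receiver reported in
Authentication-Results. The zone, DMARC record and header are constructed;
the .example names stand in for a real tenant and its sending vendors."""

import re

# Constructed SPF zone, standing in for live DNS. The cancelled CRM vendor's
# include (spf.oldcrm.example) is deliberately absent: a ghost include.
SPF_ZONE = {
    "example.co.za": ("v=spf1 include:spf.mailhost.example include:spf.bulk.example "
                      "include:spf.helpdesk.example include:spf.oldcrm.example mx a -all"),
    "spf.mailhost.example": "v=spf1 ip4:203.0.113.0/24 include:spfa.mailhost.example -all",
    "spfa.mailhost.example": "v=spf1 ip6:2001:db8:1::/48 -all",
    "spf.bulk.example": ("v=spf1 include:nb1.bulk.example include:nb2.bulk.example "
                         "include:nb3.bulk.example include:nb4.bulk.example ~all"),
    "nb1.bulk.example": "v=spf1 ip4:198.51.100.0/26 ~all",
    "nb2.bulk.example": "v=spf1 ip4:198.51.100.64/26 ~all",
    "nb3.bulk.example": "v=spf1 ip4:198.51.100.128/26 ~all",
    "nb4.bulk.example": "v=spf1 ip4:198.51.100.192/26 ~all",
    "spf.helpdesk.example": "v=spf1 ip4:192.0.2.10 -all",
}
SAMPLE_DMARC = "v=DMARC1; p=quarantine; sp=none; pct=10; rua=mailto:dmarc@example.co.za; adkim=r"
SAMPLE_AUTH_RESULTS = (
    "Authentication-Results: mx.google.com; dkim=pass header.i=@example.co.za "
    'header.s=selector1 header.b="k3Qf7a"; spf=pass (google.com: domain of '
    "bounce@example.co.za designates 203.0.113.5 as permitted sender) "
    "smtp.mailfrom=bounce@example.co.za; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) "
    "header.from=example.co.za")


def _terms(record):
    return [t.lstrip("+-~?") for t in record.split()[1:]]  # drop v=spf1 and qualifiers


def spf_lookups(domain, zone, seen=None):
    """Count DNS-querying terms through include/redirect (RFC 7208 s4.6.4).
    Returns (count, unresolved targets): an include with no record behind it
    still costs a lookup, which is why ghost includes hurt."""
    seen = set() if seen is None else seen
    if domain in seen:  # loop guard
        return 0, []
    seen.add(domain)
    count, unresolved = 0, []
    for term in _terms(zone.get(domain, "v=spf1")):
        if term.startswith(("include:", "redirect=")):
            target = re.split("[:=]", term, maxsplit=1)[1]
            count += 1
            if target in zone:
                sub_count, sub_unresolved = spf_lookups(target, zone, seen)
                count += sub_count
                unresolved += sub_unresolved
            else:
                unresolved.append(target)
        elif term in ("a", "mx", "ptr") or term.startswith(("a:", "a/", "mx:", "mx/", "ptr:", "exists:")):
            count += 1
    return count, unresolved


def spf_findings(domain, zone):
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return ["no SPF record published"]
    count, unresolved = spf_lookups(domain, zone)
    findings = []
    if count > 10:
        findings.append(f"{count} DNS lookups, over the RFC 7208 limit of 10 (receivers return permerror)")
    findings += [f"include:{t} has no SPF record behind it (ghost include, remove it)" for t in unresolved]
    last = record.split()[-1]
    if last not in ("-all", "~all"):
        findings.append(f"record ends in {last!r}, not -all or ~all")
    return findings


def parse_dmarc(record):
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def dmarc_findings(record):
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record"]
    strength = {"none": 0, "quarantine": 1, "reject": 2}
    findings = []
    p = tags.get("p", "none")
    if p == "none":
        findings.append("p=none: monitoring only, no protection")
    elif p == "quarantine":
        findings.append("p=quarantine: partial, the destination is p=reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only {tags['pct']}% of failing mail")
    sp = tags.get("sp")
    if sp is not None and strength.get(sp, 0) < strength.get(p, 0):
        findings.append(f"sp={sp} weakens the policy for every subdomain (omit sp to inherit p)")
    if "rua" not in tags:
        findings.append("no rua=: nobody receives aggregate reports")
    return findings


AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc|arc)=([a-z]+)")


def parse_authentication_results(header):
    """What the receiver actually decided, plus the DKIM selector it verified.
    With several DKIM signatures the last result wins; extend if you need all."""
    results = dict(AUTH_RESULT_RE.findall(header))
    selector = re.search(r"header\.s=([\w.-]+)", header)
    if selector:
        results["dkim_selector"] = selector.group(1)
    return results
```

On the constructed zone the domain is one lookup over budget and carries a ghost include, the two findings that go together in practice: the cure for the first is usually the second. The header parse is what closes the loop between the DNS view and the receiver's view; the receiver's dmarc= comment even echoes the sp=NONE it applied, which is the subdomain gap the DMARC paragraph warns about.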
Data audit
Under-scoped auditors skip this. Then everyone is surprised when a sales rep walks out with the customer list.
DLP. Microsoft Purview DLP rules, Google Workspace DLP rules, third-party tools where present. Every rule reviewed for whether it actually blocks something or sits in audit-only mode forever. Coverage of credit-card numbers, identity numbers, banking details, classified document patterns. Test transactions sent and observed.
Sensitivity labels. Published taxonomy (Public, Internal, Confidential, Restricted is the common shape). Default labels applied to new content. Encryption at the higher tiers. Auto-classification rules examined. Plus the user-experience check: can a user downgrade a label without justification, and is the audit log capturing it?
Third-party SaaS exposure. OAuth grants in the Microsoft 365 enterprise applications blade and the Google Workspace OAuth apps console. Every grant reviewed for “do we still use this and do we trust it?”. Common findings: AI-summarisation tools granted full mailbox read, and “free” PDF converters granted Drive scopes nobody remembered approving.
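A triage pass over that grant list, as an added example rather than the page's own tooling. It takes grants in the shape you get from Entra's oauth2PermissionGrants (joined to the app's display name) or the Google Workspace OAuth apps console, ranks each by the standing access its scopes confer, flags tenant-wide admin consent and refresh-token persistence, and separates out the grants nobody has used in months. The scope strings are the real Microsoft Graph and Google ones; the grants, app names and last-used figures are constructed.

```python
"""Rank OAuth grants by the standing access they hold. Works on a grant list
pulled from Entra (oauth2PermissionGrants joined to the app's display name)
or the Google Workspace OAuth apps console. Scope strings are the real Graph
and Google ones; the grants themselves are constructed."""

# Scopes that hand an app mailbox, file or directory contents on their own.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Mail.ReadBasic.All",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "Directory.AccessAsUser.All",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}
# offline_access is a refresh token: it turns a one-off read into standing access.
PERSISTENCE_SCOPES = {"offline_access"}
LEVEL_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample. consentType follows Graph: AllPrincipals means an admin
# consented on behalf of every user; Principal means one user consented.
SAMPLE_GRANTS = [
    {"app": "Meeting Summariser AI", "consentType": "AllPrincipals",
     "scope": "User.Read Mail.Read Calendars.Read offline_access", "lastUsedDays": 3},
    {"app": "Free PDF Converter", "consentType": "Principal",
     "scope": "https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/userinfo.email",
     "lastUsedDays": 400},
    {"app": "Teams Room Booking", "consentType": "AllPrincipals",
     "scope": "User.Read Calendars.Read", "lastUsedDays": 1},
    {"app": "Old CRM Connector", "consentType": "Principal",
     "scope": "Directory.ReadWrite.All offline_access", "lastUsedDays": 210},
]


def triage(grants, unused_days=90):
    """Return one row per grant with a level and the reasons, worst first."""
    rows = []
    for g in grants:
        scopes = set(g["scope"].split())
        reasons, level = [], "low"
        dangerous = sorted(scopes & HIGH_RISK_SCOPES)
        if dangerous:
            level = "high"
            reasons.append("holds " + ", ".join(dangerous))
        if g["consentType"] == "AllPrincipals":
            level = "high" if level == "high" else "medium"
            reasons.append("admin-consented for every user in the tenant")
        if scopes & PERSISTENCE_SCOPES:
            reasons.append("offline_access: standing access via refresh token")
        if g["lastUsedDays"] > unused_days:
            reasons.append(f"not used in {g['lastUsedDays']} days: revoke")
        rows.append({"app": g["app"], "level": level, "reasons": reasons})
    return sorted(rows, key=lambda r: (LEVEL_ORDER[r["level"]], r["app"]))


def revoke_candidates(triaged):
    """Grants nobody has exercised lately; the cheapest finding to close."""
    return [r["app"] for r in triaged if any(x.endswith(": revoke") for x in r["reasons"])]


if __name__ == "__main__":
    for row in triage(SAMPLE_GRANTS):
        print(f"[{row['level']:6}] {row['app']}: {'; '.join(row['reasons'])}")
    print("revoke:", revoke_candidates(triage(SAMPLE_GRANTS)))
```

The ranking puts the AI summariser with Mail.Read plus offline_access, admin-consented tenant-wide, at the top alongside the forgotten PDF converter holding full Drive scope: exactly the two patterns the paragraph above names. The room-booking app lands at medium purely because of tenant-wide consent, which is the right answer; breadth of consent matters even when the scopes are mild.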
Shared-responsibility check. What is and is not the SaaS vendor’s job. If the answer is hand-waving, the shared responsibility model is the conversation we end up having.
MDM and device audit
The fleet management layer enforces compliance. The audit checks whether the policies say what the business thinks they say.
Compliance policies. What “compliant” means defined explicitly. Encrypted disk. Current OS. No jailbreak or root. Antivirus running. Screen lock under 15 minutes. Policy attached to the CA “require compliant device” rule so non-compliant devices lose access. Half of “compliance policies” in inherited Intune tenants don’t feed CA. Reports, not controls.
OS versions. Windows 11 24H2 baseline by 2026 or a documented exception. macOS within one major version of current. iOS and Android within two minor versions. Long-tail Windows 10 boxes still on the network is the common finding.
Jailbreak and root detection. On by default in Hexnode and Intune for managed iOS and Android. Off in BYOD configurations more often than people think. Verified by enrolling a deliberately-jailbroken test device.
Enrolment posture. Auto-enrolment for new devices. Old enrolments cleaned out. Stale device objects in Entra older than 90 days retired. The full MDM playbook at /mdm/ covers Hexnode and Intune.
Backup audit
The audit question is not “do you back up?” but “have you tested a restore?”.
What is backed up. Microsoft 365 mailboxes, OneDrive, SharePoint, Teams chats. Google Workspace mail, Drive, Shared Drives, Calendar. On-prem file servers. Endpoints. Cloud workloads. Every category answered explicitly. The honest answer for many SMEs is “less than we thought”. See Vault vs third-party backup for the GW gap that catches people out.
Retention. Daily, weekly, monthly, yearly. Aligned with the regulatory requirement that actually applies (POPIA, GDPR, sector-specific). Backup is not retention or legal hold. Different jobs.
Where the copies live. 3-2-1 honoured. Three copies, two media types, one off-site. Immutability where the product supports it (S3 Object Lock, Veeam Hardened Repository, Datto immutable cloud). Ransomware encrypting both production and the only backup is a story we have heard too often.
Test restore. When was the last restore actually performed? Not “we restored that one user’s mailbox last month”. A full DR test. RTO and RPO measured against business expectation, not the SLA on the brochure. The audit asks for evidence: a screenshot, a runbook, a date. No evidence, no credit.
IR audit
Incident response is the domain most likely to be a PowerPoint deck and nothing else.
Documented plan. A runbook. Not a vendor template with placeholders unfilled. Sections for ransomware, business email compromise, data exfiltration, insider threat, lost-or-stolen device. Each with kick-off, evidence-preservation, containment and notification steps.
Contact tree. Who calls who at 2am. CEO, CFO, IT lead, MSP on-call, lawyer, insurer’s incident hotline, regulator contact. Phone numbers, not email. Tested with an actual call once a year.
Where do you report. POPIA section 22 requires notifying the Information Regulator “as soon as reasonably possible” after discovering a compromise; the safe working assumption is 72 hours. GDPR Article 33 is 72 hours, and anything later has to be justified to the supervisory authority in writing. Sector regulators (FSCA, healthcare bodies) have their own clocks. Nobody figures this out at 3am during the actual incident.
Tabletop. When did the team last walk through a scenario? An hour, once a year, runbook open, deliberately-vague brief. Cheap, high-value, almost always skipped.
What good documentation looks like at the end
The deliverable separates an audit from theatre.
Executive summary. One page. The score, the trend, the headline risk. Written for a CFO, not a CISO.
Top three gaps. Biggest exposures, named and quantified. Not “improve patch posture”. Try “23 endpoints have not received Windows patches in over 90 days; two are domain controllers”. A gap that cannot be quantified is a feeling.
Top three quick wins. Real risk closed in under a fortnight, low cost, low disruption. Block legacy auth. Enable both DKIM selectors. Switch Tamper Protection on tenant-wide. The IT team starts on these the same week.
Top three roadmap items. The bigger projects. Migration to phishing-resistant MFA. DMARC p=reject deployment. EDR rollout to the Linux server estate. Sized in weeks-of-effort and rough rand-budget.
Evidence pack. Screenshots, exports, log excerpts. For the auditor next year, the underwriter at renewal, and the IT team six months from now.
Scorecard. Against a named framework (CIS Microsoft 365 Foundations Benchmark v3, CIS Google Workspace Benchmark, NIST CSF 2.0). Reproducible. Same rubric next year, real comparison.
When should an SMB do this?
Three triggers.
Annually, minimum. Threats move, your tenant drifts, vendors ship new defaults, staff change. A snapshot a year old is folklore.
Sixty days before a cyber-insurance renewal. Underwriters in 2026 ask explicit questions about EDR coverage, MFA enforcement, DMARC policy strength, backup immutability and IR readiness. Sixty days gives you time to fix the top three quick wins before the questionnaire goes back. Going into renewal blind is how premiums double. See cyber insurance and DMARC: what underwriters want for the questionnaire-side detail.
After any major change. New tenant. New MSP. Acquisition. Migration to cloud. Major staff turnover at the IT or admin tier. The post-change audit confirms the new posture and surfaces the drift that always happens during transitions.
Pragmatic note for owner-operators: the cheapest moment to commission an audit is right after inheriting an environment, before you make it your own. Defensible baseline; clean before-and-after on any future incident.
Where this fits
OSH services and professional services wrap audit work (independent review, post-incident retrospectives, MSP-transition support).
Related services: /microsoft-365/, /google-workspace/, /dmarc/, /bitdefender/, /mdm/, /exclaimer/. Other compliance reading: cyber insurance and DMARC.
Free 60-minute OSH security audit
The next step is small and concrete: a free 60-minute OSH security audit covering the seven domains. We log in read-only with your sign-off, score the tenant against the relevant CIS benchmark, and walk you through the top three gaps and top three quick wins. You walk out with a quick-wins list your IT team can start on the same week. Written report within five business days. Yours to keep whether you engage us further or not.
Email support@osh.co.za or use the form below. We respond with a calendar link the same business day.