Is Your NC Business Ready for AI Cyber Threats? Checklist

Use this AI cybersecurity readiness checklist to assess your NC business risk. Actionable steps to protect against AI-powered threats. Call (336) 886-3282.


TL;DR: Only 51% of small businesses have AI security policies despite 83% saying AI has increased the threat level. This self-assessment checklist covers the seven critical areas where NC businesses must be prepared for AI-powered cyber threats, from MFA deployment to incident response readiness. Score your business and identify the gaps that put you at greatest risk.

Critical takeaway: Readiness is measurable. With 43% of cyberattacks targeting small businesses, the average AI-related breach costing $254,445, and 60% of breached SMBs closing within six months, knowing exactly where your defenses stand is the first step toward survival in the AI threat era.

Want a professional assessment? Contact Preferred Data Corporation at (336) 886-3282 or take our free cybersecurity assessment. Serving High Point, Greensboro, Charlotte, Raleigh, and all of North Carolina since 1987.

How Ready Is Your Business? The AI Threat Readiness Framework

Most North Carolina business owners know cybersecurity matters, but few have a clear picture of exactly where they stand. This readiness framework breaks AI threat preparedness into seven measurable categories. Rate your business honestly on each, and you will have a concrete understanding of your risk profile.

Each category uses a simple scoring system. For each item, assign your business a score: 2 points if fully implemented, 1 point if partially implemented, and 0 points if not implemented. Total your score at the end to determine your readiness level.

This assessment is designed for businesses of all sizes across North Carolina, from 10-person shops in High Point to 200-person manufacturers in Charlotte. The specific tools and approaches may vary, but the fundamentals apply universally. With 94% of SMBs using managed service providers in 2026, most businesses will address these categories through their MSP relationship.

Category 1: Identity and Access Controls

Identity and access management is the foundation of cybersecurity defense. MFA alone blocks 99.9% of automated attacks according to Microsoft research. Without strong identity controls, every other defense can be bypassed.

Assessment items:

  • [ ] Multi-factor authentication is enabled on all business email accounts
  • [ ] MFA is enabled on all cloud services (Microsoft 365, Google Workspace, etc.)
  • [ ] MFA is required for all remote access (VPN, RDP, remote desktop)
  • [ ] Administrative accounts use separate MFA-protected credentials
  • [ ] Password policy requires 14+ characters with complexity requirements
  • [ ] Former employee accounts are disabled within 24 hours of departure
  • [ ] Privileged access is limited to employees who specifically need it
  • [ ] Single sign-on (SSO) is implemented where available

Why this matters in the AI era: AI-powered phishing achieves 54-78% open rates compared to just 12% for traditional phishing. When AI can craft a perfect impersonation of your CEO's email style, the password is likely to be compromised. MFA is the failsafe that prevents compromised credentials from becoming compromised systems.

For businesses in Greensboro, Winston-Salem, and the Piedmont Triad, identity controls should be the first priority. If you scored fewer than 12 points in this category, address it immediately.

Category 2: Endpoint Protection and Detection

Traditional antivirus is insufficient in the AI era. Claude Mythos discovered thousands of zero-day vulnerabilities with no known signatures. Your endpoint protection must detect threats based on behavior, not just pattern matching.

Assessment items:

  • [ ] All endpoints run next-generation EDR (endpoint detection and response)
  • [ ] EDR solutions use behavioral analysis, not just signature matching
  • [ ] Mobile devices are managed with MDM (mobile device management)
  • [ ] USB and removable media policies are enforced technically
  • [ ] Full-disk encryption is enabled on all laptops and mobile devices
  • [ ] Operating systems are updated within 48 hours of patch release
  • [ ] Third-party applications are patched regularly (browsers, PDF readers, etc.)
  • [ ] End-of-life software has been identified and has a migration plan

Why this matters in the AI era: Mythos found zero-days in every major OS and browser, including a 27-year-old OpenBSD bug and a 17-year-old FreeBSD vulnerability (CVE-2026-4747). Behavioral detection catches exploitation attempts even when the specific vulnerability is unknown. For manufacturers in High Point and Charlotte running legacy production systems, this category is critical.

Category 3: Network Security Architecture

Network architecture determines how far an attacker can move once inside your environment. Proper segmentation can turn a 72-minute complete breach into a contained incident affecting a single segment.

Assessment items:

  • [ ] Network is segmented into separate zones (e.g., production, office, guest)
  • [ ] Firewall rules restrict traffic between segments based on business need
  • [ ] Wireless networks use WPA3 encryption with separate SSIDs for business and guest
  • [ ] Network monitoring detects anomalous traffic patterns
  • [ ] DNS filtering blocks known malicious domains
  • [ ] Remote access uses VPN with MFA (not exposed RDP)
  • [ ] IoT devices are isolated on a separate network segment
  • [ ] OT/industrial systems are air-gapped or heavily restricted from IT networks

Why this matters in the AI era: AI-powered attacks move through networks at machine speed. Without segmentation, a single compromised workstation in your Raleigh office can lead to full network compromise in under 72 minutes. Segmentation buys time and limits damage.

Category 4: Data Protection and Backup

Data protection ensures that even when defenses fail, your business can recover. With ransomware costs projected at $74 billion in 2026 and 75% of SMBs unable to continue operating after a ransomware attack, backup is your last line of defense.

Assessment items:

  • [ ] All critical data is backed up at least daily
  • [ ] Backups follow the 3-2-1 rule (3 copies, 2 media types, 1 offsite)
  • [ ] Backup integrity is tested monthly through restoration exercises
  • [ ] Backups are stored in an air-gapped or immutable format (ransomware-proof)
  • [ ] Data classification policy identifies sensitive data and its location
  • [ ] Encryption protects data at rest and in transit
  • [ ] Data retention policies are documented and followed
  • [ ] Cloud data is backed up independently (not relying solely on provider)

Why this matters in the AI era: AI-powered ransomware is faster, more targeted, and harder to detect. When attackers can move from access to encryption in under 72 minutes, having reliable, tested backups is the difference between a disruption and a disaster. For businesses in Durham, Charlotte, and across North Carolina, backup solutions are non-negotiable.

| Backup Maturity Level | Description | Ransomware Survival Probability |
|---|---|---|
| No backups | Business data exists only on live systems | Very low |
| Basic backups (on-network) | Regular backups stored on same network | Low - likely encrypted with other data |
| Offsite backups | Copies stored at different location | Moderate |
| Immutable offsite backups | Cannot be modified or deleted after creation | High |
| Tested immutable backups | Regular restoration tests confirm viability | Very high |

Category 5: Security Awareness and Training

Employees remain the most common entry point for cyberattacks. With AI-powered phishing achieving 54-78% open rates, training programs must evolve to address increasingly sophisticated social engineering.

Assessment items:

  • [ ] All employees complete cybersecurity awareness training annually
  • [ ] Phishing simulation tests are conducted quarterly
  • [ ] Employees know how to report suspected phishing or security incidents
  • [ ] Training specifically addresses AI-generated phishing and deepfakes
  • [ ] Role-specific training is provided for high-risk positions (finance, HR, IT)
  • [ ] Security policies are documented and accessible to all employees
  • [ ] New hire onboarding includes cybersecurity training within first week
  • [ ] Executive team has received targeted training on business email compromise

Why this matters in the AI era: AI phishing costs 95% less to produce and achieves dramatically higher success rates. Employees in Greensboro, High Point, and across North Carolina will encounter AI-crafted phishing emails that are virtually indistinguishable from legitimate business communications. Training is the only way to build human resilience against these attacks.

Category 6: Incident Response and Business Continuity

When (not if) an incident occurs, your response speed determines the outcome. Organizations with AI-powered defenses detect threats 80 days faster and save $1.9 million per breach. But speed requires planning and preparation.

Assessment items:

  • [ ] A written incident response plan exists and is reviewed annually
  • [ ] Key personnel know their roles during a security incident
  • [ ] The incident response plan has been tested through a tabletop exercise
  • [ ] Communication templates exist for customer, employee, and regulatory notification
  • [ ] Legal counsel and cyber insurance provider contacts are readily available
  • [ ] 24/7 monitoring and alerting is in place (internal or via MSP)
  • [ ] Automated containment capabilities exist for detected threats
  • [ ] Business continuity plan addresses operations during extended IT outage

Why this matters in the AI era: Attackers move from access to data theft in under 72 minutes. An incident response plan that starts with "call the IT guy in the morning" is not a plan, it is a resignation letter. For manufacturing companies in the Piedmont Triad with production schedules to maintain, business continuity planning is essential.

Category 7: AI-Specific Security Policies

This is the category where most businesses fall short. Only 51% of SMBs have AI security policies, despite 83% acknowledging AI has increased the threat level. Closing this gap is essential for businesses across North Carolina.

Assessment items:

  • [ ] An AI acceptable use policy governs how employees use AI tools
  • [ ] Guidelines exist for what data can and cannot be shared with AI systems
  • [ ] AI-generated content is reviewed before external publication
  • [ ] The business has evaluated AI-powered security tools for defense
  • [ ] Supply chain partners have been assessed for AI-related security risks
  • [ ] Cybersecurity insurance policy has been reviewed for AI-specific coverage
  • [ ] Regular threat briefings include AI-powered attack trends
  • [ ] Budget allocation for cybersecurity reflects AI-era threat levels

Why this matters: Claude Mythos scored 83.1% on CyberGym and discovered thousands of zero-days. The $100 million Project Glasswing coalition, with Amazon, Apple, Google, and Microsoft, confirms that AI changes everything. Businesses without AI-specific policies are operating with a blind spot in their risk management.

Ready for a professional assessment? Take our free cybersecurity assessment or call Preferred Data at (336) 886-3282 for an in-depth evaluation.

Score Your Readiness: What Your Results Mean

Add up your scores across all seven categories. The maximum possible score is 112 points (56 items at 2 points each).

| Score Range | Readiness Level | Recommended Action |
|---|---|---|
| 90-112 | Strong | Annual review and continuous improvement |
| 70-89 | Good | Address gaps in lowest-scoring categories |
| 50-69 | Fair | Prioritize improvements, engage professional help |
| 30-49 | Concerning | Significant gaps exist, immediate action needed |
| 0-29 | Critical | Major risk exposure, seek professional assessment now |

Most North Carolina businesses score in the 40-70 range, with significant gaps in AI-specific policies and incident response preparedness. If your score is below 70, Preferred Data Corporation can help you close the gaps efficiently.

With over 37 years of experience protecting NC businesses, BBB A+ accreditation, and an average client retention of 20+ years, we help businesses in High Point, Charlotte, Greensboro, Raleigh, Winston-Salem, Durham, and the entire Piedmont Triad region achieve and maintain cybersecurity readiness.

Our cybersecurity services address every category in this checklist. Our managed IT services ensure ongoing compliance and protection. Our AI transformation services help businesses safely adopt AI tools while managing associated risks.

Your cybersecurity readiness is measurable and improvable. Contact Preferred Data at (336) 886-3282 or visit our contact page to schedule your professional assessment. With 87% of organizations experiencing AI-driven attacks, the time to assess and act is now.

Frequently Asked Questions

How often should we reassess our cybersecurity readiness?

Reassess at least quarterly, with a comprehensive annual review. The AI threat landscape evolves rapidly, and what was adequate six months ago may have new gaps. Businesses in North Carolina should also reassess after any significant IT changes, new service deployments, or major industry threat developments.

What is the minimum acceptable readiness score?

A score of 70 or above indicates reasonable preparedness, though continuous improvement is essential. Scores below 50 represent significant risk that should be addressed urgently. The most critical items are MFA deployment, endpoint protection, and backup integrity, as these have the highest impact on breach outcomes.

Can we use this checklist for compliance purposes?

This checklist covers security fundamentals that align with many compliance frameworks, but it is not a substitute for formal compliance audits. CMMC, NIST, and other frameworks have specific requirements that may go beyond or differ from this general assessment. Preferred Data can help with compliance-specific assessments.

How much does it cost to improve from a low score to a high score?

Costs vary by current state and business complexity. However, improving from a score of 30 to 70 might cost $5,000-$30,000 depending on the specific gaps. Compare this to the $254,445 average breach cost and the improvement is a clear investment. Many improvements, like enabling MFA, cost nothing.

Should all employees be involved in the assessment?

Key stakeholders from IT, management, and operations should participate. Employees are also important for assessing the security awareness category. For businesses in the Piedmont Triad with fewer than 50 employees, involving the entire team in awareness assessments provides the most accurate picture.

What if we score well but still get breached?

No defense is perfect. The goal is reducing risk and ensuring rapid recovery. Even businesses with strong scores should maintain cyber insurance, tested backups, and incident response plans. The difference between a high-scoring and low-scoring business is not immunity from attack but the speed and effectiveness of recovery.

What role does our MSP play in this assessment?

Your managed service provider should be a primary partner in both the assessment and remediation. With 94% of SMBs using MSPs in 2026, your provider should be able to help you score this checklist and develop an improvement plan. If they cannot, consider whether they are the right partner for the AI era.

Does Preferred Data offer a more detailed assessment?

Yes. This self-assessment provides a general readiness picture. Our professional cybersecurity assessment includes vulnerability scanning, penetration testing elements, architecture review, and detailed remediation recommendations. Call (336) 886-3282 to schedule.
