
10 Security & Privacy Metrics to Keep Your SMB in the Black – Ep 502 

March 28, 2025

By Donna Grindle

Think your once-a-year vulnerability scan is enough? That’s adorable. Waiting to check your security metrics until something goes wrong is like only checking your smoke alarm after the house starts smelling like burnt toast. In this episode, we peel back the layers on the top 10 security and privacy metrics every business should be tracking—whether you’re the CEO, the IT person, or just someone who knows how to find the printer on the network. From patch management and MFA to phishing tests and forgotten routers older than your intern, we’ve got it all. Buckle up and get ready to verify like your digital life depends on it—because it kinda does.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


When you see a couple of numbers on the left side of the text below click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


10 Security & Privacy Metrics to Keep Your SMB in the Black

[04:50] This episode is for small and mid-sized businesses—if you’re running an SMB, these are the security & privacy numbers you need to be looking at just like you do your financials. 💡

“I don’t have time for 10 things!” No problem—start small! Just do the ones in the first section.

10 SMB Monthly Management Reports for PriSec

(Prioritized for Maximum Protection & Compliance)

🔥 Critical Protection First (Preventing Attacks & Breaches)

1️⃣ Patching & Vulnerability Management 🛠️ (Your first line of defense!)

  • Why? Hackers exploit unpatched systems daily.
  • How? Track patch % across OS, apps, and network devices.
  • Example Metric: 96% of systems patched, 2 critical vulnerabilities open.

2️⃣ Authentication & Access Security (MFA Adoption & Password Policies) 🔑

  • Why? 81% of breaches involve stolen or weak passwords.
  • How? Track MFA use on email, business apps, VPNs.
  • Example Metric: 92% of employees use MFA on email, but only 60% on business apps.
[17:08]

3️⃣ Device & End-of-Life (EOL) Risk Management

  • Why? Unpatched, outdated, or unprotected devices = security nightmares.
  • How? Track:
    ◦ Active devices & those nearing end-of-life (EOL) (Are any running outdated OS/software?)
    ◦ Patching status on endpoints (Are all devices patched regularly?)
    ◦ Endpoint protection coverage (Are all devices running EDR, XDR, or at least antimalware?)
  • Example Metric: 30 devices in use, 5 reaching EOL, 2 laptops missing EDR protection.

4️⃣ Security Awareness & Phishing Resilience 🎓

  • Why? Employees don’t get smarter once a year—security needs to be reinforced continuously.
  • How? Track:
    ◦ Required security & HIPAA training completion (for all employees)
    ◦ Ongoing phishing tests & click rates (How often? What’s the failure rate?)
    ◦ Regular awareness reinforcement (Fake phishing, security tips, newsletters, reminders)
  • Example Metric: 94% of staff completed security training; last phishing test: 10% click rate (Goal: below 5%).
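The four “Critical Protection First” metrics above are simple enough to compute from data IT already has. As an added example (not from the episode or its authors), this script builds that first-section report from a constructed inventory: device patch/EOL/EDR status, per-service MFA flags, and the last phishing test. The device and user records, the 365-day EOL horizon, and the report date are assumptions for illustration; only the 5% phishing goal comes from the show notes.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Device:
    name: str
    kind: str           # "endpoint" or "network" (EDR coverage is only expected on endpoints)
    patched: bool       # fully patched in this reporting cycle
    eol: date           # vendor end-of-support date for its OS/firmware
    edr: bool           # EDR/XDR/antimalware agent reporting in
    critical_open: int  # open critical findings from the last vulnerability scan

@dataclass
class User:
    name: str
    mfa: dict           # service -> MFA enforced? (a missing service counts as "no")

# Constructed sample data, not a real inventory.
DEVICES = [
    Device("FIN-LT01", "endpoint", True,  date(2027, 10, 14), True,  0),
    Device("FIN-LT02", "endpoint", True,  date(2025, 10, 14), False, 0),
    Device("RECEP-PC", "endpoint", False, date(2025, 6, 30),  True,  1),
    Device("SRV-01",   "endpoint", True,  date(2028, 1, 1),   True,  1),
    Device("EDGE-RTR", "network",  False, date(2018, 5, 1),   False, 0),
]
USERS = [
    User("alice", {"email": True,  "apps": True,  "vpn": True}),
    User("bob",   {"email": True,  "apps": False, "vpn": True}),
    User("carol", {"email": True,  "apps": False}),
    User("dave",  {"email": False, "apps": True,  "vpn": False}),
]
PHISH_TEST = {"sent": 40, "clicked": 4}   # constructed last-campaign result
REPORT_DATE = date(2025, 3, 28)

def pct(part, whole):
    return round(100 * part / whole) if whole else 0

def patching(devices):
    return {"patched_pct": pct(sum(d.patched for d in devices), len(devices)),
            "critical_open": sum(d.critical_open for d in devices)}

def mfa_adoption(users):
    services = sorted({s for u in users for s in u.mfa})
    return {s: pct(sum(u.mfa.get(s, False) for u in users), len(users)) for s in services}

def device_risk(devices, today, horizon_days=365):
    # Already past EOL, or reaching it within the horizon, both count as "nearing EOL".
    return {"in_use": len(devices),
            "eol_nearing": sorted(d.name for d in devices if (d.eol - today).days <= horizon_days),
            "missing_edr": sorted(d.name for d in devices if d.kind == "endpoint" and not d.edr)}

def phishing(result, goal_pct=5):
    rate = pct(result["clicked"], result["sent"])
    return {"click_rate_pct": rate, "meets_goal": rate < goal_pct}

def monthly_report(today=REPORT_DATE):
    return {"1_patching": patching(DEVICES), "2_mfa": mfa_adoption(USERS),
            "3_devices": device_risk(DEVICES, today), "4_phishing": phishing(PHISH_TEST)}

if __name__ == "__main__":
    for section, values in monthly_report().items():
        print(section, values)
```

Swap the constructed lists for exports from your RMM, identity provider and phishing platform, and the same functions produce the month-over-month numbers the episode describes.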

🔎 Monitoring & Risk Awareness (Spotting & Addressing Threats)

[28:14]

5️⃣ Reported Security & Privacy Incidents (Including Snooping!) 🚨

  • Why? If nobody is reporting issues, you have a bigger issue.
  • How? Track all incidents & outcomes.
  • Example Metric: 4 incidents this month; 1 was unauthorized snooping, 3 were accidental PHI disclosures.

6️⃣ Threats Blocked This Month 🛑

  • Why? Owners think, “We’re small, no one attacks us.” The stats say otherwise.
  • How? Pull reports from firewalls, email security, endpoint protection.
  • Example Metric: 3,500 phishing emails blocked, 50 malware attempts stopped.

7️⃣ Business Associate (Vendor) Security Reviews 📜

  • Why? If your vendors don’t have security, neither do you.
  • How? Track which vendors were reviewed, failed security checks, or have outdated BAAs.
  • Example Metric: 12 vendors reviewed, 2 failed security audits.

📋 Compliance & Resilience (Making Sure You Can Recover & Defend)

[33:35]

8️⃣ Incident Response, Disaster Recovery & Business Continuity Preparedness 🏥

  • Why? If the plan isn’t ready before an attack, you’re already losing.
  • How? Track:
    ◦ Last tabletop exercise / IR plan test
    ◦ Does the plan have real playbooks (Ransomware, phishing, insider threats, etc.)?
    ◦ Are roles & responsibilities rotated so more people know what to do?
  • Example Metric: IR plan last tested 6 months ago, no playbooks for ransomware or insider threats (Needs improvement).

9️⃣ Audit & Risk Assessment Status (Including Policies & Risk Plan Progress)

  • Why? Risk assessments aren’t just a checkbox—they should guide decisions, especially when things change.
  • How? Track:
    ◦ Last HIPAA security risk assessment (Is it up to date?)
    ◦ Open items from the risk management plan (Are projects progressing?)
    ◦ Policy & procedure reviews (Are they current?)
    ◦ Security Risk Assessments (SRAs) for major operational & environmental changes (Are new risks being evaluated when the business evolves?)
  • Example Metric: Last risk assessment: 9 months ago, 5 open security projects not progressing, 3 major operational changes with no SRA conducted.

🔟 Access & Activity Auditing (Are People Doing What They Should?) 👀

  • Why? “Trust but verify” is the only way to protect data.
  • How? Regularly review your policies and procedures. Make sure they are being followed AND that they are actually working effectively.
  • Example Metric: 2 policies updated, 12 procedures being audited.

There you have it. Break them down into sections to get started. Work with your IT team on how to produce these reports in some automated fashion, or at least with minimal effort. The first step, though, is to figure out where the data is and how you can get to it.

If you’re still thinking, “Eh, we’ve never had a breach, so we’re probably good,” consider this your friendly wake-up call. The best defense is a proactive offense—and no, crossing your fingers doesn’t count. From MFA to end-of-life alerts, and from phishing tests to tracking down that 15-year-old router, we’ve laid out the roadmap to keeping your business off the breach list. Now it’s your turn to drive (or at least ride shotgun while your IT team handles it). Security isn’t a one-and-done deal—it’s like brushing your teeth; skip it too long, and the decay sets in before you even smell it.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps; we need your help to keep spreading the word. As always, send in your questions and ideas!
