You've taken the Cyber Health Score quiz. Your results are on the screen. Now what?
This guide walks you through how to read your score, what the different sections mean, how to prioritize the findings, and what a sensible next step looks like based on where you land. Whether your score came back high or lower than you expected, this guide gives you something useful to do with it.
What the score actually measures
Your Cyber Health Score is a number out of 100. It reflects how well your practice's current security measures align with the controls and habits that matter most for your practice type and compliance environment.
It's not a perfect system. It's based on your answers to the quiz, not a technical inspection of your setup. Think of it as a well-informed starting point, not a final verdict. The score tells you where the likely gaps are so you know where to look more closely.
An important note: A high score doesn't mean you have no gaps. A low score doesn't mean you're about to be breached. The score reflects your posture on the day you took the quiz, based on the practices you described. It's a direction indicator, not an alarm system.
What your score range means
Strong foundation
Your practice has most of the fundamentals in place. Focus on the specific gaps flagged in your results and consider a formal assessment to validate what you're doing well.
Mixed posture
You have some good practices in place but meaningful gaps alongside them. The flagged items deserve attention, especially any marked as high priority in your results.
Significant gaps
Several important controls are missing or inconsistent. This doesn't mean a breach is imminent, but the gaps create real risk that's worth addressing on a planned timeline.
High exposure
Your practice has foundational gaps across multiple areas. A security assessment should be a near-term priority. Start with the highest-severity findings in your results.
Reading the findings section
Below your score, you'll see a list of findings. Each one represents an area where your answers suggested a gap. They're organized by category, and some are flagged with a severity level. Here's how to read that severity ranking.
| Severity | What it means | How to treat it |
|---|---|---|
| Critical | An immediate exposure that creates substantial risk. Often relates to access controls, account security, or unprotected client data. | Address this first, before anything else on the list. |
| High | A significant gap that increases your risk and could affect a compliance audit or insurance claim if not addressed. | Plan to address within 30 to 60 days. |
| Medium | A real gap, but one that's less immediately dangerous. Often relates to documentation, policies, or configuration details. | Put on a planned roadmap. Address within 90 days. |
| Low | A minor gap or a best practice you haven't yet adopted. Unlikely to cause direct problems but worth addressing over time. | Keep a running list and address when resources allow. |
If your results include multiple Critical or High findings, don't try to fix everything at once. Pick the top one or two and move on them. Progress on real priorities beats a half-finished list every time.
The areas the quiz covers
The Cyber Health Score evaluates your practice across six areas. Here's what each one means and why it matters.
Access and identity
Who has access to your systems, what level of access do they have, and how is that access protected? This covers passwords, two-factor authentication, shared logins, and whether access is reviewed when staff leave.
Data protection
Where does sensitive client data live, how is it stored, and who can reach it? This covers encryption, cloud storage configurations, and how data moves between systems and people.
Devices and endpoints
The computers, phones, and tablets your team uses to access practice systems. This covers whether devices are secured, updated, and managed — especially for remote work situations.
Policies and documentation
Whether your practice has written security policies and procedures. Auditors and insurers ask for these. A practice that does everything right but has nothing written down often can't prove it when it matters.
Incident preparedness
What would happen if something went wrong? This covers whether your practice has a plan for responding to a breach, a ransomware attack, or an accidental data disclosure.
Vendor and tool security
The third-party tools and services your practice uses, and whether they meet the security and compliance standards your practice requires. Especially relevant if you use AI tools, cloud platforms, or third-party scheduling and communication systems.
What to do next based on your score
One thing to keep in mind
Your score reflects a moment in time. Tools change. Staff changes. Compliance requirements change. A score that's solid today can develop gaps over the next 12 months without any single dramatic event. Revisiting the quiz periodically, and pairing it with a formal assessment every one to two years, keeps your baseline from drifting in ways you don't notice until an audit catches them.
The Cyber Health Score is a starting point, not a finish line. Use it as one.
Want a deeper look at your results?
The free quiz gives you a useful baseline. A full security assessment goes deeper and produces a Cyber Health Scorecard you can put in front of auditors and insurers.