This blog post will provide a complete information technology assessment checklist designed to provide industry best practices to small businesses.
To get the best results from the checklist, create a plan of action to rectify any issues over a certain period. Once the period has elapsed, complete another checklist and keep a history of any progression.
You may want to highlight and prioritize anything security-related for business continuity reasons.
Brought to you by Nerds On Site. We specialize in delivering onsite & managed IT services for small-and-medium enterprises (SMEs). Onsite services are available in every major city in Canada & the US, along with some smaller markets, and we currently secure over 2 million devices.
Small Business Information Technology Assessment Checklist
- Is the equipment in a locked cabinet or behind a locked door?
- Is the room where the networking equipment is hosted labeled?
- What kind of networking equipment do you have (routers, switches, other devices)?
- Do you use consumer-grade or business-grade equipment?
- Who has access to network devices? Are the login details printed on the router? Were they changed?
- How many devices are currently connected to your WiFi?
- Do you know all devices that are currently connected?
- How many networks are available through your equipment, including the guest network?
- Are employee personal phones/guests/unknown devices on the same network as your business computers?
- Inspect network equipment & all data jacks in the building. Are there any devices connected that you do not recognize?
Equipment should not be accessible to employees or the general public. Ideally, equipment should be locked in a cabinet or behind a locked door.
The room that hosts networking equipment should not be labeled, so that it is harder for intruders to identify.
Consumer-grade equipment should never be used in a business environment. If your internet service provider supplies your equipment and you have no other network devices, you should consider implementing a business-grade device. Consumer-grade devices are more widely deployed and therefore more likely to be targeted and exploited for vulnerabilities.
Administrator access to your network in the wrong hands is one of the worst cyber mistakes your business could make. Ensure no credential stickers are visible, the default passwords have been changed, and the new passwords are not written down or stored where someone could access them.
Any device connected to a network can reach data on the other devices connected to it. Ransomware commonly spreads by infecting the other PCs it can see on the same network as the originally compromised device.
We highly recommend having separate networks for General Business, Critical Business (Sensitive Data, Banking, Financial, Human Resources), IoT devices (Printers & Smart Devices) & Guest/Personal phones.
Strict controls should be enforced to ensure the correct networks are used for the correct devices and checked regularly for unknown devices.
Unknown devices should be removed immediately as they can allow complete control over the host network, reporting sensitive information back to cybercriminals.
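One way to perform the "unknown device" check described above, as an added example that is not part of the original post: diff the ARP table of a workstation (the output of `arp -a`, in either the Linux or Windows format) against a device inventory, and flag both devices that are not in the inventory and inventoried devices sitting on the wrong network segment. The inventory, subnet layout and ARP lines below are constructed sample data.

```python
import ipaddress
import re

# Constructed inventory (hypothetical MACs): MAC -> (owner, network it belongs on).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("Front desk PC", "business"),
    "aa:bb:cc:00:00:02": ("Office printer", "iot"),
    "aa:bb:cc:00:00:03": ("Owner laptop", "business"),
}

# Assumed subnet per segment, mirroring the segmentation recommended above.
NETWORKS = {
    "business": ipaddress.ip_network("10.0.10.0/24"),
    "iot": ipaddress.ip_network("10.0.20.0/24"),
    "guest": ipaddress.ip_network("10.0.30.0/24"),
}

# Constructed `arp -a` output (first lines Linux style, last line Windows style).
ARP_OUTPUT = """\
? (10.0.10.11) at aa:bb:cc:00:00:01 [ether] on eth0
? (10.0.20.5) at aa:bb:cc:00:00:02 [ether] on eth0
? (10.0.10.77) at de:ad:be:ef:12:34 [ether] on eth0
  10.0.30.8             aa-bb-cc-00-00-03     dynamic
"""

# IPv4 address followed by a MAC in either aa:bb:... or aa-bb-... notation.
ARP_LINE = re.compile(
    r"(?P<ip>\d+(?:\.\d+){3}).*?(?P<mac>[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})", re.I)

def network_of(ip):
    """Map an address to the segment it lives on, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((label for label, net in NETWORKS.items() if addr in net), "unknown")

def audit_arp(arp_text, inventory=INVENTORY):
    """Return (unknown, misplaced): devices absent from the inventory, and
    inventoried devices seen on a segment other than the one assigned to them."""
    unknown, misplaced = [], []
    for line in arp_text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # interface headers and other non-entry lines
        ip, mac = m.group("ip"), m.group("mac").lower().replace("-", ":")
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue  # broadcast / multicast entries are not devices
        if mac not in inventory:
            unknown.append((ip, mac))
            continue
        owner, expected = inventory[mac]
        actual = network_of(ip)
        if actual != expected:
            misplaced.append((owner, mac, expected, actual))
    return unknown, misplaced
```

Run `audit_arp(ARP_OUTPUT)` on a regular schedule and treat every entry in the `unknown` list as a device to locate and remove, and every entry in `misplaced` as a segmentation control that has slipped.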
Some business solutions, like the ones provided by Nerds On Site, can provide complete network protection against phishing, ransomware & unknown devices on the internal network through AI-driven Zero Trust technology.
2) Devices (Inventory)
- How many IoT devices does your business have? (Printers, Smart devices like cameras, thermostats, etc.)
- How many business desktop computers do you have?
- How many business laptops do you have?
- Which operating systems do the computers use?
- How many mobile devices does your business have?
- Are accurate records kept of who has what devices?
- Are the records up to date, and are all devices accounted for?
Regardless of the size of your business, you should inventory your devices at least every six months. This ensures accurate record-keeping, allows for discussions about upgrades, and highlights any technology-related tax write-offs if required.
If you use multiple operating systems, it may be worth consolidating to one. This will reduce technology-related costs in the long run.
3) Devices (Security)
- Do mobile devices (cell phones/laptops) have a technology sticker in case they are lost or stolen?
- Do desktop & laptop computers have screen locking enforced?
- How long is the screen locking time out?
- Do staff have ‘local admin’?
- Are the computers ‘hardened’?
- Do you have a list of allowed software for computers?
- Are security patches regularly installed?
While not critical, it’s good practice to have ‘technology stickers’ with a bar code and your business name/address on all devices. If a device is lost and the sticker has not been removed, it will be easier for the authorities to contact you if it is recovered.
Screen locking should be enforced for every small business system and set to one minute. While trusting co-workers is a sign of a healthy working environment, without an enforced locking policy a short trip to the bathroom gives anyone with physical access to the computer direct access to its data.
There is no reason for a business device to:
- Run personal programs
- Install new software at will
Suppose users have local admin and fall prey to a phishing campaign that downloads malicious software. That software will then be able to execute on that computer and go on to infect the network and any other machines on it where users also have local admin.
We recommend having a professional harden critical machines. Hardening restricts Windows features and weaknesses that cybercriminals commonly abuse (PowerShell, for example).
To further enforce the culture around correct business use of business devices, we recommend having a list of approved programs that can be installed.
System updates should never be delayed for extended periods. Updates often include security fixes that close vulnerabilities in the operating system. Not actively managing updates could be a critical mistake for your business.
When you partner with a managed security service provider like Nerds On Site, we can handle all of your updates, lock down all of your computers and enforce business use on your systems.
- Do you have password policies in place?
- Does your team keep copies of passwords visible to other staff members or accessible on their computer or desk?
- Does your team use the same passwords for both personal and business use?
- Do you use multi-factor authentication (MFA) on critical business systems, banking & email?
Passwords should be 12 characters long and contain a unique mixture of letters, numbers, and symbols. Such passwords are practically infeasible to crack with modern password cracking techniques.
Of course, the above policy is void if the user is re-using passwords or keeps them where staff or customers can access them. We recommend investing in a business password manager like LastPass and enforcing strong, unique passwords for every user. LastPass also allows for secure password sharing.
If you don’t use MFA, you need to start now; it is no longer a recommendation, it’s a requirement for your small business. MFA here means an authenticator app on a mobile device, not text-based or email-based verification.
5) Critical Data
- Are your critical computer systems encrypted?
- Do you use data backup?
- Do you use onsite servers or cloud services?
- How many backups do you have?
- Are your backups encrypted?
- Are your backups regularly tested?
Encryption is essential and relatively inexpensive. Windows users can purchase a ‘Windows Pro’ subscription that includes ‘BitLocker,’ a Windows-based encryption program that automatically keeps your entire drive safe in the event of loss, or of a break-in and subsequent theft.
When training for the Security+ certification, IT professionals are taught that businesses require three separate backup systems or redundancies.
- Hot (Onsite)
- Warm (Cloud Storage)
- Cold (Off-site, not connected to the internet)
This style of backup failover is the most reliable if you care about your business data: even if two backups fail, you will still have a third that is not connected to the internet to get your business back up and running.
The most important part of backup management is testing. Your business needs a regular testing schedule to ensure that you can recover backups if you need to do disaster recovery.
Nerds On Site technology solutions can take care of all of this with our small business Managed IT Services.
6) Security, Monitoring & Support
- Do you have a disaster recovery plan?
- Does your team have security awareness training (SAT)?
- Do you use business-grade anti-virus?
- Is your network secured with a traditional firewall solution?
- Is your network secured with advanced Zero Trust networking?
- Are devices actively monitored for suspicious activity?
- Do you check the dark web for business credentials?
- Is your business email secured with DMARC, DKIM, and SPF?
- Does your business have 24/7/365 phone & remote IT support?
A disaster recovery plan will potentially save you tens of thousands of dollars. Seconds matter, so knowing exactly what to do during a system failure or a ransomware event will pay dividends. You should also record any security breaches to ensure the attacker’s point of entry was closed and network remediation has taken place.
At the very least, the small business owner should take a SAT course to learn the common attack vectors that cybercriminals use.
Business-grade anti-virus (also known as endpoint protection) is a substantial upgrade over a typical consumer solution for data protection. If you are using a cheap or free anti-virus solution, it is also worth asking: are you their customer, or are you the product?
Zero Trust networking provides unparalleled data protection against phishing & ransomware and is a considerable upgrade over traditional firewall solutions. Nerds On Site offers solutions from $349 per month per office.
Endpoint protection from companies like Webroot often includes active device & dark web credential monitoring.
DMARC, DKIM & SPF prevent cybercriminals from spoofing your email address. Without these policies correctly implemented, it is possible for someone to send email that appears to come from your address without your knowledge. If you’re unsure whether these policies are enforced, contact an IT professional.
If you do not have an in-house IT team, having on-demand IT support will save you thousands of dollars in lost productivity in the long run. Nerds On Site offers 24/7/365 phone & remote IT support from United States-based call centers to small businesses. The services include a dedicated phone line for your business, and with per-user pricing, it’s very affordable.
Do you need a professional IT Assessment?
Nerds On Site offers on-site IT services to small business owners across North America. With services available in all major cities in both Canada & the United States, contact us today and let us create a technology checklist and show you how we can help achieve your business goals.
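A quick way to answer "are these policies actually enforced?" for a domain, as an added example that is not part of the original post: evaluate the domain's SPF, DMARC and DKIM TXT records and report settings that merely monitor rather than reject forged mail. The records below are constructed for a hypothetical domain; in practice you would fetch them with a DNS TXT lookup (for example `nslookup -type=txt _dmarc.yourdomain.com`), and the selector name is whatever your mail provider publishes.

```python
import re

# Constructed DNS TXT records for a hypothetical domain, not real lookups.
RECORDS = {
    "example.com": "v=spf1 include:_spf.example.net ip4:203.0.113.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
}

def check_spf(record):
    """Flag SPF records that do not actually reject unauthorized senders."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no record, so receivers cannot tell forged mail from yours"]
    terms = record.split()
    all_term = next((t for t in terms if t.endswith("all")), None)
    findings = []
    if all_term is None or all_term in ("all", "+all", "?all"):
        findings.append("SPF: no restrictive 'all' mechanism; forged mail passes")
    elif all_term == "~all":
        findings.append("SPF: '~all' is only a softfail; use '-all' to reject")
    # RFC 7208 allows at most 10 DNS-querying mechanisms; more means permerror.
    lookups = [t for t in terms if re.match(r"(include:|redirect=|exists:|a\b|mx\b)", t)]
    if len(lookups) > 10:
        findings.append("SPF: more than 10 DNS lookups; receivers will permerror")
    return findings

def check_dmarc(record):
    """Flag DMARC records that only monitor instead of enforcing."""
    if not record or not record.upper().startswith("V=DMARC1"):
        return ["DMARC: no record, so SPF/DKIM failures are not acted on"]
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("DMARC: p=none only reports; move to quarantine or reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings

def check_dkim(record):
    """DKIM needs a published public key under the selector; an empty p= revokes it."""
    if not record or "p=" not in record or re.search(r"\bp=\s*(;|$)", record):
        return ["DKIM: selector has no public key; messages cannot be verified"]
    return []

def assess_domain(domain, selector, records):
    """Return all findings for a domain; an empty list means the policies enforce."""
    return (check_spf(records.get(domain))
            + check_dmarc(records.get(f"_dmarc.{domain}"))
            + check_dkim(records.get(f"{selector}._domainkey.{domain}")))
```

For the constructed records, `assess_domain("example.com", "selector1", RECORDS)` reports the SPF softfail and the DMARC `p=none` policy, which together mean forged mail from this domain would still be delivered.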