Over the past ten years, I've seen hundreds of SMB IT environments. The same problems keep repeating — and most of them could be prevented with basics done right.

This is a checklist. 10 things that need to be solid. For each one, I'll explain why it matters and what to do if it's not in order.

If even one of these is off, your company's IT is vulnerable.

1. Backups — and restore testing

Backups exist. Great. But when was the last time you tested that you can actually restore something from them?

I've seen situations where backups had been running for years — but when they were needed, the data was corrupted or the restore didn't work. A backup that hasn't been tested isn't a backup. It's a wish.

If this is off: Test a restore this week. Make sure the copy is in a separate location (not the same server). Automate and schedule testing at least quarterly.
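An automated restore test of the kind this item asks for, written as an added example (not code from the original post): it packs a directory into a tar.gz, restores the archive into a scratch directory and compares every file's SHA-256 against the originals. The sample data and the deliberately truncated copy of the archive are constructed here; in practice you would point `make_backup` and `verify_restore` at a real source tree and a backup location on a different volume or host.

```python
import hashlib, os, tarfile, tempfile, zlib

def file_hashes(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hashes[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def make_backup(src_dir, archive_path):
    """Write src_dir into a gzip-compressed tar archive."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")

def verify_restore(archive_path, expected):
    """Restore into a fresh directory and compare hashes; returns (ok, problems)."""
    problems = []
    # The 'data' extraction filter exists on newer Pythons; fall back silently on older ones.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch, **extract_opts)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return False, [f"restore failed: {exc}"]   # a failed extraction is a failed test
        restored = file_hashes(scratch)
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    return not problems, problems

def demo_restore_test():
    """Constructed sample: back up a small tree, verify it, then verify a truncated copy."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data"); os.makedirs(os.path.join(src, "sub"))
        with open(os.path.join(src, "sub", "ledger.bin"), "wb") as fh:
            fh.write(os.urandom(20000))          # incompressible, so truncation really bites
        with open(os.path.join(src, "notes.txt"), "w") as fh:
            fh.write("quarterly restore test\n")
        expected = file_hashes(src)
        good = os.path.join(work, "backup.tar.gz"); make_backup(src, good)
        bad = os.path.join(work, "damaged.tar.gz")  # simulates silent media corruption
        with open(good, "rb") as fh, open(bad, "wb") as out:
            out.write(fh.read()[: os.path.getsize(good) // 2])
        return verify_restore(good, expected)[0], verify_restore(bad, expected)[0]
```

Schedule `verify_restore` from cron or a scheduled task against last night's archive and alert on a False result; that is the quarterly test made continuous.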

2. Multi-factor authentication (MFA)

If anyone in your company logs in with just a password to anything, this is the first thing to fix. Not tomorrow. Today.

A password alone isn't enough. It gets stolen in phishing, leaked in breaches, or guessed. MFA is the simplest and most effective single measure to improve your security — and it's practically free in every modern system.

If this is off: Enable MFA on all services that support it. M365, email, VPN, remote desktop, banking, accounting — everything. Start with admin accounts and management.

3. Endpoint protection

Windows Defender is a good start, but is it managed? Do you know if someone's protection is disabled? Do you get an alert if someone downloads malware?

Unmanaged antivirus is like a smoke detector without batteries. Intune + Defender for Business or an equivalent solution gives you visibility across your entire device fleet.

If this is off: Set up centralized management. M365 Business Premium includes Intune and Defender for Business. If you're not on Microsoft, CrowdSec or similar open-source solutions do the same job.

4. Updates — automatically and on time

An unpatched system is an open door. Every month without updates increases your attack surface.

This isn't just about Windows. Browsers, office applications, servers, network devices, printers — everything gets updated. And preferably automatically, so nobody "forgets."

If this is off: Configure automatic updates. Managed Windows updates via Intune or WSUS, forced browser auto-updates. Check firewall and network device firmware separately.

5. Access rights management

Who has access to what? Do former employees still have accounts? Does everyone have admin rights "because it's easier"?

I've found environments where an employee who left three years ago still had an active account — with access to everything. This is more common than you'd think.

If this is off: Review access rights. Remove unnecessary accounts. Revoke admin rights from those who don't need them. Make this a quarterly review.

6. Email protection (SPF, DKIM, DMARC)

Can someone send email on behalf of your company? If SPF, DKIM, and DMARC aren't configured, the answer is yes.

These three DNS records tell the recipient's email system whether a message is actually from you or a forgery. Without them, anyone can send mail from your @company.com address.

If this is off: Check your DNS records. SPF and DKIM are usually fine if you're on M365, but DMARC is surprisingly often missing. Set DMARC to at least p=none for monitoring and tighten later.
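A small offline checker for the SPF and DMARC records this item covers, added here as an example (not code from the original post). It flags the common weak states: no SPF, SPF ending in `+all` or `?all`, too many DNS lookups, no DMARC, `p=none` left in place, and no `rua=` reporting address. The record strings are constructed samples; for a real domain you would paste in the TXT values returned by a DNS lookup of the domain and of `_dmarc.<domain>`.

```python
import re

# One SPF term that costs a DNS lookup (receivers stop evaluating after 10).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|a(?:[:/]|$)|mx(?:[:/]|$))", re.I)

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """Return findings for the domain's SPF TXT record ('' if none exists)."""
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    terms = record.split()[1:]
    findings = []
    alls = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        findings.append("SPF has no 'all' term, so unlisted senders are not rejected")
    elif alls[-1].lower() in ("all", "+all"):
        findings.append("SPF ends in '+all', which authorises every sender on earth")
    elif alls[-1].startswith("?"):
        findings.append("SPF ends in '?all' (neutral), which gives no protection")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; receivers give up after 10")
    return findings

def check_dmarc(record):
    """Return findings for the _dmarc.<domain> TXT record ('' if none exists)."""
    if not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record, so receivers never learn what to do with forgeries"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC record lacks a valid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine/reject once reports look clean")
    if "rua" not in tags:
        findings.append("no rua= address, so you get no aggregate reports")
    return findings

# Constructed sample of the situation described above on an M365 tenant:
# SPF is fine, DMARC is missing entirely.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DMARC = ""  # nothing published at _dmarc.example.com
```

Running `check_dmarc(SAMPLE_DMARC)` on the sample returns the missing-record finding while `check_spf(SAMPLE_SPF)` returns nothing, which is exactly the gap the paragraph above warns about.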

7. Documentation — do you know what you have?

If the only person who knows how your IT works walks out the door, how quickly are you in trouble?

Documentation doesn't need to be a hundred-page opus. It's enough that the basics are written down: what services are in use, where they run, who has credentials, how backups work, who's responsible for what.

If this is off: Start with one page. List all IT services, their providers, responsible people, and critical contact info. Update at least once a year.

8. Firewalls and network segmentation

Is your office network one flat network where all devices can see each other? If an attacker gets into one machine, can they reach them all?

Network segmentation means different use cases (workstations, servers, IoT devices, guest network) are in separate networks. This limits the damage if something falls into the wrong hands.

If this is off: At minimum, separate your guest network and IoT devices from the work network. Make sure your firewall is updated and the default password is changed. Yes, this is still a problem in 2026.

9. Remote work security

COVID changed work permanently. But in many companies, remote work security still runs on 2020's emergency solutions.

What you need: a VPN or Zero Trust solution, managed devices, MFA (see item 2), and clear rules about what can and can't be done on personal devices. Remote work isn't a security threat — unmanaged remote work is.

If this is off: Ensure remote connections go through a managed channel. If personal devices are used, limit access and make sure company data doesn't stay on personal machines. Intune MAM (Mobile Application Management) does this without full device management.

10. Disaster recovery plan

If everything goes down tomorrow — ransomware, fire, cloud service outage — do you know what happens? How quickly are you back up and running?

A disaster recovery plan doesn't mean a 50-page document. It means you know: what's critical, where it is, how to restore it, who calls whom, and how long it takes. If you don't know these answers, you don't have a plan.

If this is off: Define your critical systems and their recovery time (RTO) and recovery point (RPO). Test a restore in practice. Write down crisis contacts. Don't assume your cloud provider handles everything — read the contract.

Summary

These aren't complicated things. They're fundamentals. But "fundamentals done right" is rarer than you'd think.

If you're reading this list and recognizing your own environment in several items, you're not alone. Most SMBs are in the same situation. The difference is who actually does something about it.

A checklist is a good start. But if you truly want to know the state of your IT, a professional health check will tell you more in an hour than self-assessment does in a week.