How to Perform a Mini IT Assessment

And why you should do one in your organization today.

Byrom Jomaa
March 14, 2025

Do you feel overwhelmed any time you think about your organization's information technology? Are you nervous about the cybersecurity of your organization? Do you know how many computers your organization owns? Do you ever remember applying updates to your organization's router? If you answered yes to any of these questions, it might be time to assess your technology and your IT practices.

Below is a list of essentials to get you started.

  1. Inventory your devices
    1. Create a spreadsheet and list every computer you own and every networking device you have. You might be surprised how many devices you own, and you may find some that need replacing or can go entirely.
    2. Add the serial number of each computer to your spreadsheet.
    3. You can use the online warranty lookup websites for your computers’ manufacturers, using the serial numbers you collected, to identify when each computer was purchased. Computers that are more than 5 years old are likely slow enough that replacement would be prudent, unless they fulfill a very simple need. Sometimes, installing ChromeOS Flex on an old computer can make it into a useful device for just browsing the internet.
  2. For each computer, check if the storage drive is a hard drive or an SSD
    1. For a computer to not slow you down, Windows must be installed on an SSD. Open Task Manager on your computer and go to the “Performance” tab. You should see any storage drives in the computer listed as “Disk 1,” “Disk 2,” etc. The type will be listed as HDD for hard drives and SSD for solid state drives. If the disk listed as “C:” is an HDD and not an SSD, you should consider whether replacing the entire computer or upgrading just the storage drive is the best course of action. SSDs are fairly inexpensive, so if the rest of the computer has life left, it could be worth purchasing a new SSD.
  3. For each device, make sure that it is still receiving security updates and has the latest firmware and software updates installed. 
    1. If the manufacturer is not providing security updates, consider removing the device from use.
    2. Keep in mind that after October 2025, Windows 10 will not receive support or security updates. You should apply the upgrade to Windows 11 on any computer that is eligible and replace any that is not eligible. A good rule of thumb to decide if a computer is supported is to check the age of the processor (CPU). Intel processors that are 8th generation or newer and AMD Ryzen processors are usually supported by Windows 11.
  4. Evaluate the status of your antivirus protection.
    1. If you use third-party antivirus software, make sure it is up-to-date on all of your Windows computers and the software either has auto-updates turned on, or that you have a plan for updating the software on a frequent basis.
    2. Decide if you should pay for third-party antivirus software. The built-in Windows Defender/Windows Security (which auto-updates by default) is as good as or better than most third-party antivirus software. If you have many computers, you should consider a business-grade Endpoint Detection and Response (EDR) solution, which allows you to centrally manage the antivirus on all of your computers from one dashboard.
  5. Check your computer networking devices.
    1. If your router/firewall device is owned by your organization and not by the ISP, determine when it was last replaced and when it was last updated. If you cannot remember the last time anyone applied updates to it, you need to create a plan to do so on a regular basis. If you have a UniFi router/firewall (from Ubiquiti), make sure auto-updates are turned on. If your router/firewall device no longer receives updates, you need to replace it right away.
    2. Make sure all of your network switches and other networking equipment are off the floor and dust free. Electronic equipment lasts longer when it is taken care of.
  6. Decide if your internet speed, Wi-Fi, and ethernet connectivity are up to the standards you expect.
    1. Check what your internet service plan’s bandwidth is (you probably see it advertised as speed). For a tiny business, aim for at least 100 Mbps. For a small business that provides guest Wi-Fi, aim for at least 300 Mbps. For a business with tens of employees and tens of computers, it will depend heavily on the specifics of what your organization does. 1 Gbps (1000 Mbps) will be enough for the vast majority of small to medium organizations, and even more than necessary for many. Again, the specifics of your business’s internet usage can matter a lot. Uploading and/or downloading large files often or streaming lots of video can increase your bandwidth needs. 
    2. Note whether your Wi-Fi is smooth and reliable.
  7. Evaluate your password policies.
    1. Reused passwords are a significant security risk. If one account is compromised, the attacker will try the same credentials at many common services to see what else they can get into. If a service or website with weaker security leaks your password, or an account that is easier to break into gets attacked and compromised, those reused passwords will give the attacker access to more valuable accounts which normally would have stronger security.
    2. Consider implementing a password manager to allow you and your co-workers to create unique and long passwords for all of your accounts without having to remember all of them. Comprehensive Computing recommends Bitwarden, which can be used on an individual basis for free or set up in an organization to provide sharing capabilities for a small price. (Comprehensive Computing is a Bitwarden Partner.)
  8. Go through all of your accounts and turn on multifactor (two-factor) authentication (MFA or 2FA). 
    1. Make it a policy in your organization that everyone should turn on MFA whenever possible, and especially on accounts which give access to your most valuable assets, such as your Google Drive, Microsoft OneDrive or SharePoint, your email, etc.
  9. Consider your current backup system.
    1. Do you have software automatically making backups of your computers? Any servers you may have? Your Microsoft 365 or Google Workspace accounts? All of these assets you have should be backed up regularly. Backups are a significant part of your business continuity and disaster planning. 
    2. Microsoft 365 or Google Workspace, if you use one of these products, is likely where most of your business data exists, including everything from your emails to your important documents. While Microsoft and Google back up their storage of your data, they don’t offer a way to restore data that was deleted without your own backup system in place. If you delete something permanently, it is gone. If an unauthorized individual gains access to an account, that individual can, and likely will, delete anything that the user account was allowed to delete. 
    3. Also consider where your backups are stored. It is always best to have three total copies of your data—the primary copy, a backup on-site, and a second backup off-site.
  10. Run through your incident response (IR) plan.
    1. Do you have one? If not, consider writing one. It does not need to be extremely long and detailed, just effective at organizing your team to address a security incident, big or small.
    2. Make sure you rehearse your incident response plan at least once a year.
    3. If you want cyber insurance (you should seriously consider it), you will need an IR plan. Make sure that everything in your plan is achievable and followed exactly. Cyber insurance claims are much more difficult when your IR plan was not followed closely.
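
On Windows computers, much of the information for steps 1 through 4 can be collected with one script instead of by hand. The PowerShell below is an added example, not part of the original article: run on each computer, it appends one row to a CSV file with the serial number, processor, Windows version, system drive type and Windows Defender status. The output file name and the column names are assumptions chosen for illustration.

```powershell
# Added example: append one inventory row for this computer to a CSV file.
# Assumption: the CSV is written to the current user's Desktop.
$OutFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'it-inventory.csv'

$bios = Get-CimInstance -ClassName Win32_BIOS
$sys  = Get-CimInstance -ClassName Win32_ComputerSystem
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

# Step 2: find the physical disk that holds C: and read its type (SSD or HDD).
$diskType = 'Unknown'
try {
    $diskNumber = (Get-Partition -DriveLetter C -ErrorAction Stop).DiskNumber
    $disk = Get-PhysicalDisk -ErrorAction Stop |
        Where-Object { $_.DeviceId -eq [string]$diskNumber }
    if ($disk) { $diskType = [string]$disk.MediaType }
} catch {
    # RAID controllers and some virtual machines do not report a media type.
}

# Step 4: read Windows Defender status; this can fail when Defender is
# not installed or has been replaced by third-party antivirus software.
$defenderOn = 'Unknown'
$signatures = 'Unknown'
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $defenderOn = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
    $signatures = $mp.AntivirusSignatureLastUpdated.ToString('yyyy-MM-dd')
} catch { }

$row = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    Manufacturer       = $sys.Manufacturer
    Model              = $sys.Model
    SerialNumber       = $bios.SerialNumber   # use with the warranty lookup (step 1)
    CPU                = $cpu.Name.Trim()     # check against Windows 11 support (step 3)
    OS                 = $os.Caption
    OSVersion          = $os.Version
    StillOnWindows10   = $os.Caption -like '*Windows 10*'
    SystemDiskType     = $diskType
    DefenderActive     = $defenderOn
    DefenderSignatures = $signatures
    Collected          = Get-Date -Format 'yyyy-MM-dd'
}

$row | Export-Csv -Path $OutFile -Append -NoTypeInformation
$row
```

A value of `Unknown` in the Defender columns means the computer needs a manual check of its antivirus, and `Unknown` or `Unspecified` in the disk column means Task Manager should be checked as described in step 2.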

A full IT assessment can go even further, such as:

  • Determining where inefficiencies lie in your current use of technology and addressing them, such as long waiting times for a commonly used function on a computer, data that need to be manually entered in multiple systems, etc.
  • Considering your data governance practices, such as where your data is stored, whether your organization’s data is owned and controlled by the organization, whether some data is owned by individual user accounts when it should be in shared locations such as Shared Drives in Google Workspace or SharePoint sites in Microsoft 365, who has access to what, what ability those people have to exfiltrate data from your organization’s control, etc.
  • Evaluating the cybersecurity training of your team. It is a significant leg-up to have a security awareness training program for your employees if the program is engaging and gives useful and actionable info.
