Why a self-audit is worth doing

A professional IT security audit from a managed service provider or security consultant typically costs $1,500–5,000 for a small business. That cost is justified for businesses in regulated industries or with complex IT environments.

For most small businesses, a self-guided audit using a structured checklist catches roughly 80% of the meaningful issues at no cost beyond a few hours of staff time. The issues most likely to result in a breach are also the most basic ones (a reused password, a former employee's account that was never disabled, a backup nobody has restored from), and they are visible without specialized tools.

Account security

  • All critical accounts (email, banking, accounting, admin tools) have unique passwords and are enrolled in multi-factor authentication (an authenticator app or hardware key rather than SMS where the service offers it)
  • A password manager is in use, and any credentials that must be shared are stored there rather than in email or a shared document
  • Former employees' accounts are fully disabled and removed from every system, not just email: check each business application, and revoke any API keys or shared logins they had access to
  • Admin accounts are separate from daily-use accounts where possible, and admin rights have been removed from accounts that do not need them
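The two account items that are easiest to get wrong in practice are the offboarding check and the MFA check, because both require looking at every system rather than just email. The script below is an added example, not part of the original checklist: it reads one user export per system (the CSV shape most SaaS admin consoles produce), reports former employees who are still active anywhere, and lists critical accounts that are not confirmed as MFA-enrolled. The system names, logins and CSV contents are constructed sample data; a real audit would replace them with the actual exports.

```python
"""Account reconciliation for the self-audit: cross-check per-system user
exports against the offboarding list, and flag critical accounts that are
not enrolled in MFA. Added example; every system name, CSV layout and
person below is constructed and not from a real business."""
import csv
import io

# Constructed sample exports, one CSV per system. The CRM export has no
# 'mfa' column at all, which is itself a finding: the audit cannot confirm
# enrolment there and must not assume it.
EXPORTS = {
    "email": """user,status,role,mfa
alice@example.com,active,admin,yes
bob@example.com,disabled,user,no
carol@example.com,active,user,no
dave@example.com,active,user,yes
""",
    "accounting": """user,status,role,mfa
alice@example.com,active,admin,no
bob@example.com,active,user,no
carol@example.com,active,admin,yes
""",
    "crm": """user,status,role
alice@example.com,active,admin
bob@example.com,active,user
""",
}

# Constructed: logins HR reports as offboarded.
FORMER_EMPLOYEES = {"bob@example.com"}

# Systems where every active account counts as critical; elsewhere only
# admin-role accounts do.
CRITICAL_SYSTEMS = {"email", "accounting"}


def parse_export(text):
    """Parse one CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def orphaned_accounts(exports, former):
    """Former employees who still hold an active account on any system.
    Returns {login: [system, ...]}; an empty dict means the item is checked."""
    found = {}
    for system, text in exports.items():
        for row in parse_export(text):
            if row["user"] in former and row["status"] == "active":
                found.setdefault(row["user"], []).append(system)
    return {user: sorted(systems) for user, systems in found.items()}


def accounts_missing_mfa(exports, critical_systems):
    """Critical accounts not confirmed as MFA-enrolled. Each finding is
    (system, login, reason); a missing 'mfa' column is reported rather
    than silently treated as enrolled."""
    findings = []
    for system, text in exports.items():
        for row in parse_export(text):
            if row["status"] != "active":
                continue
            if system not in critical_systems and row["role"] != "admin":
                continue
            mfa = row.get("mfa")  # None when the export has no such column
            if mfa is None:
                findings.append((system, row["user"], "export does not report MFA"))
            elif mfa.strip().lower() != "yes":
                findings.append((system, row["user"], "MFA not enrolled"))
    return sorted(findings)


def report(exports=EXPORTS, former=FORMER_EMPLOYEES, critical=CRITICAL_SYSTEMS):
    """Plain-text findings suitable for pasting into the audit notes."""
    lines = []
    for login, systems in sorted(orphaned_accounts(exports, former).items()):
        lines.append(f"OFFBOARDING: {login} still active in {', '.join(systems)}")
    for system, login, reason in accounts_missing_mfa(exports, critical):
        lines.append(f"MFA: {system}: {login}: {reason}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()) or "No findings")
```

With the sample data the offboarded user is still active in accounting and the CRM even though email was disabled, which is exactly the "not just email" failure the checklist warns about. Note that an export that cannot say whether MFA is on is reported as a finding rather than a pass; the audit should only tick the box on positive evidence.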

Device security

  • All business computers have automatic updates enabled for the operating system and major applications (browser, office suite, PDF reader)
  • All business computers have endpoint protection (antivirus/EDR) installed, running, and receiving engine and signature updates
  • All computers require a password to log in and lock automatically after 10–15 minutes of inactivity
  • Mobile devices with access to business email or data have device encryption enabled and a screen lock configured, and can be wiped remotely if lost

Network security

  • Wi-Fi uses WPA2 (AES) or WPA3 encryption with a strong passphrase that is not the one printed on the router, and WPS is disabled
  • A separate guest Wi-Fi network exists for visitors, isolated from the business network
  • Router and other network device admin passwords have been changed from defaults, and the admin interface is not reachable from the internet
  • Router firmware is current (the admin interface usually has an update option; a device the vendor no longer updates should be replaced)

Data and backup

  • Critical business data is backed up (at minimum: financial records, client data, operational documents), with at least one copy kept offline or off-site so that ransomware on the office network cannot reach it
  • Backups have been tested within the last 90 days by actually restoring files and comparing them with the originals
  • Cloud storage sharing settings have been reviewed: no sensitive folders are shared publicly or with "anyone with the link"
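"Tested by actually restoring files" is the item most often ticked without evidence. The script below is an added example, not part of the original checklist, of what that test should do: restore the backup into a scratch directory, compare every restored file's SHA-256 with the live copy, and check that the newest backup is inside the 90-day window. The "backup" here is a plain directory copy standing in for whatever backup tool the business uses (its own restore command goes where the copy is made), and the sample files are constructed. Run with a deliberately broken backup it reports a truncated file, a file that was never captured, and a backup that is too old.

```python
"""Restore test for the backup items: restore into a scratch directory,
hash-compare against live data, and check backup age against the 90-day
test window. Added example; the backup is a plain directory copy and the
sample files are constructed."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=90)  # the checklist's "tested within 90 days" window


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_hashes(root):
    """Map relative path (with '/' separators) -> SHA-256 for every file under root."""
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def backup_age(backup_dir, now=None):
    """Age of the backup, taken from its newest file's modification time."""
    now = now or datetime.now()
    newest = max(os.path.getmtime(os.path.join(d, n))
                 for d, _, names in os.walk(backup_dir) for n in names)
    return now - datetime.fromtimestamp(newest)


def restore_test(live_dir, backup_dir):
    """Restore into a fresh temp dir, diff against the live data, and report."""
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        # The restore step. With a real backup tool this is its restore
        # command pointed at the scratch path, never at the live directory.
        shutil.copytree(backup_dir, scratch, dirs_exist_ok=True)
        live, restored = tree_hashes(live_dir), tree_hashes(scratch)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    missing = sorted(set(live) - set(restored))
    corrupted = sorted(p for p in live if p in restored and live[p] != restored[p])
    age = backup_age(backup_dir)
    return {
        "missing": missing,
        "corrupted": corrupted,
        "age_days": age.days,
        "ok": not missing and not corrupted and age <= MAX_AGE,
    }


def make_fixture(root, broken):
    """Constructed live data plus a backup of it. With broken=True the backup
    has one truncated file, one file never captured, and is 120 days old."""
    live, backup = os.path.join(root, "live"), os.path.join(root, "backup")
    files = {
        "finance/ledger.csv": b"date,amount\n2024-01-05,120.00\n",
        "clients/list.csv": b"name,email\nAcme,ops@acme.example\n",
        "ops/runbook.txt": b"1. call the bank\n",
    }
    for rel, data in files.items():
        path = os.path.join(live, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    shutil.copytree(live, backup)
    if broken:
        with open(os.path.join(backup, "clients", "list.csv"), "wb") as f:
            f.write(b"name,email\n")  # silently truncated copy
        os.remove(os.path.join(backup, "ops", "runbook.txt"))  # never captured
        old = (datetime.now() - timedelta(days=120)).timestamp()
        for d, _, names in os.walk(backup):
            for n in names:
                os.utime(os.path.join(d, n), (old, old))
    return live, backup


def run_demo(broken=True):
    """Build the fixture in a temp dir, run the restore test, clean up."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    try:
        return restore_test(*make_fixture(root, broken))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for broken in (False, True):
        print("broken backup:" if broken else "good backup:", run_demo(broken))
```

The comparison is by content hash rather than by file name or size, because the failure this test exists to catch is a backup that looks complete but contains truncated or stale files. Restoring into a scratch directory rather than over the live data is deliberate: a restore test must never be able to damage the thing it is testing.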

Phishing awareness

  • Employees know what phishing looks like (unexpected attachments, urgent payment or password requests, sender addresses that almost match a real one) and have been reminded in the last 6 months
  • There is a process for employees to report suspicious emails (a specific person or mailbox to forward them to), and reports are acknowledged so people keep sending them

Any unchecked item is a specific, actionable improvement to make.