<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Audit on IT Made Simple</title><link>https://itmadesimple.co.nz/tags/audit/</link><description>Recent content in Audit on IT Made Simple</description><generator>Hugo -- gohugo.io</generator><language>en</language><managingEditor>Thaddeus</managingEditor><webMaster>Thaddeus</webMaster><lastBuildDate>Thu, 11 Jun 2026 08:00:00 +1200</lastBuildDate><atom:link href="https://itmadesimple.co.nz/tags/audit/index.xml" rel="self" type="application/rss+xml"/><item><title>The Security Audit Every Small Business Should Do</title><link>https://itmadesimple.co.nz/posts/security-audit-small-business/</link><pubDate>Thu, 11 Jun 2026 08:00:00 +1200</pubDate><author>Thaddeus</author><guid>https://itmadesimple.co.nz/posts/security-audit-small-business/</guid><description>Most small businesses have no idea how vulnerable they are. Here&amp;#39;s a practical security audit you can do yourself — no tools, no budget, just a checklist.</description><content:encoded><![CDATA[<p>I&rsquo;m going to ask you some questions. They&rsquo;re not comfortable. But answer them honestly, because criminals already know the answers — they&rsquo;re just waiting for you to keep ignoring them.</p>
<p>When was the last time you checked who still has access to your business email?</p>
<p>Do you know if your ex-employee&rsquo;s laptop still has your files on it?</p>
<p>Could someone walk into your office right now and plug a laptop into your network?</p>
<p>If you hesitated on any of those, this post is for you.</p>
<h3 id="why-security-audits-get-ignored">Why Security Audits Get Ignored</h3>
<p>Let&rsquo;s be honest — nobody wakes up excited to do a security audit. It&rsquo;s not fun. It doesn&rsquo;t directly make money. And for a small business owner already wearing every hat, it&rsquo;s the thing that gets pushed to next month every single month.</p>
<p>The problem is that &ldquo;never&rdquo; is how breaches happen. Not dramatic Hollywood hacking. Just someone reusing a password they leaked in a data breach three years ago, clicking a link in an email disguised as a voicemail notification, or walking away from a computer that doesn&rsquo;t lock.</p>
<p>Small businesses are the perfect target. You&rsquo;ve got valuable data — customer details, bank access, supplier accounts — but you probably don&rsquo;t have the security guardrails that a larger company has. Hackers know this.</p>
<h3 id="the-audit--what-to-check-right-now">The Audit — What to Check Right Now</h3>
<p>Do all of these. Today, not tomorrow.</p>
<h4 id="1-who-has-access-to-what">1. Who Has Access to What?</h4>
<p>This is the big one.</p>
<ul>
<li><strong>List every system your business uses.</strong> Email, accounting software, bank accounts, social media, file storage, your website, Point of Sale system — everything.</li>
<li><strong>For each system, list who has a login.</strong> Not just current employees. Former employees too.</li>
<li><strong>Remove anyone who shouldn&rsquo;t have access.</strong> If &ldquo;Jake from three years ago&rdquo; still has admin access to your accounting software, that&rsquo;s a problem.</li>
</ul>
<p>Don&rsquo;t forget:</p>
<ul>
<li>Shared Wi-Fi passwords (especially in hospitality/retail)</li>
<li>Master accounts (the generic &ldquo;admin&rdquo; or &ldquo;office&rdquo; login everyone uses)</li>
<li>Third-party access (your accountant, your web developer, your MSP)</li>
</ul>
<p>If you don&rsquo;t have a list, that&rsquo;s problem one. Make the list. Fix it as you go.</p>
<h4 id="2-passwords--get-serious">2. Passwords — Get Serious</h4>
<p>I know. Everyone hates this topic. But it&rsquo;s still the number one way businesses get compromised.</p>
<ul>
<li><strong>Are you reusing passwords?</strong> If your QuickBooks password is the same as your email password, and your email gets breached, the attacker now owns your finances.</li>
<li><strong>Are you sharing passwords?</strong> Shared Gmail inboxes, shared logins to the bank — these are common in small business. They&rsquo;re also a nightmare when something goes wrong and you can&rsquo;t tell who did what.</li>
<li><strong>Get a password manager.</strong> Bitwarden is free for a single user and has a cheap team plan. 1Password is another option. Either is better than the spreadsheet on Karen&rsquo;s desktop called &ldquo;logins.xlsx&rdquo;.</li>
<li><strong>Prefer authenticator apps over SMS codes for MFA</strong> &ndash; SMS can be intercepted via SIM swapping. An authenticator app (like Microsoft Authenticator or Google Authenticator) is stronger protection.</li>
</ul>
<p>The goal: every person has their own login. Every system has a unique password. Nobody&rsquo;s writing passwords on a Post-it note stuck to their monitor. (You know who you are.)</p>
<h4 id="3-multi-factor-authentication--turn-it-on">3. Multi-Factor Authentication — Turn It On</h4>
<p>If you only do one thing from this entire post, make it this.</p>
<p>Turn on multi-factor authentication (MFA) on:</p>
<ul>
<li>Email (M365, Gmail — whichever you use)</li>
<li>Online banking</li>
<li>Accounting software</li>
<li>Cloud storage (OneDrive, Google Drive, Dropbox)</li>
<li>Social media accounts</li>
<li>Anything with customer data</li>
</ul>
<p>MFA means even if someone gets your password, they still can&rsquo;t log in without approving it on your phone. It blocks the vast majority of automated attacks.</p>
<p>Microsoft 365 makes this relatively straightforward — we covered MFA setup in a <a href="https://itmadesimple.co.nz/posts/what-is-microsoft-entra/">previous post</a>. Email me if you need help.</p>
<h4 id="4-backups--test-them">4. Backups — Test Them</h4>
<p>We covered backups in <a href="https://itmadesimple.co.nz/posts/321-backup-rule-explained/">a previous post</a>, so I won&rsquo;t rehash the whole thing. But the audit question is simple: <strong>When did you last test a restore?</strong></p>
<p>If the answer is &ldquo;never&rdquo; or &ldquo;I don&rsquo;t remember,&rdquo; your backups might not actually work. Backups that you haven&rsquo;t tested are just hope with extra steps.</p>
<p>Pick a file from three months ago. Restore it. Confirm it works. Do the same thing next month. Build it into your routine.</p>
<p>Make sure at least one backup is offline or protected from deletion &ndash; ransomware that gets into your network can also wipe cloud backups.</p>
<h4 id="5-devices--whats-connected">5. Devices — What&rsquo;s Connected?</h4>
<p>Walk around your office. Count every device that connects to your network — computers, printers, phones, tablets, that random Raspberry Pi someone installed for a project two years ago.</p>
<p>Ask yourself:</p>
<ul>
<li>Are they all running current software? (Windows Updates, macOS updates, firmware on the router)</li>
<li>Do they all have passwords/PINs?</li>
<li>Do they lock automatically after a few minutes of inactivity?</li>
<li>Are they encrypted? (BitLocker on Windows, FileVault on Mac)</li>
<li>Is security software active on all devices? (Microsoft Defender is free and built into Windows)</li>
</ul>
<p>That old Windows 10 machine in the back office that &ldquo;still works fine&rdquo;? It&rsquo;s a liability. If it&rsquo;s running an unsupported operating system, it has known vulnerabilities that will never be patched. Replace it or isolate it from the network.</p>
<h4 id="6-physical-security--the-forgotten-layer">6. Physical Security — The Forgotten Layer</h4>
<p>You can have the best passwords in the world, but if someone can walk into your server room, none of it matters.</p>
<ul>
<li>Is your server cupboard locked?</li>
<li>Do you have a guest Wi-Fi network separate from your business machines?</li>
<li>What happens when a stranger walks in and says &ldquo;I&rsquo;m here to fix the printer&rdquo;? (Social engineering is real — verify, don&rsquo;t just trust)</li>
</ul>
<p>This sounds paranoid until the day it isn&rsquo;t.</p>
<h3 id="how-to-make-it-a-habit">How to Make It a Habit</h3>
<p>Don&rsquo;t try to fix everything in one day. Prioritise:</p>
<ol>
<li><strong>This week:</strong> Access audit and MFA everywhere. These are the highest-impact fixes.</li>
<li><strong>This month:</strong> Passwords sorted, backups tested, device inventory done.</li>
<li><strong>Ongoing:</strong> Quarterly review. Every three months, run through the checklist again. New employees, new devices, new software — things change.</li>
</ol>
<p>The goal isn&rsquo;t perfection. It&rsquo;s raising the bar high enough that automated attacks move on to an easier target.</p>
<h3 id="the-bottom-line">The Bottom Line</h3>
<p>You don&rsquo;t need a $50,000 security consultant or enterprise-grade tools. You need to spend a few hours going through a checklist and fixing the obvious stuff. Most small business breaches come from the same handful of basic failures — old passwords, no MFA, ex-employees who still have access, unpatched machines.</p>
<p>Fix the basics. You&rsquo;ll be ahead of 80% of small businesses overnight.</p>
<hr>
<p><em>Want a printable security audit checklist you can work through with timestamps and sign-off fields? I&rsquo;ve put together a full template on Patreon — covering every point above with checkboxes, priority ratings, and quarterly review trackers. <a href="https://www.patreon.com/c/ITMadeSimple">Grab it here</a>.</em></p>
]]></content:encoded></item></channel></rss>