Reading time: 8 minutes · Last updated: 15 May 2026
Most SMB owners don’t have a sense of whether their IT is healthy or quietly broken. They have a sense that “it’s working” — until the day it isn’t. A proper SMB IT health check gives you a clear picture of where you actually stand, in 12 plain-English questions you can answer in about 15 minutes.
This is the pillar post for our content series — every other article in the series ladders up to one of these questions. If you’re going to read just one, read this one. Score yourself honestly, then dig into the linked posts where you came up short.
How to use this
For each question, answer Yes / Partial / No. Yes = 2 points, Partial = 1, No = 0. The scoring guide is at the bottom.
Section 1 — Cybersecurity foundations
Q1. Is multi-factor authentication enforced on every account that supports it?
Email, file storage, accounting, CRM, banking, remote access (VPN, remote desktop, remote-support tools) and every admin console. Not just “available” — enforced by policy, so nobody can skip enrolment. Microsoft reports that MFA blocks well over 99% of automated password attacks, but the type matters: SMS codes and plain push prompts can be phished or worn down by repeated prompts, so use an authenticator app with number matching, and phishing-resistant methods (FIDO2 security keys or passkeys) for admins and finance staff. Check it the way an attacker would: sign in to each service with a test account and confirm MFA is actually demanded. If you’re missing this, fix it this week.
Deep dive: 5 SMB Cybersecurity Red Flags
Q2. Do you have endpoint detection and response (EDR) on every endpoint, monitored 24/7?
Antivirus alone is no longer enough: it matches known malware signatures, while most current intrusions use stolen credentials, built-in admin tools and freshly built malware that signatures miss. EDR records process, file and network behaviour on each device, flags suspicious chains (an Office document spawning PowerShell, a new service installing itself) and lets a responder isolate the machine remotely. A managed SOC reviews those alerts around the clock, because an alert nobody reads at 3 a.m. on a Saturday is the same as no alert. “Every endpoint” includes servers and rarely-in-the-office laptops: reconcile the EDR console’s device count against your asset list.
Deep dive: Anatomy of an SMB Cyberattack
Q3. Has your team had phishing simulation training in the last 90 days?
Once-a-year videos don’t change behaviour. Frequent, simulated, blame-free training does. Track two numbers: the click rate (how many people fall for the simulation) and the report rate (how many forward it to IT before anyone clicks). A falling click rate is good; a rising report rate is what actually shortens the time to contain a real phish.
Deep dive: Phishing in 2026
Section 2 — Backup and recovery
Q4. Do you follow the 3-2-1-1-0 backup rule, including an immutable copy?
Three copies of your data, on two different media, one copy off-site, one copy immutable (stored so that nobody, including a compromised admin account, can alter or delete it during its retention period: object lock or a WORM appliance), and zero errors on automated backup verification. The immutable copy is what stops a ransomware crew from deleting your backups before they encrypt production. Anything less is a hope, not a backup.
Deep dive: The 3-2-1-1-0 Backup Rule
Q5. Have you successfully test-restored from a backup in the last 90 days?
A backup that has never been restored is an assumption, not a backup; commonly cited industry figures put first-restore failures at roughly one in five. The only way to know yours work is to test them: restore a representative sample (a file share, a mailbox, a whole server) to an isolated host, verify the data matches what was backed up, and time the restore against your recovery target.
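The restore drill above, as an added example for this article (not code from the original page or from any backup product): it takes a backup of a small constructed sample share, records a SHA-256 manifest at backup time, restores the archive into a scratch directory, checks every file against the manifest and times the restore. Every path, file name and byte of data is constructed; the optional corrupt_archive flag flips one byte in the backup file to show what a never-tested backup can hide.

```python
"""
Restore drill: back up constructed sample data with a SHA-256 manifest,
restore into a scratch directory, verify every file and time the restore.
Added example for this article, not code from the original page; all
paths, file names and sample data below are constructed.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed sample "production" data standing in for a real file share.
SAMPLE_FILES = {
    "accounts/invoices-2026-04.csv": b"id,customer,amount\n1,Acme,1200.00\n",
    "hr/handbook.txt": b"Version 7. All staff must enable MFA.\n",
    "crm/leads.json": b'[{"name": "Jane", "status": "open"}]\n',
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write source as a tar.gz and a manifest file beside it; return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(archive: Path, restore_dir: Path) -> dict:
    """
    Restore the archive into restore_dir and compare each restored file with
    the manifest recorded at backup time. 'errors' must be empty for the
    trailing 0 in 3-2-1-1-0 to mean anything; 'seconds' is what you compare
    against your RTO.
    """
    manifest = json.loads(archive.with_suffix(".manifest.json").read_text())
    errors = []
    started = time.perf_counter()
    try:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the 'data' extraction filter (blocks path traversal, device
            # nodes and absolute links) where this Python version provides it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **kwargs)
    except Exception as exc:  # corrupt gzip stream, bad tar header, truncation ...
        errors.append(f"restore failed: {type(exc).__name__}: {exc}")
    restored_root = restore_dir / "data"
    restored = build_manifest(restored_root) if restored_root.exists() else {}
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            errors.append(f"missing after restore: {rel}")
        elif actual != expected:
            errors.append(f"hash mismatch: {rel}")
    return {"files_expected": len(manifest), "files_restored": len(restored),
            "seconds": round(time.perf_counter() - started, 3), "errors": errors}


def run_drill(corrupt_archive: bool = False) -> dict:
    """
    Full drill in a temporary directory. With corrupt_archive=True one byte in
    the middle of the backup file is flipped to simulate silent media damage,
    the failure a never-tested backup hides until the day you need it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, archive, restore_dir = tmp / "share", tmp / "share.tar.gz", tmp / "restore"
        for rel, content in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(content)
        create_backup(source, archive)
        if corrupt_archive:
            raw = bytearray(archive.read_bytes())
            raw[len(raw) // 2] ^= 0xFF  # hypothetical bit rot in the backup copy
            archive.write_bytes(raw)
        return restore_and_verify(archive, restore_dir)


if __name__ == "__main__":
    for label, report in (("clean", run_drill()), ("corrupt", run_drill(corrupt_archive=True))):
        print(f"{label}: {'PASS' if not report['errors'] else 'FAIL'} {report}")
```

The point of the manifest is that “the job completed” and “the data came back intact” are two different facts; a real drill swaps the constructed share for a restore of a production server into an isolated network and keeps the timing figure next to the RTO in the DR plan.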
Q6. Do you have a written disaster recovery plan with defined RTO/RPO targets?
Not in someone’s head. Not in a binder from 2022. A current, tested, written plan that staff can follow at 2 a.m., with two numbers agreed in advance: RTO (how long you can afford to be down) and RPO (how much data, measured in hours, you can afford to lose). Your backup schedule must run at least as often as your RPO, and your last test restore must have finished inside your RTO; otherwise the targets are wishes, not a plan.
Deep dive: SMB Disaster Recovery Plan
Section 3 — Operations and cost
Q7. Do you know your IT downtime cost per hour?
If you can’t put a number on it, you can’t make sensible decisions about what to invest in. A rough but honest figure is enough: lost revenue per hour, plus the hourly cost of staff who cannot work, plus recovery costs and any contractual penalties. Most SMBs are surprised by how high their honest number is.
Deep dive: Cost of IT Downtime
Q8. Are you on managed IT (flat fee, proactive) rather than break/fix (hourly, reactive)?
For most SMBs above 10 staff, the math says managed wins. If you’re still on break/fix, run the comparison.
Deep dive: Break/Fix vs. Managed IT
Q9. Do you have a vCIO or strategic IT advisor — someone who is not just fixing tickets?
Hands-on technical work is necessary but not sufficient. Someone needs to own the 12-month roadmap and budget.
Deep dive: What Is a Virtual CIO?
Section 4 — Communications and customer experience
Q10. Is your business email on hosted Exchange / Microsoft 365 Business / Google Workspace, with anti-impersonation protection?
Free email and consumer email accounts have no place in serious business. Your email is your identity and your contracts. “Anti-impersonation protection” means two things: your own domain publishes SPF, DKIM and a DMARC policy of quarantine or reject, so receiving mail servers discard mail forged in your name; and your mail filter flags look-alike senders (your CEO’s display name on an outside address, a domain one letter off from yours) before they reach a finance inbox.
Deep dive: Hosted Exchange vs. Free Email
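A quick way to grade the first half of that check, as an added example for this article (not code from the original page or from any email provider): it parses a domain’s SPF and DMARC TXT records and lists the weak settings beside what an enforced configuration looks like. The records below are constructed for example.com; in practice you would read the TXT record at the domain apex and at _dmarc.<domain> from DNS. DKIM is published per selector and is not checked here.

```python
"""
Grade SPF and DMARC records for impersonation resistance.
Added example for this article, not the page's or any vendor's code.
The records below are constructed; real ones come from DNS TXT lookups.
"""
import re

# Constructed records: a typical weak setup and an enforced one for example.com.
WEAK_SPF = "v=spf1 include:_spf.example-mail.net ip4:203.0.113.10 +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.example-mail.net ip4:203.0.113.10 -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s")

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def parse_spf(txt: str) -> dict:
    """Return the SPF mechanisms and the qualifier on 'all' (+, -, ~, ? or None)."""
    if not txt.lower().startswith("v=spf1"):
        return {"valid": False, "mechanisms": [], "all": None}
    mechanisms, all_q = [], None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            all_q = m.group(1) or "+"  # an unqualified 'all' means '+all'
        else:
            mechanisms.append(term)
    return {"valid": True, "mechanisms": mechanisms, "all": all_q}


def parse_dmarc(txt: str) -> dict:
    """Return DMARC tags (v, p, sp, pct, rua, adkim, aspf ...) as a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_email_auth(spf_txt: str, dmarc_txt: str) -> dict:
    """List weak settings; 'enforced' is True only when forged mail would be rejected or quarantined."""
    findings = []
    spf = parse_spf(spf_txt or "")
    if not spf["valid"]:
        findings.append("No SPF record: receivers cannot tell your servers from anyone else's.")
    else:
        if spf["all"] == "+":
            findings.append("SPF ends in +all: every host on the internet is authorised to send as you.")
        elif spf["all"] == "?":
            findings.append("SPF ends in ?all (neutral): unknown senders are neither passed nor failed.")
        elif spf["all"] is None:
            findings.append("SPF has no 'all' term: unknown senders default to neutral.")
        lookups = sum(1 for m in spf["mechanisms"] if LOOKUP_TERM.match(m))
        if lookups > 10:
            findings.append(f"SPF needs {lookups} DNS lookups; over 10 receivers return permerror.")
    dmarc = parse_dmarc(dmarc_txt or "")
    policy = dmarc.get("p", "").lower()
    if dmarc.get("v") != "DMARC1":
        findings.append("No DMARC record: SPF/DKIM results are never enforced against the From: header.")
    else:
        if policy == "none":
            findings.append("DMARC p=none only monitors; forged mail is still delivered.")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC policy (p=) missing or invalid.")
        pct = int(dmarc.get("pct", "100"))
        if pct < 100 and policy in ("quarantine", "reject"):
            findings.append(f"DMARC pct={pct}: the policy applies to only {pct}% of failing mail.")
        if "rua" not in dmarc:
            findings.append("No rua= address: you get no aggregate reports, so you cannot see who forges you.")
        if policy in ("quarantine", "reject") and dmarc.get("sp", policy).lower() == "none":
            findings.append("sp=none: subdomains are unprotected even though the apex is enforced.")
    enforced = (spf["valid"] and spf["all"] in ("-", "~")
                and policy in ("quarantine", "reject")
                and int(dmarc.get("pct", "100")) == 100)
    return {"enforced": enforced, "findings": findings}


if __name__ == "__main__":
    for label, spf_txt, dmarc_txt in (("weak", WEAK_SPF, WEAK_DMARC),
                                      ("strong", STRONG_SPF, STRONG_DMARC)):
        report = grade_email_auth(spf_txt, dmarc_txt)
        print(label, "enforced" if report["enforced"] else "NOT enforced")
        for finding in report["findings"]:
            print("  -", finding)
```

A domain that publishes SPF but no DMARC policy is the common SMB state: the SPF record exists, yet nothing tells the receiving server what to do with a message that fails it, so spoofed invoices from your CEO’s name still land.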
Q11. Are inbound calls captured 24/7 — no missed leads, no overflowing voicemail?
Whether by AI receptionist, a live answering service, or smart routing, the question is whether you’re losing leads to voicemail.
Deep dive: AI Receptionist 101 and VoIP for Small Business
Q12. Is your website fast, secure, mobile-friendly, and capturing leads after hours?
Your website is your front door. Audit it like one: HTTPS with a valid certificate on every page, a CMS and plugins that are actually patched, admin logins behind MFA, and a contact form that delivers to someone who will answer it after hours.
Deep dive: SMB Website Audit Checklist
Bonus question — Compliance
Q13 (only if applicable): Are you formally compliant with the regulations that apply to your industry?
HIPAA for health data, PCI DSS for card payments, GLBA for financial information. Q13 sits outside the 24-point score below. If you’re in scope and don’t have a current compliance programme, that’s the highest-priority gap on this entire list, whatever you scored elsewhere.
Deep dive: SMB Compliance Guide
Scoring
| Score | What it means |
|---|---|
| 21–24 | You’re in the top tier. Maintain cadence — annual rehearsal, quarterly review. |
| 15–20 | Solid foundation, real gaps. Pick the two lowest-scoring questions and fix this quarter. |
| 8–14 | You’re more exposed than you think. Most SMBs that get hit hard live in this range. |
| 0–7 | You’re operating on luck. Treat this as urgent — the next incident, not the last one, is the question. |
The honest takeaway
No SMB scores 24/24 the first time we run this. Most score 12–16. The point is not to be perfect — it’s to know where you stand and to put the next 60 days against the gaps that matter most. Cybersecurity, backup, and an incident response plan should be the first dominoes. Strategy, communications, and customer experience compound after that.
If you make it through this list and feel uncertain about three or more answers, that’s not a failure — that’s a useful signal. Most owners are in exactly the same place.
How SohoWizz runs an IT health check
Our standard health-check engagement: a 60-minute scoping call, two days of discovery (interviews, documentation, configuration review, light vulnerability scan), and a one-page executive summary plus a prioritised remediation plan you can take to the next leadership meeting. Most SMBs leave with three to five 90-day actions and a clear sense of whether managed IT, vCIO, or focused projects are the right next step.
Read the deep-dives
- 5 Cybersecurity Red Flags
- What Is a Virtual CIO?
- AI Receptionist 101
- Phishing in 2026
- Disaster Recovery Plan
- Compliance Guide
- 3-2-1-1-0 Backup Rule
- Cost of IT Downtime
- 5 AI Receptionist Wins
- Hosted Exchange vs Free Email
- Break/Fix vs Managed IT
- SMB Website Audit
- Anatomy of an SMB Cyberattack
- VoIP for Small Business
Free SMB IT Health Check
A no-pitch, one-page assessment from a SohoWizz vCIO. Tell us your size and stack — we’ll send back the score and the next-90-days plan.