What a Proper IT Assessment Actually Tells You (And Why Most Small Businesses Are Flying Blind)
Most small businesses in Greater Vancouver make technology decisions reactively. A server slows to a crawl and gets replaced. A piece of software stops meeting the team's needs and something new gets purchased. A vendor calls with a compelling pitch and a subscription gets added. The network has never been looked at systematically, but it mostly works, so it mostly gets ignored.
This approach is not irrational given the demands on a small business owner's time. Technology is rarely the most urgent thing on the list. But the cumulative cost of making unexamined technology decisions - in redundant subscriptions, in security gaps that go unaddressed, in hardware that fails at the worst possible moment, in staff time absorbed by systems that should have been replaced two years ago - adds up to something real.
An IT assessment is, at its most basic, the process of actually looking at what you have before making decisions about what to change. It is surprisingly uncommon in small businesses, and the gap between what most owners assume about their technology environment and what is actually true tends to be significant.
This post covers what a proper assessment covers, what it tends to find, and how to use that information practically.
Why "It's Working Fine" Is Not the Same as "It's Fine"
There is a category of technology problem that is not visible until it fails catastrophically. Hardware that is aging toward the end of its reliable lifespan shows no symptoms until the drive fails and takes unrecoverable data with it. A backup system that stopped working three months ago gives no indication until a recovery is attempted and the backup turns out to be unusable. A router running four-year-old firmware with documented vulnerabilities shows no obvious signs of compromise until it is actively exploited.
"It's working fine" is a statement about current observable behavior. It is not a statement about risk, about trajectory, or about what will be true in six months.
The IT environments that produce the worst outcomes for small businesses are almost never the ones that looked obviously broken. They are the ones that appeared to be working fine right up until they were not, and where the underlying conditions that caused the failure had been present for a long time without anyone seeing them.
An assessment creates visibility into those conditions before they become incidents.
What a Proper Assessment Covers
A useful IT assessment for a small business is not a checkbox exercise or a prelude to a hardware sale. It is a structured examination of the technology environment across several dimensions, aimed at producing an honest picture of current state and a prioritized view of what warrants attention.
Hardware inventory and lifecycle status
The starting point is knowing what physical technology the business actually owns and operates. This sounds straightforward, but many small businesses have surprising gaps in their own inventory - devices that were purchased years ago and quietly repurposed, hardware that is still in production but no longer receiving security updates from the manufacturer, equipment where nobody is sure who owns it or what it is doing.
Beyond inventory, lifecycle status matters. Most hardware has a realistic service life beyond which performance degrades and failure risk increases significantly. For desktops and laptops, this is typically four to six years for reliable operation. For servers, similar. For network equipment, longer in some cases but with the asterisk that security update support has often ended long before hardware physically fails.
Equipment that is within twelve to eighteen months of end-of-reliable-life should be in a replacement plan, not waiting for failure. Unplanned failures produce emergency purchases at poor prices and, in the case of storage devices, potentially data loss. Planned replacements happen on a schedule, at negotiated prices, with proper data migration and zero unplanned downtime.
Network architecture and security posture
This is the area where assessments most consistently turn up findings that surprise business owners.
A network audit examines the physical and logical topology: what devices are connected, how they are segmented (or not), what the traffic patterns look like, how devices are accessing each other, and what the external exposure profile of the network looks like.
Common findings include:
- Flat networks with no segmentation between POS systems, office computers, and guest WiFi
- Default or weak credentials on routers, switches, and access points
- Firmware that has not been updated in years, sometimes on devices with documented vulnerabilities
- Unknown devices on the network that were connected at some point and never removed
- Remote access configurations (VPN, RDP, remote desktop tools) that are misconfigured or unnecessarily exposed
- WiFi networks using outdated security protocols (WEP, or WPA without the current recommended settings)
None of these findings require sophisticated detection. They are visible with a proper scan and configuration review. The reason they persist is that nobody has looked.
Cloud services and licensing
Cloud services accumulate. A subscription gets started for a specific purpose, the purpose changes, and the subscription continues. A staff member sets up a tool, leaves the company, and the account keeps billing. Different people in the business independently signed up for tools that do the same thing.
A cloud service audit catalogs what is being paid for, who is using it, and whether it is serving a need that could be met by a tool the business already has. For businesses using Microsoft 365, this often surfaces significant overlap between included M365 capabilities and separately subscribed tools covering the same function.
The savings from cleaning up redundant subscriptions are sometimes substantial, but that is not the primary value of this exercise. The more important output is clarity: a complete picture of what data lives where, what access exists, and what the actual technology spend is across all cloud services.
Data backup and recovery capability
This is the question that small business owners most commonly find uncomfortable to answer honestly: if your primary systems failed completely right now, what would you lose, and how long would it take to be operational again?
There are three things to distinguish here that are commonly confused.
Sync is not backup. Files in OneDrive or Google Drive are synchronized copies. If a ransomware attack encrypts files on a device, the encrypted versions can sync to the cloud, overwriting the clean copies. If a staff member accidentally deletes a folder, the deletion syncs. Cloud sync provides convenient access across devices; it is not a recovery mechanism for data loss events.
Backup is not recovery. Having backup files is different from being able to recover from them. A backup that has never been tested and has been running for two years without anyone verifying its integrity may not produce a usable recovery. The only way to know a backup works is to test the restoration process.
RTO and RPO are the right questions. Recovery Time Objective is how long a full recovery would take. Recovery Point Objective is how much data would be lost (measured in time - if backup runs every 24 hours, the maximum data loss is up to 24 hours of work). Most small businesses have not thought about these questions explicitly, and the answers, when worked through, are often more concerning than the owners expected.
A proper assessment documents the backup architecture, identifies what is and is not protected, verifies that backup processes are actually running (rather than silently failing), and estimates realistic RTO and RPO under current conditions. The output is an honest assessment of recovery capability, not an optimistic assumption.
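One way to run the check described above over a backup job history, as an added example that is not part of the original post. The job records, the zero-byte "success" case, the 24-hour RPO target and the 180-day restore-test age are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed job history: (start time, reported status, bytes written).
JOBS = [
    ("2025-03-01T01:00", "success", 48_200_000_000),
    ("2025-03-02T01:00", "success", 48_350_000_000),
    ("2025-03-03T01:00", "failed", 0),
    ("2025-03-04T01:00", "success", 0),   # reports success but wrote nothing
    ("2025-03-05T01:00", "failed", 0),
    ("2025-03-06T01:00", "failed", 0),
]

def assess_backups(jobs, now, rpo_target, last_restore_test,
                   max_test_age=timedelta(days=180)):
    """Return (effective RPO right now, list of findings)."""
    parsed = [(datetime.fromisoformat(ts), status, size)
              for ts, status, size in jobs]
    # A backup only counts if it reported success AND wrote data.
    usable = sorted(ts for ts, status, size in parsed
                    if status == "success" and size > 0)
    findings = []
    if any(status == "success" and size == 0 for _, status, size in parsed):
        findings.append("job reported success but wrote no data")
    if not usable:
        findings.append("no usable backup exists")
        return None, findings
    # Work that would be lost if primary systems failed at `now`.
    effective_rpo = now - usable[-1]
    if effective_rpo > rpo_target:
        findings.append(
            f"effective RPO {effective_rpo} exceeds target {rpo_target}")
    # Backup is not recovery: an untested backup is an unknown.
    if last_restore_test is None:
        findings.append("restore has never been tested")
    elif now - last_restore_test > max_test_age:
        findings.append("last restore test is older than the allowed age")
    return effective_rpo, findings

if __name__ == "__main__":
    rpo, findings = assess_backups(
        JOBS, now=datetime(2025, 3, 6, 9, 0),
        rpo_target=timedelta(hours=24), last_restore_test=None)
    print("Effective RPO:", rpo)
    for finding in findings:
        print(" -", finding)
```

The nightly schedule implies a 24-hour RPO on paper, but the last usable backup in this sample is more than four days old, which is the gap between the assumed and the actual recovery point.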
Software and licensing compliance
Small businesses frequently accumulate software licensing complexity. Licenses that were purchased per-user or per-device and have not been reconciled against current staff headcount. Applications that are no longer used but are still licensed. Software that more people are using than the current license covers.
Over-licensing is a cost management issue. Under-licensing is a legal compliance issue. A software audit identifies both and produces a clear picture of the licensing obligations the business actually carries.
This is also the right moment to identify software that is end-of-life or no longer receiving security updates. Windows 10 reached end of support in October 2025, meaning systems still running it are no longer receiving security patches from Microsoft. This is a concrete risk factor that many businesses have not yet addressed.
Security configuration and user access
Beyond network architecture, a security review at the user and application level looks at how access is managed: who has access to what, whether that access reflects current roles (including whether former employees' accounts have been properly deprovisioned), whether multi-factor authentication is enabled across business accounts, and whether password practices meet a reasonable security baseline.
User access management is an area where even security-conscious businesses frequently have gaps. A staff member who changed roles two years ago may still have access to systems relevant to their previous role but not their current one. A former employee's Microsoft 365 account may technically be deprovisioned but their access to a third-party application connected to that account may still be active.
These are findings that produce remediation actions rather than major projects. Cleaning up access configurations is a matter of careful review and targeted changes. But the review has to actually happen.
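The access review described above, sketched as an added example that is not part of the original post. The staff roster, role-to-system mapping, account exports and all names in them are constructed assumptions; in practice each list would come from an HR record and each system's user export.

```python
# Constructed staff roster: email -> (employment status, current role).
ROSTER = {
    "ana@example.com": ("active", "office-manager"),
    "ben@example.com": ("active", "sales"),
    "cleo@example.com": ("terminated", "bookkeeper"),
}

# Assumed mapping of which systems each role needs.
ROLE_SYSTEMS = {
    "office-manager": {"m365", "crm", "accounting"},
    "sales": {"m365", "crm"},
    "bookkeeper": {"m365", "accounting"},
}

# Constructed account exports: (system, email, enabled, mfa_enabled).
ACCOUNTS = [
    ("m365", "ana@example.com", True, True),
    ("m365", "ben@example.com", True, False),
    ("accounting", "ben@example.com", True, True),   # left over from an old role
    ("m365", "cleo@example.com", False, True),       # deprovisioned in M365...
    ("crm", "cleo@example.com", True, False),        # ...but still live in the CRM
    ("accounting", "old-bookkeeper@example.com", True, False),
]

def review_access(roster, role_systems, accounts):
    """Return sorted (system, email, issue) findings for enabled accounts."""
    findings = []
    for system, email, enabled, mfa in accounts:
        if not enabled:
            continue  # disabled accounts grant no access
        record = roster.get(email.lower())
        if record is None:
            findings.append((system, email, "no matching staff record"))
            continue
        status, role = record
        if status != "active":
            findings.append((system, email, "former employee still has access"))
            continue
        if system not in role_systems.get(role, set()):
            findings.append((system, email, "access not needed for current role"))
        if not mfa:
            findings.append((system, email, "MFA not enabled"))
    return sorted(findings)

if __name__ == "__main__":
    for system, email, issue in review_access(ROSTER, ROLE_SYSTEMS, ACCOUNTS):
        print(f"{system:<11} {email:<28} {issue}")
```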
What Assessments Typically Find in Greater Vancouver Small Businesses
Without naming specific clients, the patterns that show up most consistently:
Storage and file management confusion. Many businesses have files distributed across multiple locations - network drives, personal OneDrive accounts, SharePoint sites set up informally, and local drives on specific computers. Nobody has a complete map of where everything is. Backup coverage reflects this confusion: some things are backed up, some are not, and the boundary between them is unclear.
Hardware that has been in service too long. In particular, computers that are running acceptably from the user's perspective but are running on aging storage hardware that is statistically overdue for failure. The performance degradation has been gradual enough that it feels normal. The risk of sudden failure is higher than it appears.
Cloud costs that have grown beyond what was intended. The combination of Microsoft 365 at scale, cloud backup subscriptions, SaaS applications across the team, and cloud storage that has grown over years can add up to a monthly figure that surprises owners when it is presented as a total. The individual line items each felt small when they were added.
No incident response plan. Almost universally, small businesses have not explicitly defined what they do when something goes wrong. The absence of a plan means that the first hour of a security incident or system failure is spent figuring out the process under stress rather than executing a known playbook.
Security basics that are still missing. Multi-factor authentication not enabled on all accounts. Passwords that have not been changed in years and are shared between systems. Remote access configurations that are more permissive than they need to be.
How to Use Assessment Findings
The point of an assessment is not a report. It is decisions.
A good assessment produces a prioritized list of findings organized by impact and effort. Some things warrant immediate action regardless of cost - security vulnerabilities with active exploitation potential, backup gaps that mean recent data loss is unrecoverable. Some things are medium-term investments - hardware replacement planning, SharePoint restructuring, licensing consolidation. Some things are nice-to-have improvements that can wait until budget and timing allow.
The priority ordering is important because the instinct after an assessment can be to address everything at once, which is neither financially realistic nor operationally sound. Phased remediation that addresses the highest-impact items first, then works through medium-priority items over quarters, produces better outcomes than an attempt to fix everything simultaneously.
The other value of the prioritized findings is that they provide a basis for conversations with whoever controls the technology budget. "We should do something about IT" is a weak argument for spending money. "Our backup system has not been tested in 18 months and our hardware refresh cycle is three years overdue on three critical machines, and here is what that exposure looks like" is a concrete one.
The Assessment as a Starting Point for Planning
One of the most underused applications of an IT assessment is as a planning input. Technology decisions made in the context of a clear picture of the current environment are consistently better than ones made ad-hoc.
A business planning to grow from eight to twenty staff members in the next two years has different technology needs than one maintaining a stable headcount. An assessment that documents the current environment's capacity limits, the scalability of existing systems, and the likely friction points at different growth stages lets that planning happen with actual information rather than guesses.
Similarly, a business planning a physical move, a lease renewal, or an office consolidation can use an assessment to understand what infrastructure changes the move requires, what can be carried over, and what should be updated rather than relocated.
Technology planning that is integrated with business planning rather than treated as a separate operational concern produces environments that support what the business is actually trying to do rather than constraining it.
What an Assessment Is Not
A few clarifications worth making explicit.
An assessment is not a sales pitch. A legitimate assessment produces honest findings regardless of whether those findings result in paid work. The goal is an accurate picture of the environment, which sometimes reveals that things are in reasonable shape and the business has more pressing priorities than technology investment.
An assessment is not a compliance certification. An IT assessment tells you what is in your environment and what the risk profile looks like. It is not a SOC 2 audit, a PCI DSS assessment, or a formal security certification. For businesses with specific compliance obligations, those are separate processes.
An assessment is not a one-time exercise. Technology environments change - new software gets added, staff changes create access management needs, hardware ages, vendors discontinue products. The value of an assessment has a shelf life. For most small businesses, revisiting the picture annually is appropriate; major events like office moves, significant staff changes, or new regulatory requirements warrant ad-hoc reviews outside the normal cycle.
Making the Decision to Actually Do One
The businesses I work with that have delayed getting an assessment done typically describe a version of the same feeling afterward: the main thing is that they wish they had known earlier. Not because every finding required expensive remediation, but because having a clear picture of their environment meant they stopped making decisions in the dark.
The investment in an assessment is bounded. The cost of the problems an assessment surfaces and prevents is not. For a business running without this visibility, the question is less "should we do this" and more "what information would we need to have to make better decisions about technology for the next two years."
The assessment is how you get that information.