Free IT Readiness Assessment
Is Your Business
Actually Protected?
Most IT checklists tell you what you already know. This one surfaces the gaps your team might be overlooking — the ones that cause real downtime, data loss, and liability. Check off what you have, see where you stand.
Filter by your company size to see only what applies to you.
Identity & Access Management
MFA enforced on every account — including shared & service accounts
Compromised credentials cause 80% of breaches. "Most accounts" isn't good enough.
Critical
Offboarding process revokes all access within 24 hours of employee departure
Former employees retain access for an average of 2.5 months at companies without automation.
Critical
Principle of least privilege applied — no blanket admin rights for standard users
Admin rights on every machine dramatically expands your attack surface if one account is compromised.
High
Privileged Access Workstations (PAW) or separate admin accounts used by IT staff
IT admins browsing the web with domain admin credentials is a textbook attacker entry point.
High
Company-wide password manager deployed with audited vault health scores
Reused passwords across SaaS tools create cascading breach risk — one compromised site unlocks everything.
High
Endpoint Security & Patch Management
Every device managed under an MDM or RMM platform — including personal (BYOD) devices
Unmanaged personal devices accessing company data is an uncontrolled variable you can't audit or secure.
Critical
Critical patches deployed within 72 hours, with a documented exception approval process
Most ransomware exploits vulnerabilities that already have patches available — they just haven't been deployed.
Critical
EDR (Endpoint Detection & Response) deployed — not just traditional antivirus
Legacy AV misses modern fileless attacks and "living-off-the-land" techniques that look like normal system activity.
High
Full disk encryption enabled on all laptops and mobile devices
A lost or stolen laptop without encryption is a reportable data breach — and potentially a compliance violation.
High
Hardware asset inventory maintained — you know every device that touches your network
You can't protect what you don't know exists. Shadow IT and forgotten devices are persistent blind spots.
Medium
Backup & Business Continuity
3-2-1 backup rule implemented and restoration has been physically tested — not just configured
Backups that have never been tested have a much higher failure rate than most IT teams assume. Confidence without testing is a liability.
Critical
Backups are stored air-gapped or immutable — ransomware cannot reach or encrypt them
Ransomware operators now target backup systems first. Network-attached backups are not a safety net — they're part of the target.
Critical
RTO and RPO defined, documented, and reviewed against current backup configuration
Without defined Recovery Time and Recovery Point Objectives, you won't know if your backup strategy is adequate until disaster strikes.
High
Tabletop disaster recovery exercise conducted within the past 12 months
A plan that only exists on paper routinely fails in the worst possible moment. Muscle memory is built through practice, not documentation.
Medium
SaaS data (Microsoft 365, Google Workspace, Salesforce, etc.) backed up separately
SaaS providers do not guarantee data recovery from accidental deletion or ransomware. That's your responsibility, not theirs.
High
Network Security & Segmentation
Guest, IoT, and employee networks isolated on separate VLANs
A compromised smart TV, printer, or HVAC controller should never be able to reach your file server. Flat networks are flat risks.
High
DNS filtering active — malicious domains blocked before any traffic initiates
DNS-layer filtering stops phishing sites and command-and-control callbacks that bypass traditional perimeter firewalls entirely.
High
Remote access uses zero-trust or MFA-protected VPN — no exposed RDP ports
Exposed RDP is the #1 initial access vector in ransomware incidents globally. If port 3389 is open, you are a target.
Critical
Firewall rules reviewed and cleaned up within the last 6 months
Firewall rules accumulate over time. Rules nobody remembers creating quietly open gaps that nobody is actively monitoring.
Medium
Network traffic monitored with SIEM or NDR — anomalies generate actionable alerts
The average dwell time before ransomware detonation is 9 days. Traffic monitoring is how you catch it in the quiet period.
High
Compliance, Policy & Risk
Written Acceptable Use Policy (AUP) in place and signed by all employees
Without a signed AUP, enforcing security policies is legally ambiguous — especially for disciplinary action or termination.
Medium
Cyber liability insurance reviewed against actual exposure in the last 12 months
Most SMBs are significantly underinsured. Policies exclude incidents caused by known unpatched vulnerabilities — and insurers are actively looking for reasons to deny claims.
High
Third-party vendor risk assessments completed for all critical SaaS and service providers
Your security posture is only as strong as your weakest vendor's. Supply chain attacks are now a primary threat vector.
High
Data classification policy exists — employees know what's confidential, internal, or public
You can't protect what you haven't defined. Most data leaks aren't malicious — they're employees who didn't know the data was sensitive.
Medium
Annual IT risk assessment conducted with findings tracked to resolution
Awareness without action is just documentation. Risk assessments only have value when findings have owners and deadlines.
Medium
Human Layer & Security Awareness
Phishing simulations run at least quarterly, with mandatory remediation training for failures
Annual security training produces almost no measurable behavior change. Frequency and feedback loops are what actually reduce click rates.
High
Documented incident response plan — with named roles, escalation order, and contact list
The first 30 minutes of a breach determine the outcome. "We'll figure it out when it happens" is not an incident response plan.
Critical
Finance team trained specifically on wire fraud, BEC, and invoice manipulation
Business Email Compromise targeting finance teams costs US companies $2.9B annually. It's the highest-ROI attack in the threat actor playbook.
Critical
AI-generated spear phishing awareness included in training — employees can't rely on old red flags
AI tools now produce hyper-personalized, grammatically perfect phishing emails. "Check for spelling errors" is obsolete advice in 2025.
High
Clear, no-judgment reporting channel for suspicious activity — employees aren't afraid to speak up
Employees who clicked something suspicious often stay silent out of embarrassment. That delay is where small incidents become catastrophic ones.
High
get expert eye on your gaps
See exactly what to fix first.
Not sure where to start? Our team offers a free 30-minute IT Risk Briefing — we'll prioritize your specific gaps based on your industry, size, and risk profile. No pitch. Just
Maximize your business
Tech shouldn’t slow you down. We build systems that just work — secure, smart, and ready to scale. No excuses, no fluff. Let’s fix your tech and get results.
ADDRESS:
3155-B Sedona Court Ontario CA 91764
Company
Our Services
Industries
Insights & Updates from Intelesys
Copyright 2026. Intelesys. All rights reserved.
