Small business IT basics: what you need (and what you don’t)

Most small businesses do not need fancy tech. They need people to sign in and get work done. They need customer and company data kept safe. They need a way to get help quickly when something breaks.

A lot of IT advice is written for big orgs with big budgets. Copy that playbook into a 10 to 50 person shop and you can end up paying for tools nobody asked for, plus a setup that is harder to run than what you started with.

This is the short list. The stuff that keeps you online and keeps the usual problems from turning into a week long mess.

What you are actually trying to accomplish

If you only remember three things, make it these:

1. People can work without fighting logins and access.
2. Data can be restored when something gets deleted, corrupted, or encrypted.
3. When something is broken, there is a clear path to fix it fast.

Everything else is optional until you have a real reason.

The basics that matter

Steady day to day tools

Most teams run on a small stack:

• Email and calendar
• File storage and sharing
• A handful of business apps, like accounting, CRM, scheduling, POS
• Internet and WiFi
• A website, even if it is just a landing page

When these are stable, work happens. When they are flaky, every small issue turns into missed calls, delayed orders, and people waiting around.

Backups you have proven you can restore

Backups only matter if you can restore. A backup that has never been tested is a guess.

A simple habit that works:

• Once a month, restore one folder or one report to a test location, then open it.
• Write down what you did in a couple sentences.

That is it. You do not need a big process to get value here, you just need proof that restore works.

Security that blocks the common stuff

You do not need a security program that reads like legal paperwork. Start with what stops the usual problems.

• Use a password manager for the team.
• Turn on MFA for email, file storage, and any admin accounts.
• Keep laptops, phones, and business apps updated.
• Limit admin access, most people should not have it.
• Remove access quickly when someone leaves.

A lot of breaches in small businesses start with email and reused passwords. MFA plus a password manager shuts down a big chunk of that.

A clean process for access

Access mistakes cause downtime and risk, and they are easy to prevent.

New hires lose the first day because accounts are not ready. Former staff keep access because nobody owns the cleanup. Both are avoidable with a checklist and someone responsible for it.

Support people can actually reach

If the support path is unclear, problems pile up.

Even without in house IT, you can set a simple workflow:

• One place to ask for help, email, form, or a chat channel
• What counts as urgent
• What details to include, device, error message, screenshot, who is affected

You would be surprised how much faster fixes go when tickets come in with the basics already included.

Short internal notes for repeat issues

Keep it short. Two pages is plenty.

Include things like:

• How to reset a password
• How to join WiFi
• What to do if a laptop is lost
• How to report a suspicious email
• Vendor contacts, internet provider, POS support, website host

This saves time every time someone new starts, and it stops the same questions from bouncing around.

A one page plan for the worst day

You do not need a binder. You need one page people can follow when work stops.

Cover a few common scenarios:

• Email is down
• Internet is down
• A device is stolen
• A key app is broken
• You suspect a security incident

Write down who decides what, who you call, and what gets checked first. When it is stressful, people need a list, not a debate.

Checklists you can copy

These are intentionally boring. That is the point.

Onboarding access checklist

Before day one

1. Confirm start date, role, manager, and location.
2. Create the email account and add the user to the right distribution lists.
3. Create or assign logins for the systems they will use.
4. Add them to the right teams, groups, and shared folders.
5. Turn on MFA and make sure the user can enroll it.
6. Prep the laptop or workstation, updates installed, disk encryption on if available, endpoint protection enabled.
7. Decide how first passwords will be delivered securely, avoid sending passwords in plain text.

Day one

1. Verify they can sign in.
2. Confirm email and calendar work.
3. Confirm file access and shared folders.
4. Confirm the apps needed for the job.
5. Share a short note on how to get help, where requests go, what counts as urgent.

Week one

1. Confirm access is correct, remove anything they do not need.
2. Write down what caused delays so the next onboarding goes smoother.

Offboarding access checklist

Before the last day, or immediately for urgent cases

1. Disable access to email, files, and business tools.
2. Remove MFA devices and recovery options tied to the account.
3. Recover company owned devices.
4. Transfer ownership of key mailboxes, files, calendars, and accounts.
5. Rotate shared credentials they had access to, especially finance, payroll, banking, and vendor portals.
6. Remove access to billing accounts and app admin panels.

After offboarding

1. Confirm access is removed everywhere, including older tools people forget about.
2. Make sure business critical data is stored in the right shared location.
3. Update internal contacts and ownership notes if needed.

What small businesses often do not need

Overbuilt systems

If a tool needs constant babysitting, you pay twice. Once for the tool, and again for the care.

Sometimes complex setups are worth it, but only when there is a clear reason and a clear owner. If nobody can explain what problem it solves in one sentence, pause.

Too many tools that do the same job

Duplicate tools create training drag and confusion. This usually shows up with:

• File sharing
• Chat
• Task tracking
• Internal docs

Pick one primary tool per job and stick with it. Standardizing beats having options.

Big migrations without a business reason

Switching email providers, moving file storage, rebuilding the website, swapping core apps, these can be good moves. They can also eat months.

Good reasons: fewer outages, better security, lower total cost, better customer experience.

Bad reason: everyone else is doing it.

Custom builds when off the shelf works

Custom work can fit unique processes. It also creates a new risk, who maintains it when the builder is gone.

If the honest answer is nobody, keep it simple and buy the boring tool.

Security rules nobody follows

Security only works if people can do it every day.

If rules are confusing or too strict, the team routes around them. Keep the rules clear, repeatable, and tied to how the business actually runs.

Complexity has a cost, even when the invoice looks fine

Complexity rarely shows up as one giant bill. It shows up as daily drag:

• More downtime
• More one off fixes
• More training
• More dependency on the one person who knows how it works

Simple setups are easier to keep running, easier to secure, and easier to change as the business changes.

When it is time to add more structure

You might be past the basics when:

• You have compliance requirements you must meet.
• You handle sensitive customer data at scale.
• You are hiring fast and access control is getting messy.
• Outages happen often.
• You have no visibility into what is failing and why.
• You rely on one person for everything.

Add structure when the business needs it. If things are stable and the team can work, you are already winning.