IT health check small business IT IT review managed IT cybersecurity questions business operations

Your Backup Is the Smoke Detector Nobody Tests

Your backup is the smoke detector nobody tests until it matters. 5 IT questions every business owner should ask before Q2 ends.

centrexIT
6 min read

Your backup is the smoke detector nobody tests.

It chirps when the battery dies. You take it down to stop the noise. You mean to put it back. You don’t. Six months later there’s a real problem and the thing meant to save you is sitting in a drawer.

That’s most small and mid-sized business IT operations right now. Not broken — just quietly disconnected from the things that would tell you something’s wrong.

Q2 just started. You don’t need a formal audit to fix this. You need 30 minutes and five honest questions. Whether your IT is in-house, outsourced, or some mix of both, asking these out loud is the cheapest insurance you can buy this quarter.

1. When was the last time we restored from a backup — not just confirmed one ran?

This is the smoke detector question. The one most business owners assume is fine.

“The backup ran successfully” is not the same as “the backup actually works.” A backup that completes but can’t be restored is just expensive storage. The only way to know is to test the restore — pull a file, a folder, a server image — and time how long it takes.

If your IT team can’t tell you when they last did a real restore test (not a notification check), that’s the test result. Schedule one this month.

2. Who has admin access to what — and is that list current?

Admin access creep is a quiet killer. The bookkeeper who left two years ago. The vendor who set up the phone system in 2023. The former IT person from the company you acquired last summer. People accumulate access. Access rarely gets cleaned up.

Ask for a current list of every account with administrative privileges across your systems — email, file storage, accounting, your website, your network. If your team can produce that list quickly, good. If they need a week to figure it out, that’s the answer.

The fix isn’t dramatic. It’s just running through the list, removing what shouldn’t be there, and writing down a quarterly process for keeping it current.

3. If our internet goes down for 4 hours tomorrow, what stops working?

Most owners can name the obvious things — email, the website, file sharing. The dangerous answers come from the second tier.

Does your phone system run over your internet? Does your point-of-sale stop processing cards? Does your security camera system lose its cloud feed? Does the vendor portal your customers use go offline? Does payroll fail to submit?

This isn’t paranoia. The Federal Communications Commission tracks broadband outages and they happen — fiber cuts, regional ISP problems, weather events. The point isn’t to prevent outages. It’s to know what fails so you can decide which of those things needs a backup plan and which can wait it out.

4. What’s our process when an employee leaves — and is it actually being followed?

Employee offboarding is one of the most common security gaps in small businesses, and it’s almost always a process problem rather than a tools problem.

The questions to ask: When someone leaves, who disables their accounts? In what order? How fast? Is the laptop returned and wiped, or just sitting in a closet? Is their cloud storage transferred or orphaned? Does someone check that they’re no longer in vendor portals or shared SaaS accounts?

The reason this matters: a 2024 study from the Ponemon Institute found that insider threats — including departing employees — account for a meaningful share of breach incidents, and the cost per incident has been climbing year over year.

You don’t need a fancy system. You need a one-page checklist and someone whose job it is to run it every time.

If you’re reading this and realizing you don’t have clean answers to the first four questions, that’s actually useful information. centrexIT has a free 2-minute cybersecurity readiness assessment that walks through this kind of thing. Take it here.

5. What did we spend on IT last quarter — and what did we get for it?

This one trips up almost everyone. Not because the spending is wrong, but because nobody’s doing the math.

Most businesses can’t quickly answer: How much did we spend on software subscriptions last quarter? On hardware? On managed services or in-house IT staff? On cybersecurity tools? On cloud services?

And once you have those numbers — what did you get? Fewer outages? More uptime? Faster response when something broke? More projects completed? Or did the spend just keep the lights on?

This isn’t a cost-cutting exercise. It’s a value-of-investment exercise. If you spent $40,000 on IT last quarter and your team can’t tell you what changed because of it, that’s worth a conversation. The answer might be “the systems just kept working, which is what you paid for” — and that’s fine. But you should know.

The 30-minute version

You don’t need to do this perfectly. You need to do it at all.

Block 30 minutes this week. Bring whoever runs IT for you to the room — internal staff, your managed service provider, both. Ask the five questions. Write down the answers. If an answer is “I’m not sure,” that becomes a follow-up.

You’ll either come out of the meeting feeling better about the state of things, or you’ll come out with a short list of items to fix before Q2 ends. Either result is a win.

The smoke detector either beeps when there’s smoke, or it doesn’t. The only way to know which one you have is to test it.

Common Questions

How often should we run an IT health check like this? Quarterly is the right cadence for most small and mid-sized businesses. It maps to natural business reviews and catches drift before it compounds.

Should we hire someone outside to do this audit? Not for a 30-minute review like this. Outside audits are useful annually or when something specific has changed (acquisition, major system migration, compliance requirement). For a quarterly check, internal honesty is what matters.

What if our IT team gets defensive when we ask these questions? That’s information. Good IT teams welcome these questions because the answers help them prioritize. If the response is defensiveness rather than answers, you’ve learned something important about the working relationship.

Are these the only questions worth asking? No, but they’re the five that catch the most common gaps. If you have a regulated industry — healthcare, financial services, life sciences — you’ll have additional compliance-specific questions on top of these.

centrexIT has protected businesses across California, Arizona, Washington, Nevada, and Oregon since 2002. Quarterly IT reviews are part of how we work — not a billable extra, just how a good IT partnership runs.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

Sources

  1. Ponemon Institute, “2024 Cost of Insider Threats Global Report” — ponemon.org
  2. Federal Communications Commission, “Network Outage Reporting System (NORS)” — fcc.gov
  3. Cybersecurity & Infrastructure Security Agency (CISA), “Cyber Essentials Toolkit” — cisa.gov
Found this helpful? Share it with your network.
Twitter LinkedIn
Written by
centrexIT

The centrexIT team brings decades of combined IT expertise, helping San Diego businesses thrive with secure, reliable technology solutions.

Meet Our Team