IT Health Check Report
A point-in-time assessment of cybersecurity posture, backup health, network hygiene, and licensing exposure.
Moderate exposure — significant gaps, no active incidents.
Score reflects 6 high-severity findings and 4 medium-severity findings against a baseline of 40 controls. No critical breaches in evidence; recommended remediation timeline is 90 days.
Executive summary
Your environment is operationally functional but carries above-average risk in three areas: backup verification, endpoint protection consistency, and privileged-account hygiene. None of the findings are emergencies, but the combination would slow recovery from a ransomware event by an estimated 4–6 business days versus a hardened environment. The 30-day stabilization plan in §6 closes the highest-impact gaps without requiring net-new licensing.
1. Critical findings (resolve in < 30 days)
Local-admin account shared by 4 users
The Windows local-admin account "office-admin" is in active use on 14 of 18 endpoints. Same password since 2023.
Impact: a single phishing compromise on any user grants admin on the entire fleet. Lateral-movement risk is high.
Backup verification: 0 successful test-restores in 18 months
Datto/M365 backups are running but no recovery has been tested. Backup retention is 30 days.
Impact: in a real recovery scenario, RTO is unknown. Industry baseline says 30%+ of "working" backups fail when restored.
2. High-severity findings
MFA coverage: 11 of 22 M365 accounts
Half the M365 user accounts have no MFA enrolled. Conditional Access is configured but not enforced.
Impact: any one credential leak unlocks email + SharePoint without challenge.
EDR: 3 endpoints with expired Sophos licenses
3 laptops show "endpoint protection out of date" — last definition update 4+ weeks ago.
Impact: those 3 devices are running effectively unprotected against signature-based threats.
Patching: 6 endpoints > 90 days behind on Windows updates
No centralized patch management. Updates are applied at each user's discretion, and 6 devices have skipped 3+ cumulative updates.
Procore + Sage: shared credentials across 4 users
Construction-management and accounting platforms share login credentials documented in a Google Sheet titled "passwords."
Impact: no audit trail per user, no offboarding control, single shared password as the only barrier.
3. Medium-severity findings
No DKIM/DMARC on outbound email
Domain has SPF but no DKIM signing or DMARC policy. Spoofing risk is elevated.
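As an added check (not part of this report or any RMS tooling), the Python below evaluates a domain's outbound email-authentication posture from its DNS TXT records. The domain "example-gc.com" and its records are constructed to mirror the state above (SPF present, no DKIM, no DMARC); the selector names assume the Microsoft 365 DKIM convention.

```python
import re

# Constructed sample zone (name -> TXT strings) mirroring the finding above:
# SPF is published, but no DKIM selector and no _dmarc record exist.
SAMPLE_TXT = {
    "example-gc.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    # "selector1._domainkey.example-gc.com": absent -> no DKIM signing
    # "_dmarc.example-gc.com": absent -> no DMARC policy
}


def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM/DMARC syntax) into a lowercase-key dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(domain, txt, dkim_selectors=("selector1", "selector2")):
    """Return {"spf", "dkim", "dmarc", "gaps"} for `domain` from a name->TXT map.
    Selectors default to the M365 convention; other providers use their own."""
    out = {"spf": None, "dkim": [], "dmarc": None, "gaps": []}
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if spf:
        out["spf"] = spf[0]
        if not re.search(r"\s[-~]all\s*$", spf[0]):
            out["gaps"].append("SPF lacks a terminal -all/~all (no fail policy)")
    else:
        out["gaps"].append("no SPF record")
    for sel in dkim_selectors:
        for r in txt.get(f"{sel}._domainkey.{domain}", []):
            tags = parse_tags(r)
            # v= is optional in DKIM records; p= (the public key) is mandatory
            if tags.get("v", "DKIM1").upper() == "DKIM1" and tags.get("p"):
                out["dkim"].append(sel)
    if not out["dkim"]:
        out["gaps"].append("no DKIM key published for the checked selectors")
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if dmarc:
        out["dmarc"] = parse_tags(dmarc[0]).get("p", "none").lower()
        if out["dmarc"] == "none":
            out["gaps"].append("DMARC policy is p=none (monitor only, no enforcement)")
    else:
        out["gaps"].append("no DMARC policy")
    return out
```

To run it against a live zone, replace SAMPLE_TXT with real TXT lookups (for example via dnspython); a zone that publishes a DKIM key and a "v=DMARC1; p=reject" record returns an empty gaps list.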
3 unmanaged BYOD phones accessing M365
Three personal phones are connected to company email with no Intune enrollment or wipe capability.
Office firewall on Comcast default firmware
The router/firewall has not been updated since installation. Vendor has issued 2 security advisories since.
No documented offboarding checklist
Two former employees retain active accounts in 1+ SaaS tools. No standard process exists.
4. License & spend audit
| Service | Tier | Active seats | Paid seats | Note |
|---|---|---|---|---|
| Microsoft 365 Business Standard | Standard | 22 | 25 | 3 unused seats — refund eligible |
| Procore | Project Management | 15 | 15 | Right-sized |
| Sage 300 CRE | Construction | 4 | 5 | 1 unused seat |
| Adobe Creative Cloud | All Apps | 2 | 4 | 2 unused — biggest savings opportunity |
| Datto SIRIS backup | 500GB | — | — | Right-sized |
Estimated annual recoverable spend from unused seats: ~$2,400 USD.
5. Network & hardware
Topology summary
Single-site office network: Comcast cable modem → consumer-grade router → 8-port unmanaged switch → ~30 wired/wireless endpoints. No VLAN separation. No guest WiFi. No wired-vs-wireless trust differentiation.
Hardware lifecycle
| Asset class | Count | Avg age | Est. replacement window |
|---|---|---|---|
| Laptops (Windows) | 18 | 3.4 yrs | 4 due in next 12 months |
| Laptops (macOS) | 4 | 2.1 yrs | None imminent |
| Office printer/MFP | 1 | 6+ yrs | Replace in next 6 months — out of vendor support |
| Conference-room display | 1 | 4 yrs | Acceptable |
6. 30-day stabilization plan (priority-ordered)
If you signed a managed-IT pilot tomorrow, here is exactly what gets fixed in the first 30 days, in this order:
- Week 1, Day 1–2: Deploy a fresh local-admin password per device via LAPS. Disable shared "office-admin" account.
- Week 1, Day 3–5: Enroll all 22 M365 users in MFA. Enforce Conditional Access. Run one phished-credential simulation.
- Week 2: Renew Sophos on the 3 expired endpoints. Push patch baseline (latest cumulative + driver updates) to all Windows endpoints via RMM.
- Week 3: Run first verified test-restore from Datto backup. Document RTO. Move "passwords" Google Sheet to 1Password Business.
- Week 4: Configure DKIM + DMARC. Replace consumer firewall with managed Sophos XGS-87. Enroll 3 BYOD phones in Intune (or remove M365 access). Document offboarding checklist.
Estimated cost (one-time + first-month recurring): $3,400 · estimated time saved on the next inevitable security event: ~3 business days of downtime.
7. Build vs buy recommendation
For a 22-person GC with no in-house IT, buy. Hiring a part-time IT person at $30–50/hr × ~10 hrs/week = $1,300–2,200/mo, with no SLA, no after-hours coverage, and a single-point-of-failure on availability. RMS managed IT at $99 × 22 = $2,178/mo provides equivalent coverage with documented response times, vendor management, and continuity if Justin is unavailable. The math is roughly even on cost; the decisive factor is risk transfer and consistency.
What this report is, and isn't
This is the illustrative format. A real IT Health Check is tailored to your specific environment, runs against your actual asset list, and identifies your specific gaps — not these example findings. Real reports include screenshots of misconfigured settings (redacted), exact CVE references where relevant, and contact info for vendor escalation paths.
What it is not: a SOC 2 audit, a HIPAA risk assessment, a PCI scope review, or a penetration test. RMS refers those out to specialists.