TL;DR: Most businesses do not realise their IT is holding them back until the cost becomes undeniable — a major outage, a security incident, or new staff who cannot understand how anything works. This self-assessment identifies the eight most common ways IT limits business growth, with a scoring system to help you prioritise.
The Hidden Cost of Adequate IT
There is a category of business problem that is particularly hard to see: the cost of things that almost work. A slow system that takes 30 extra seconds per task does not cause an incident. A file-sharing process that requires three extra steps does not trigger a helpdesk ticket. Staff who have learned to work around IT limitations rather than through them do not appear on any report.
But the cumulative effect of these friction points is significant. Research consistently shows that knowledge workers lose 20–30% of their productive time to technology friction — slow systems, difficult processes, searching for information, duplicating work that should be automated. For a 20-person team at $80,000 average salary, that is approximately $320,000 of labour per year spent on avoidable inefficiency.
This self-assessment gives you a structured way to see what “adequate” IT is actually costing your business.
Sign 1: Your Team Has Developed Workarounds
The indicator: When you ask staff how they do a particular task, their explanation includes steps that begin with “I usually just…” or “We have a workaround for that…”
Workarounds are evidence that your IT systems are not fit for purpose. They are efficient solutions to problems that should not exist. They work — until the person who invented the workaround leaves, and no one can explain why things are done the way they are.
Common workarounds to look for:
- Emailing files to yourself to move them between systems (indicates no shared file storage)
- Using personal tools (personal Dropbox, personal Gmail) for work because the work tools are inadequate
- Copy-pasting data between two systems that should be integrated
- Maintaining a personal spreadsheet that duplicates data from the “official” system
- Having a dedicated person whose job is to reconcile two systems that should be automatically synchronised
What to do: Conduct a process review — ask five people to walk you through their three most common daily tasks. Count the workarounds. Prioritise the ones that affect the most people or the most revenue-generating activity.
Score: 0 = no workarounds identified. 1 = 1–3 minor workarounds. 2 = 4+ workarounds or workarounds affecting core revenue processes.
Sign 2: IT Issues Are a Regular Team Meeting Agenda Item
The indicator: IT problems appear on team meeting agendas, are a regular topic in management discussions, or are raised unprompted in staff feedback.
When IT is invisible, it is doing its job. When it is a conversation topic, it is not.
The question is not whether IT problems are ever discussed — no IT environment is perfect. The question is whether they are discussed regularly, whether the same problems recur, and whether staff have normalised working around them.
Red flags:
- The same IT problem appears in meeting notes more than twice
- Staff mention IT problems in performance reviews or engagement surveys
- You regularly hear “it’s always like this” as an explanation for IT dysfunction
- New staff are visibly surprised by the state of the IT environment
What to do: Review the last six months of helpdesk tickets (if you have a helpdesk). Look for repeat issues, unresolved issues, and patterns. If you do not have a helpdesk ticketing system, that itself is a finding.
Score: 0 = IT is rarely discussed outside of IT meetings. 1 = Occasional IT complaints. 2 = Regular IT frustration voiced by multiple staff.
Sign 3: You Have Had Unplanned Downtime in the Last 12 Months
The indicator: Your business operations were disrupted by an IT failure that was not planned or scheduled.
Unplanned downtime has a direct cost: staff cannot work, transactions cannot process, clients cannot be served. But it also has an indirect cost: the time to recover, the client communication required, and the staff stress and credibility impact.
Common causes of SMB unplanned downtime:
- Internet outage with no failover
- Server hardware failure (especially servers more than 5 years old)
- Ransomware attack
- Accidental file deletion without adequate backup recovery
- Software failure due to unmanaged updates
- Power event without UPS protection
What to do: Document each unplanned downtime event in the last 12 months. For each, estimate the cost: hours of downtime × number of staff affected × average hourly rate. This usually produces a number that is significantly larger than the cost of prevention.
Score: 0 = No unplanned downtime. 1 = One brief incident (<2 hours). 2 = Multiple incidents or any incident >4 hours.
Sign 4: Onboarding New Staff Takes More Than One Day
The indicator: When a new employee starts, they spend significant time (more than one business day) waiting for access, waiting for equipment, or being unable to work because systems are not ready.
IT onboarding friction is a real cost — in the new employee’s time, their manager’s time, and the credibility signal it sends about how well-run the business is.
Warning signs:
- New laptops are configured manually by IT for each new employee (rather than via Autopilot/zero-touch)
- Access to systems is requested case-by-case rather than triggered by a role-based process
- New staff regularly discover missing access in their first week
- Equipment orders are placed after the new employee’s start date is confirmed (not before)
What to do: Document your current onboarding IT process. Map it against the Employee IT Onboarding Checklist. Identify the steps that take the most time and whether they can be automated.
Score: 0 = New staff are productive on day one. 1 = Minor delays (half a day). 2 = Staff regularly spend more than one day waiting for access or equipment.
Sign 5: You Are Not Sure Whether Your Backups Work
The indicator: When asked “if your file server failed right now, how quickly could you recover?”, you do not have a confident, specific answer.
Most businesses have backup processes. Fewer have tested backup processes. The difference is critical: an untested backup is an assumption, not a recovery capability.
The ACSC’s annual cyber threat report consistently identifies inadequate backups as a primary factor in the severity of ransomware incidents. Businesses with tested, immutable backups recover in hours; businesses without them face weeks of disruption.
Questions to ask yourself:
- When was the last time a backup was tested by restoring files from it?
- Is there a backup copy that cannot be deleted or encrypted by ransomware (immutable backup)?
- Do you know how long a full recovery would take?
- Is Microsoft 365 data (email, SharePoint, OneDrive) backed up separately from Microsoft’s retention?
What to do: Schedule a backup test this month. Ask your IT provider for a restore test report. See Cyber Breach Response Playbook for backup requirements.
Score: 0 = Backups are tested monthly with documented results. 1 = Backups exist but have not been tested recently. 2 = Unsure whether backups work or would be adequate for recovery.
Sign 6: Your Security Is Reactive Rather Than Proactive
The indicator: Your business responds to security problems after they occur rather than preventing them before they do.
Reactive security means: you patch systems when they break, you consider MFA when someone gets hacked, you think about backup when you almost lose data. Proactive security means: you patch on a schedule before vulnerabilities are exploited, you enforce MFA before a breach forces you to, you test backups before you need them.
Signs of reactive security:
- You have not reviewed who has access to your critical systems in the last 12 months
- You do not know whether all staff have MFA enabled
- Your endpoint protection has not been updated or reviewed this year
- You do not receive alerts when suspicious activity occurs
- Your last security review was prompted by an incident, not scheduled
What to do: Complete the Microsoft 365 Security Baseline Checklist and Cyber Insurance Readiness Checklist. These two documents will tell you where your security posture actually stands.
Score: 0 = Regular proactive security reviews, patching, and monitoring in place. 1 = Some proactive measures but gaps exist. 2 = Primarily reactive — security receives attention after problems occur.
Sign 7: You Are Paying for Tools People Do Not Use
The indicator: When you review your software subscription costs, you find tools that staff have stopped using, duplicate tools serving the same purpose, or licences for staff who have left.
Software sprawl is a common SMB problem. A tool gets added to solve a problem. Another tool gets added when someone forgets the first one. The first tool’s licence keeps renewing. The finance team is using a different spreadsheet to track what the CRM is supposed to track. And so on.
Common signs of software sprawl:
- Multiple tools that do the same job (e.g., two project management tools, two file storage solutions)
- Staff using free consumer tools (personal Dropbox, WhatsApp) instead of company-provided equivalents
- Licences for users who have left the business
- Tools that are paid for but universally avoided because they are poorly implemented
- No one can produce a complete list of business software subscriptions and their costs
What to do: Audit all software subscriptions monthly cost. Identify anything unused or duplicated. This exercise typically surfaces $500–2,000/month in avoidable costs for a 20-person business.
Score: 0 = Software subscriptions reviewed annually, no known waste. 1 = Some duplication or unused tools. 2 = Significant software sprawl or unknown costs.
Sign 8: You Cannot Easily Describe Your IT to a Potential IT Provider
The indicator: If you were asked to describe your IT environment to a new IT provider — how many servers, what software, what cloud services, how data is protected — you could not provide a clear, accurate picture.
Documentation is the foundation of IT management. An environment that cannot be described cannot be properly supported, secured, or recovered. It also creates significant dependency on individuals who carry critical knowledge about how systems are configured.
Signs of poor IT documentation:
- If your IT person left tomorrow, no one would know how systems work
- You have had an IT provider do configuration work that was never documented
- You do not know what admin credentials are used for which systems
- You do not know when software licences expire or what your IT contracts say
- You have servers or systems running whose original purpose has been forgotten
What to do: Engage your IT provider to produce a documentation baseline. At minimum: network diagram, server inventory, software inventory, licence register, and admin credential register. See Small Business IT Bible for documentation standards.
Score: 0 = IT environment is fully documented and current. 1 = Partial documentation. 2 = No documentation or documentation is significantly out of date.
Your Score
Add up your scores from all eight signs:
0–4: Your IT is reasonably well-managed. Focus on the specific areas where you scored 1 or 2 and address them systematically.
5–8: Your IT is creating real friction and risk. You have several areas that need attention. Prioritise the ones that most directly affect security and revenue.
9–16: Your IT is likely limiting your business’s performance and creating significant security exposure. A structured IT assessment and improvement plan is worth prioritising.
If you would like an independent assessment of your IT environment, book a Right Fit Call with CX IT Services. We can give you an honest, specific picture of where you stand and what the priority improvements are.
For related resources: