When CloudVanguard IT offers a free IT assessment, we're not running a sales pitch dressed up as a checklist. We're doing a structured evaluation of your environment — the kind that tells you exactly where your risks are, what's working, and what needs attention. Here's exactly what we look at, and why each area matters for GTA businesses.
Why a Free IT Assessment Is Worth Your Time
Most business owners in Ajax, Toronto, and across the GTA have never had a formal review of their IT environment. They inherited a setup from a previous provider, built things incrementally as the business grew, or simply kept what was working — or what seemed to be working.
The problem with that approach is that IT risk doesn't announce itself. Misconfigurations, outdated software, weak backup postures, and security gaps accumulate quietly until something goes wrong. By the time a ransomware event, a data breach, or a critical system failure surfaces the problem, the cost of fixing it is orders of magnitude higher than it would have been to address it proactively.
A structured IT assessment changes that dynamic. It gives you a clear, objective picture of your current environment — what is well-configured, what is exposed, and what is one bad day away from becoming a serious incident. The Canadian Centre for Cyber Security recommends that small and mid-sized organizations conduct regular reviews of their security controls as a foundational practice. Our assessment covers exactly those controls — and more.
Here is a detailed look at what we evaluate, and why each area is on the list.
1. Network Infrastructure and Perimeter Security
We start at the network level — the foundation everything else sits on.
Firewall Configuration
We review your firewall rules, firmware version, and configuration. An outdated firewall running default settings is not meaningfully different from having no firewall. We look for unnecessary open ports, overly permissive inbound rules, and firmware that is behind on security patches. Many SMBs are running consumer-grade routers in business environments, or business-grade hardware that has never been properly configured.
Network Segmentation
We check whether your network separates sensitive systems from general traffic. A flat network — where every device can communicate with every other device — means that a compromised endpoint can reach your server, your accounting software, and your client files without any additional barriers. Basic segmentation (separating Wi-Fi guest traffic, isolating servers, creating VLANs for sensitive workloads) is a high-impact, low-cost control that most SMBs have never implemented.
Remote Access Security
If your team accesses the office network remotely — via VPN, RDP, or a remote desktop platform — we evaluate how that access is configured and protected. Exposed RDP is one of the most exploited entry points for ransomware operators. The RCMP's National Cybercrime Coordination Centre has repeatedly flagged poorly secured remote access as a primary ransomware delivery vector in Canadian SMB incidents.
2. Endpoint Security
Every device that connects to your network — desktops, laptops, servers, mobile devices — is a potential entry point. We assess each category.
Patch and Update Status
We inventory the patch status of operating systems and key third-party applications across your endpoints. Unpatched software is among the most reliably exploited weaknesses in SMB environments. The Verizon Data Breach Investigations Report consistently identifies exploitation of known, patchable vulnerabilities as a top breach pattern — meaning the fix existed before the breach occurred. Automated, documented patch management is a baseline we check for on every assessment.
Antivirus vs. EDR Coverage
We identify whether endpoints are running traditional antivirus or a modern Endpoint Detection and Response (EDR) solution. As we covered in our post on why antivirus alone is not enough, signature-based antivirus misses the majority of techniques used in modern attacks. We flag any coverage gaps — unprotected devices, outdated agents, or platforms that have not been updated to current capability.
Encryption
We check whether device storage is encrypted. For laptops and mobile devices especially, full-disk encryption (BitLocker on Windows, FileVault on Mac) means that a lost or stolen device does not become a data breach. This is a straightforward control that is frequently absent — and often required by industry regulations.
3. Identity and Access Management
Credential compromise is the most common initial access technique used by attackers. This section of the assessment focuses on how identities are managed and protected.
Multi-Factor Authentication
We check MFA enrollment across all cloud services — Microsoft 365, Google Workspace, accounting platforms, practice management software, and any other application that stores business or client data. Microsoft Security research shows that MFA blocks over 99% of automated credential attacks. Unenforced MFA on any business application is a high-priority finding in every assessment we run.
Password Policies and Privileged Accounts
We review password policies, identify accounts with administrative privileges, and check for shared credentials or service accounts with excessive permissions. The principle of least privilege — every user and system gets only the access they actually need — is a core identity hygiene control. Accounts with unnecessary admin rights are a force multiplier for any attacker who gets in.
Offboarding Procedures
We ask how quickly former employees lose access to business systems. This is one of the most overlooked identity risks in small businesses. Accounts from staff who left months or years ago frequently remain active — sometimes with broad permissions — because no formal deprovisioning process exists. We document the gap and recommend a remediation workflow.
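One way to run the offboarding check described above is to cross-reference an account export against HR records. This is an added example, not CloudVanguard IT's own tooling; the field names, the record layout and the sample accounts are constructed assumptions.

```python
from datetime import date

def audit_offboarding(accounts, current_staff, departures, today):
    """Return enabled accounts with no current owner, highest risk first."""
    findings = []
    for acct in accounts:
        email = acct["email"].lower()
        if not acct["enabled"] or email in current_staff:
            continue
        last_day = departures.get(email)
        if last_day is None:
            # On neither HR list: shared, service or forgotten account.
            findings.append({"email": email, "issue": "no owner on record",
                             "admin": acct["admin"], "days_overdue": None,
                             "used_after_exit": False})
            continue
        if last_day >= today:
            continue  # departure not yet effective
        signin = acct["last_sign_in"]
        findings.append({"email": email, "issue": "departed, still enabled",
                         "admin": acct["admin"],
                         "days_overdue": (today - last_day).days,
                         "used_after_exit": signin is not None and signin > last_day})
    # Sign-ins after the exit date first, then admin rights, then longest overdue.
    findings.sort(key=lambda f: (not f["used_after_exit"], not f["admin"],
                                 -(f["days_overdue"] or 0)))
    return findings

# Constructed sample data (hypothetical names and field layout).
ACCOUNTS = [
    {"email": "a.chen@example.com", "enabled": True, "admin": False, "last_sign_in": date(2024, 5, 30)},
    {"email": "b.osei@example.com", "enabled": True, "admin": True, "last_sign_in": date(2023, 11, 2)},
    {"email": "c.roy@example.com", "enabled": True, "admin": False, "last_sign_in": date(2024, 4, 20)},
    {"email": "d.lam@example.com", "enabled": False, "admin": False, "last_sign_in": date(2024, 1, 9)},
    {"email": "scanner@example.com", "enabled": True, "admin": False, "last_sign_in": None},
]
CURRENT_STAFF = {"a.chen@example.com"}
DEPARTURES = {"b.osei@example.com": date(2023, 11, 3),
              "c.roy@example.com": date(2024, 3, 15),
              "d.lam@example.com": date(2024, 1, 10)}

def run_sample():
    return audit_offboarding(ACCOUNTS, CURRENT_STAFF, DEPARTURES, date(2024, 6, 1))

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

An account that signed in after its owner's last day sorts to the top because it is evidence of use, not just exposure.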
4. Data Backup and Recovery
Backup is where many businesses discover their real posture for the first time — usually during an incident. Our assessment treats backup as a critical, testable control rather than an administrative checkbox.
Backup Coverage and Frequency
We identify what is being backed up, how frequently, and whether the backup scope actually covers the data that matters. Common gaps include: cloud application data (Microsoft 365 email and SharePoint are not backed up by Microsoft by default), databases that are excluded from file-level backups, and local backups that cover files but not system state or applications.
Offsite and Offline Copies
A backup that lives on the same network as your production environment can be encrypted by ransomware along with everything else. We check whether you have offsite or cloud-based copies that are logically isolated from your primary environment — and whether those copies are current.
Recovery Testing
Having backups is not the same as having a working recovery capability. We ask when the last restoration test was performed and whether a documented recovery time objective (RTO) exists. Most SMBs have never tested a restore. A backup that has never been tested is a hypothesis, not a guarantee.
5. Microsoft 365 and Cloud Application Security
Most GTA businesses now run a significant portion of their operations through cloud applications — primarily Microsoft 365. Cloud misconfiguration is a consistently exploited vulnerability class, and the default settings in many Microsoft 365 tenants are not optimally secure.
Microsoft Secure Score
Microsoft provides a built-in Secure Score for every 365 tenant — a measurable indicator of how well the environment is configured against Microsoft's security recommendations. We pull this score and review the highest-impact, unfulfilled recommendations. Common findings include disabled security defaults, legacy authentication protocols that bypass MFA, and overly permissive external sharing settings in SharePoint and OneDrive.
Email Security Configuration
We review SPF, DKIM, and DMARC records for your domain. These email authentication standards prevent attackers from spoofing your domain — sending emails that appear to come from your business — and are a foundational control against Business Email Compromise. The FBI's Internet Crime Report consistently ranks BEC among the costliest cybercrime categories globally. Missing or misconfigured email authentication records are a common and easily remediated finding.
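The kind of SPF and DMARC misconfiguration this review looks for can be checked offline against the TXT strings a domain publishes. The sketch below is an added example, not CloudVanguard IT's own tooling; the function names, finding wording and sample records are constructed, and DKIM is left out because it needs the selector name.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # cost a DNS query; nested includes add more

def review_spf(apex_txt):
    """Findings for the SPF record among the TXT strings at the domain apex."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: multiple records, receivers return permerror"]
    terms = spf[0].lower().split()[1:]
    names = [re.split(r"[:/]", t.lstrip("+-~?"))[0] for t in terms]
    findings = []
    if "all" in names:
        qualifier = terms[names.index("all")][0]
        if qualifier in ("+", "a"):  # a bare "all" defaults to "+"
            findings.append("SPF: '+all' authorizes any sender")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral and blocks nothing")
    elif not any(n.startswith("redirect=") for n in names):
        findings.append("SPF: no 'all' term, unlisted senders get a neutral result")
    lookups = sum(n in LOOKUP_TERMS or n.startswith("redirect=") for n in names)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms, over the limit of 10")
    return findings

def review_dmarc(dmarc_txt):
    """Findings for the TXT strings published at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no record published"]
    if len(recs) > 1:
        return ["DMARC: multiple records, receivers apply none of them"]
    tags = {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in recs[0].split(";") if "=" in p)}
    policy, findings = tags.get("p", "").lower(), []
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} enforces on only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are not collected")
    return findings

# Constructed sample records for a hypothetical domain.
if __name__ == "__main__":
    print(review_spf(["v=spf1 include:_spf.example.net ?all"]), review_dmarc(["v=DMARC1; p=none"]))
```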
Third-Party App Permissions
We review which third-party applications have been granted access to your Microsoft 365 tenant. OAuth app permissions are frequently over-granted and rarely audited. A compromised or malicious third-party app with broad permissions can access email, files, and calendar data across the entire organization.
6. Compliance and Regulatory Alignment
For businesses in regulated industries, IT assessment findings have compliance implications — not just operational ones.
PIPEDA and Provincial Privacy Law
We map findings against the reasonable safeguard requirements under Canada's PIPEDA and applicable provincial legislation. For healthcare providers, this includes alignment with PHIPA requirements. For legal and financial services firms, we note findings that are relevant to Law Society, CPA Canada, or financial regulatory guidance.
Industry-Specific Requirements
Our assessments for healthcare and dental practices, law firms, accounting and financial services firms, and non-profit organizations include an industry-specific lens. The controls that matter most, and the findings that carry the highest regulatory risk, differ by sector. We flag the items most relevant to your specific compliance environment.
What You Get at the End
At the conclusion of the assessment, you receive a plain-language written report that covers:
Current state summary: A clear overview of your environment — what is in place, what is missing, and how the overall posture compares to current best practice for an SMB of your size and industry.
Prioritized findings: Risks ranked by severity and likelihood of exploitation, so you know what to address first and what can be scheduled for later.
Remediation roadmap: Concrete, actionable recommendations for each finding — not vague guidance, but specific steps and, where relevant, the tools or processes that address each gap.
Cost context: An honest picture of what remediation looks like in terms of effort and investment, including whether items are covered under a CloudVanguard IT managed services plan or require a separate project.
The goal is not to produce a report that justifies a sale — it is to give you a clear, honest picture of where you stand, so you can make an informed decision about what to do next. Some businesses come out of the assessment with a handful of low-effort fixes that close most of their risk. Others discover more significant gaps that require a phased approach. Either way, you leave knowing the actual state of your environment.
Who the Assessment Is For
The free IT assessment is designed for small and mid-sized businesses in the Greater Toronto Area — typically five to one hundred and fifty employees — that want an objective evaluation of their IT environment. It is particularly valuable for:
Businesses that have never had a formal IT review and want to understand where they actually stand.
Companies that have recently grown, added remote workers, or moved workloads to the cloud and want to ensure their security posture has kept pace.
Organizations that have had an IT incident — a phishing attack, a malware infection, a data loss event — and want to understand how it happened and what needs to change.
Regulated businesses — law firms, healthcare providers, accounting practices, financial services firms — that need to demonstrate reasonable safeguards and want a clear gap analysis against applicable requirements.
Businesses considering switching IT providers that want an independent view of their current environment before making a change.
How to Get Started
The assessment is genuinely free — no commitment, no obligation, no pressure to sign a contract. We do it because the businesses that understand their environment clearly are the ones that make good decisions about IT, and those are the clients we want to work with. Book your free IT assessment and a member of our team will reach out to schedule a time that works for you.
CloudVanguard IT serves businesses in Ajax, Toronto, Markham, Mississauga, Scarborough, Whitby, Oshawa, and across the broader GTA. Flat monthly pricing, no lock-in contracts, and a local team that picks up the phone.