
What an IT Audit Finds Inside a Crystal Coast Business That's Never Had One

What we find when we audit a Crystal Coast small business that's never had a professional IT review — the gaps, the risks, and what a practical fix looks like.



The businesses that call us for the first time have usually been running their own IT for years. Not because they wanted to — because they didn’t see an alternative. The owner set up the router when they moved in. Someone’s nephew configured the email. The computer at the front desk was bought at a big-box store and set up following the on-screen prompts. The printer was plugged in and it worked, so nobody thought about it again. The backup was set up once, maybe, and nobody has checked it since.

This is not a failure of intelligence or effort. It’s what happens when a small business runs lean and technology is managed by whoever is most willing to try. Over time, the accumulation of quick fixes, workarounds, and deferred decisions creates an IT environment that works — right up until it doesn’t.

When we do an audit of a business that’s never had one — in Newport, Cape Carteret, Maysville, or anywhere across the Crystal Coast — we find the same patterns with remarkable consistency. This post is a composite — no single business, all anonymized — of what we typically see when we walk in, open the closet, and start looking.

Finding 1: Consumer Router Running a Business

The router is a consumer-grade unit — either the one the ISP provided or one the owner bought at the electronics store. It’s been running for three or four years without a firmware update. The admin password is either the default printed on the bottom of the device or “password.” The Wi-Fi password is shared with everyone — staff, customers, the delivery driver, anyone who has ever asked.

What this means: A consumer router lacks the processing power, security features, and reliability of a business-grade unit. It doesn’t support network segmentation (so the POS, the office computers, and the guest devices are all on one flat network). It doesn’t have a firewall with meaningful inspection capability. And the default admin password means anyone on the network can access the router’s configuration — and potentially redirect traffic, change DNS settings, or open ports.

What the fix looks like: Replace with a business-grade router. Change the admin password. Create separate network segments for business, POS (if applicable), and guest use. Configure the firmware to auto-update or put it on a quarterly check schedule. Estimated time: one to two hours. Estimated cost: $200–$500 for the router plus installation labor.

Finding 2: Shared Windows Login — One Account, Everyone

Every person in the office — the owner, the office manager, the part-time employee who works Thursdays — logs into the same Windows user account. One username, one password, no individual accountability. The desktop is a mess of files from multiple people. The browser has saved passwords for business accounts mixed with personal accounts. There’s no way to determine who accessed what, when.

What this means: If a security incident occurs, there’s no audit trail. If an employee leaves and the login isn’t changed (and it never is, because changing it affects everyone), the departing employee retains effective access to every file and every saved credential on that machine. If ransomware executes under that account, it has access to everything that account has access to — which, since everyone is an administrator, is everything on the machine.

What the fix looks like: Create individual Windows user accounts for each person. Set appropriate permissions — standard user accounts for most people, administrator only for whoever actually needs it. Migrate files to appropriate shared locations so they’re accessible from any account. Change the previous shared password. Estimated time: one to two hours depending on the number of users. No hardware cost.

Finding 3: Backup That Hasn’t Been Checked in 18 Months

There’s an external hard drive plugged into the back of the main computer. It was set up eighteen months ago — maybe by a previous employee, maybe by the owner following a YouTube tutorial. The backup software shows a status icon, but nobody has looked at it since it was set up. When we check, one of three things is true: the backup is still running and the data is current (rare), the backup stopped running months ago due to a full drive or a software error and nobody noticed (common), or the drive has been unplugged for months and the backup software has been reporting errors to a notification that nobody reads (also common).

What this means: The business thinks it has a backup. It may not. Even if the backup is running, if it’s never been tested with an actual restore, there’s no guarantee the data is recoverable. And a local-only backup — sitting right next to the computer it’s backing up — doesn’t survive a fire, flood, or theft that affects both. One ENC business found this out the hard way when their single office computer failed.

What the fix looks like: Verify the current state of the backup. If it’s running, test a restore. If it’s not running, fix or replace it. Add an offsite component — a cloud backup that stores a copy of the data somewhere physically separate from the office. Set up monitoring so failures generate an alert rather than a silent icon nobody checks. Estimated time: one to two hours. Estimated monthly cost for managed backup: $50–$150.
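One way to turn the silent status icon into an alert, as an added example (not code from the original post or from any backup product). It classifies a backup folder into the states described above. The 26-hour threshold (a daily job plus slack), the 10% free-space floor and the `/mnt/backup` default path are assumptions.

```python
import os
import shutil
import sys
import time

def backup_status(backup_dir, max_age_hours=26, min_free_fraction=0.10, now=None):
    """Return (state, detail); state is OK, STALE, FULL or MISSING."""
    now = time.time() if now is None else now
    # Drive unplugged or folder deleted: the job has nowhere to write.
    if not os.path.isdir(backup_dir):
        return "MISSING", f"{backup_dir} is not present"
    # Find the most recently modified file anywhere under the backup folder.
    newest = None
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            try:
                mtime = os.path.getmtime(os.path.join(root, name))
            except OSError:
                continue  # file vanished or is unreadable; skip it
            newest = mtime if newest is None else max(newest, mtime)
    if newest is None:
        return "STALE", "backup folder contains no files"
    age_hours = (now - newest) / 3600
    if age_hours > max_age_hours:
        return "STALE", f"newest backup file is {age_hours:.0f} hours old"
    # Backup is fresh, but a nearly full drive is how the next run fails.
    usage = shutil.disk_usage(backup_dir)
    if usage.free / usage.total < min_free_fraction:
        return "FULL", f"only {usage.free / usage.total:.0%} of the drive is free"
    return "OK", f"newest backup file is {age_hours:.1f} hours old"

if __name__ == "__main__":
    # Hypothetical default path; pass the real backup folder as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/mnt/backup"
    state, detail = backup_status(target)
    print(f"{state}: {detail}")
    # Non-zero exit lets Task Scheduler, cron or a monitoring agent raise the alert.
    sys.exit(0 if state == "OK" else 1)
```

An OK result only shows that files are still being written; it does not replace the restore test.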

Finding 4: Outdated OS on at Least One Machine

Somewhere in the office — usually the machine that “works fine” and nobody wants to touch — there’s a computer running a version of Windows that’s no longer receiving security updates. Sometimes it’s a machine that was too old to upgrade to the current version. Sometimes the update was deferred so many times that the machine stopped offering it. The employee who used to “handle updates” left, and nobody picked up the task.

What this means: A machine running an unsupported operating system is not receiving security patches. Every vulnerability discovered since the end-of-support date is an open door. The machine may work fine for daily tasks, but it’s a known-vulnerable entry point to the network.

What the fix looks like: If the hardware supports the current OS, upgrade it. If it doesn’t, the machine needs to be replaced. In some cases, the machine is running a specific legacy application that doesn’t work on the current OS — that’s a harder conversation, but it still needs to happen. Estimated cost: $0 (upgrade only) to $800–$1,200 (replacement machine).

Finding 5: Email with No SPF/DKIM

The business email was set up years ago. The domain was purchased, the hosting was configured, email was turned on. SPF and DKIM records — the DNS entries that tell the world “this email actually came from us” — were never configured. The result: the business’s outbound email has been landing in recipients’ spam folders for years. The owner thought business was slow. It wasn’t slow — their proposals, invoices, and appointment confirmations were being filtered into junk folders and never seen.

What this means: Lost revenue from proposals that were never read. Lost trust from clients who thought the business was unresponsive. Ongoing deliverability problems that compound over time as the domain’s sending reputation degrades.

What the fix looks like: Add SPF and DKIM records to the domain’s DNS configuration. Verify with a test email. Monitor deliverability for a few weeks to ensure the issue is resolved. Estimated time: fifteen to thirty minutes. No cost beyond labor.
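A check to run on the records before sending the test email, as an added example (not code from the original post). It takes the TXT strings published at the domain and at the DKIM selector name (`<selector>._domainkey.<domain>`), however you looked them up, and reports the common mistakes. The sample records, `example.net` include and truncated key are constructed.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' DKIM record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_email_dns(apex_txt, dkim_txt):
    """Return a list of findings; an empty list means both records look sane."""
    findings = []
    # An SPF record is a TXT string whose first term is exactly v=spf1.
    spf = [r for r in apex_txt if r.strip().lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("SPF: no v=spf1 record published")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records; receivers treat this as a permanent error")
    else:
        terms = spf[0].lower().split()[1:]
        alls = [t for t in terms if t.lstrip("+-~?") == "all"]
        has_redirect = any(t.startswith("redirect=") for t in terms)
        if not alls and not has_redirect:
            findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
        elif alls and alls[0][0] not in "-~":
            findings.append(f"SPF: '{alls[0]}' does not reject or flag unlisted senders")
    # A DKIM key record carries the public key in its p= tag.
    keys = [k for k in (parse_tags(r) for r in dkim_txt) if "p" in k]
    if not keys:
        findings.append("DKIM: no key record at the selector")
    elif all(k["p"] == "" for k in keys):
        findings.append("DKIM: key is revoked (empty p= tag)")
    return findings

# Constructed sample records for a placeholder domain (not real DNS data).
BEFORE = {"apex": ["site-verification=constructed-value"], "dkim": []}
AFTER = {
    "apex": ["v=spf1 include:_spf.example.net -all"],
    "dkim": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],  # truncated, constructed
}

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_email_dns(zone["apex"], zone["dkim"]) or "no findings")
```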

Finding 6: Open RDP Port

This one is the scariest finding, and it’s more common than it should be. The main workstation or server has Remote Desktop Protocol enabled and the port is accessible from the public internet. Sometimes it was enabled intentionally — the owner wanted to access the office computer from home. Sometimes it was enabled by a previous IT provider for remote support and never disabled. Sometimes it was enabled by default during setup and nobody knew.

What this means: Anyone on the internet can attempt to log into the computer. Automated scanning tools try default and common credentials against open RDP ports continuously. If the password is weak — and on a shared Windows login, it often is — the machine is essentially unlocked and facing the entire internet. Ransomware deployment through open RDP ports is one of the most common attack vectors against small businesses nationally.

What the fix looks like: Disable RDP if it’s not needed. If remote access is required, close the public port and set up a VPN, which provides encrypted, authenticated access without exposing the machine directly. Estimated time: fifteen to thirty minutes. No cost beyond labor.

Finding 7: No Documented Passwords

Nobody knows the admin password for the router. The ISP account login is “somewhere in an old email.” The server password is known to the owner but not written down anywhere. The email admin credentials are unknown — whoever set it up didn’t leave the information. The business is functionally dependent on a collection of passwords that are either in one person’s head, on a sticky note that might have been thrown away, or lost entirely.

What this means: When something needs to be fixed, the first step is often a password recovery process rather than the actual repair. This adds time, cost, and sometimes makes certain tasks impossible until credentials are recovered or reset. If the one person who knows the passwords is unavailable, the business is locked out of its own infrastructure.

What the fix looks like: Inventory every credential — router, ISP, email, software, online accounts, everything. Store them in a password manager owned by the business (not by an individual). Document the password manager’s master credentials in a secure, separate location. Estimated time: one to two hours. Password manager cost: $0–$50/year.

The Remediation Sequence

You don’t fix all of this at once. The remediation is prioritized by actual risk:

Immediate (this week):

  1. Close the open RDP port
  2. Change default router admin password
  3. Verify backup status — is it running?

Near-term (this month):

  4. Add SPF/DKIM to email DNS
  5. Create individual Windows user accounts
  6. Set up managed backup with offsite component
  7. Inventory and document all credentials

Planned (next quarter):

  8. Replace consumer router with business-grade unit
  9. Upgrade or replace machines running unsupported OS
  10. Implement network segmentation


If you’d like us to audit your IT setup and tell you honestly what we find — with a prioritized remediation plan and clear costs — we’re at 252-777-2488. The audit typically takes two to three hours on-site, and you’ll know exactly where you stand. More at /services/business-technology-consultation.
