How JCPIT Hardens a Small Business in 30 Days

This is a typical onboarding sequence, not a case study. The order changes with the business, but the aim is always the same: remove the easiest attack paths first, then tighten the controls that matter most.

First 30 days: the usual sequence

1. Days 1-3: discovery — confirm who owns Microsoft 365, the domain, backups, admin accounts, and recovery options. We also note any urgent gaps that need attention before anything else.
2. Days 4-7: account hardening — turn on MFA where it is missing, split daily and admin accounts, remove legacy authentication, and review mailbox rules and app consent.
3. Days 8-14: email and domain controls — check SPF, DKIM, and DMARC, look for spoofing risk, and tighten settings that make invoice fraud or impersonation easier.
4. Days 15-21: device protection and backups — confirm endpoint protection is deployed, patch the devices that matter most, and test at least one restore so backup coverage is not just assumed.
5. Days 22-30: reporting and next steps — send a plain-English summary of what was changed, what remains open, and what should be done next.

What usually gets fixed first

• Shared Microsoft 365 admin logins
• No MFA on finance or owner accounts
• Mailbox rules that forward mail outside the business
• Missing or weak SPF, DKIM, or DMARC records
• Devices without managed protection or patch oversight
• Backups that exist but have never been tested

What the process is trying to achieve

The goal is not to pretend risk disappears. It is to make the business harder to compromise, easier to recover, and clearer to support. If we find a bigger issue, we stop and deal with that first.

Where to start

If you want a quick external snapshot, begin with the Free Domain Health Check. If you want the broader business review, use the Free Security Check. If you already know you need help, contact us.

Related reading: Microsoft 365 Security, Managed IT vs Break-Fix Support, Small Business IT Support Checklist, and Switch IT Providers.