The Tech Fridge Audit: How to Do It in 30 Minutes Without Breaking Anything
This week’s podcast was about the Milk Carton Test: the idea that your tech, like your food, has an expiry date, and that most small businesses are running on stuff they’d never actually eat.
Good idea. Now let’s make it practical.
I’m going to walk you through the complete tech fridge audit. No specialist software. No expensive consultant. No jargon. Just a structured walkthrough that tells you exactly which devices in your business are fresh, which are approaching their best-before, and which are so far past their use-by date that they’re a liability.
The whole thing should take you about 30 minutes the first time. After that, a quarterly check takes ten.
What You’ll Need
A notepad or a simple spreadsheet. That’s it.
The inventory you produce also has a secondary value: if you ever pursue Cyber Essentials certification, or face an ICO enquiry following an incident, a maintained asset inventory is evidence of responsible IT governance. It costs you nothing to create. It can be worth a great deal if things go wrong.
Step 1: The Walkthrough (10 minutes)
Physically walk around your workspace. You are looking for anything that:
- connects to the internet
- handles payment or financial data
- stores personal information about customers, staff, or patients
- provides connectivity (router, Wi-Fi access points, switches)
- stores or backs up data
Do not just look at the obvious. Check under desks. Check the comms cupboard. Check the shelf in the back office. Check the till area. If it has a cable or a light blinking, it goes on the list.
Give every device a simple identifier: “Front counter till,” “Back office PC,” “Router by front door,” “NAS in server cupboard.” You do not need serial numbers at this stage.
High priority (Use By) — check these first:
- Laptops and desktop PCs
- Routers and Wi-Fi access points
- Network switches
- Card machines and POS terminals
- NAS boxes (network storage)
- VPN concentrators or firewalls
- Any server equipment
Lower priority (Best Before):
- Printers (unless network-connected and internet-facing)
- Standalone display screens
- Label printers on isolated networks
Step 2: The Three Questions (10 minutes)
For each device on your list, answer three questions.
Question 1: What is it running?
For Windows PCs: open Settings, click System, click About, look at Windows Specifications. Note whether it says Windows 10, Windows 11, or something older.
For Macs: click the Apple icon, click About This Mac. Note the macOS version.
For routers: check the label on the bottom of the unit for the model number. Then search “[model number] firmware support” or “[model number] end of life.”
For NAS boxes: log into the admin interface (usually via a web browser using the device’s IP address). The dashboard usually shows firmware version and whether updates are available.
For card machines: call your payment provider or check their website. They can tell you directly whether your terminal model is still supported.
If you cannot find the information, write “unknown” and mark it for follow-up.
Question 2: Is it still getting security updates?
For Windows: check whether the version is Windows 11 (currently supported), Windows 10 with ESU enrolment, or Windows 10 without ESU (out of support since October 2025). Anything older than Windows 10 is well past its support deadline.
For everything else: the manufacturer’s website is your primary source. Search for “[product name] end of life” or “[product name] end of support.”
Question 3: What does it actually do for the business?
Be specific. “It’s the till” is not enough. “It runs [software name] to process card payments, connects to our broadband router, and holds a local copy of the day’s transactions” is the information you actually need. This tells you how serious it would be if that device were compromised.
Step 3: Applying the Labels (5 minutes)
Colour-code your list using a simple traffic light system:
Green: Running supported software with more than three years of support remaining. No immediate action required. Check again annually.
Amber: Running supported software but with between one and three years of support remaining. Begin planning and budgeting for migration or replacement. No emergency, but it needs to be on the schedule.
Red: Running out-of-support software, or support ends within 12 months. This is your urgent pile. These devices need either a migration path or compensating controls in place immediately.
Grey: Unknown on any of the three questions. These need resolving before you can categorise them. Unknown devices are never benign.
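If your list lives in a spreadsheet, the labelling rules above can be applied mechanically. The script below is an added example, not part of the original article: the column names (device, os_firmware, support_end, purpose), the fixed audit date and the sample rows are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

TODAY = date(2026, 1, 15)  # fixed audit date so the sample is reproducible
ORDER = ["GREY", "RED", "AMBER", "GREEN"]  # unknowns first, then the urgent pile
UNKNOWN = {"", "unknown", "?"}

# Constructed sample inventory; the column names and dates are assumptions.
SAMPLE_CSV = """device,os_firmware,support_end,purpose
Front counter PC,Windows 10 (no ESU),2025-10-14,"POS, customer bookings"
Back office PC,Windows 11,2030-06-30,Accounts and payroll
Router by front door,unknown,unknown,Broadband and Wi-Fi
NAS in server cupboard,Vendor firmware 7.x,2027-09-30,Nightly backups
Card machine,Terminal model A,2026-11-30,Card payments
"""

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February has no match in a non-leap year
        return d.replace(year=d.year + years, day=28)

def classify(row, today):
    """Apply the Green/Amber/Red/Grey rules to one inventory row."""
    answers = [(row.get(k) or "").strip() for k in ("os_firmware", "support_end", "purpose")]
    if any(a.lower() in UNKNOWN for a in answers):
        return "GREY"  # any unanswered question blocks categorisation
    try:
        end = date.fromisoformat(answers[1])
    except ValueError:
        return "GREY"  # a date that cannot be read is still an unknown
    if end <= add_years(today, 1):
        return "RED"  # already out of support, or ends within 12 months
    if end <= add_years(today, 3):
        return "AMBER"  # one to three years left
    return "GREEN"

def audit(csv_text, today=TODAY):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["label"] = classify(row, today)
        # Amber items get a reminder date 12 months before support ends.
        row["reminder"] = (add_years(date.fromisoformat(row["support_end"]), -1).isoformat()
                           if row["label"] == "AMBER" else "")
    rows.sort(key=lambda r: ORDER.index(r["label"]))  # stable: ties keep list order
    return rows

if __name__ == "__main__":
    for r in audit(SAMPLE_CSV):
        print(f'{r["label"]:<6}{r["device"]:<24}{r["support_end"]:<12}{r["reminder"]}')
```

Running it prints the devices with unknowns first, then red, amber and green, with the reminder date shown for amber items.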
Step 4: The Priority Actions (5 minutes of planning)
For red items: Does the device need to be replaced entirely, or can it be upgraded to a supported version? Many Windows 10 machines can be upgraded to Windows 11 for free. The free Microsoft PC Health Check tool tells you in seconds whether a machine qualifies. If it cannot be upgraded immediately: can it be isolated from the main network? Can internet access be removed? Set a hard date for resolution. Not “Q3.” A specific date.
For grey items: Assign someone to investigate each one this week. If you have an IT support arrangement, ask them directly about any device they don’t already have documented.
For amber items: Note the support end date. Add a calendar reminder for 12 months before that date. Budget for the replacement in the appropriate financial year.
The Completed Audit: What It Looks Like
A completed tech fridge audit is a simple spreadsheet with these columns:
Device | Location | What it does | OS/Firmware | Support status | Label | Action required | Target date
Example row:
- Front counter PC | Reception | POS, customer bookings | Windows 10 (no ESU) | OUT OF SUPPORT | RED | Assess Win11 compat., upgrade or ESU | 30 April 2026
That is the whole document. It takes 30 minutes to produce. It should be reviewed every quarter and updated whenever equipment changes.
The Devices People Most Commonly Miss
The ISP router. Most small businesses use the router their broadband provider sent them: they connected it and never thought about it again. Call your ISP and ask: “Does my router model still receive security firmware updates, and is automatic update enabled?”
The backup NAS. Small businesses often set up a NAS box for backups and then treat it as furniture. These devices frequently run outdated firmware and may have known vulnerabilities that have never been patched. They are both your most important asset and your softest target.
Older networked printers. Modern multi-function printers run embedded operating systems and often store copies of recent print jobs. If your printer is more than five years old, check the manufacturer’s security update history.
The CCTV recorder or NVR. If your business has a security camera system, the recorder is almost certainly running an embedded system that may not have been updated in years. This device is often internet-accessible for remote viewing.
What to Do With the Results
If everything is green: well done. Set a quarterly reminder to check again. Say so when clients ask about your data security practices.
If you have amber items: start the planning and budgeting process now. Do not wait until amber becomes red.
If you have red items: treat them as urgent. Start with internet-facing devices and those handling personal or financial data. Get them onto a migration plan this week, not this quarter.
If you have grey items: resolve them before you do anything else. Unknown devices are an open question about your risk surface.
How to Turn This Into a Competitive Advantage
A maintained software asset inventory with documented lifecycle management is a genuine differentiator when clients or procurement processes ask about your data security practices. It is also a requirement for Cyber Essentials certification.
If you handle client data and a client asks “how do you manage your software lifecycle?”, being able to produce a current, reviewed asset inventory is a concrete, credible answer. Most small businesses cannot do that. The ones who can stand out.
How to Sell This to Your Board
This is a 30-minute exercise that produces a document with measurable value: reduced cyber insurance risk, documented GDPR compliance support, and Cyber Essentials readiness. The cost is half an hour of staff time and a spreadsheet. The alternative is discovering what you’re running during an incident investigation.