Basic IT setup for start-ups and small companies
This page explains the core IT foundations a small company should get in place early, why those choices tend to stick, and how to avoid common mistakes. It focuses on ownership, access, and sequencing rather than tools or step-by-step setup.
Purpose of this page
This page is for founders and early teams who need to make sensible IT decisions without deep technical knowledge. It covers the fundamentals that almost every company needs from day one and explains why they matter. It does not try to turn you into an IT administrator, and it avoids vendor-specific advice unless absolutely necessary.
The principle: get the foundations right early
Early IT choices tend to last longer than expected because changing them later is painful and risky. Email addresses get printed on business cards, logins are shared across tools, and the person who set everything up may leave. The goal is not perfection; it is to make choices you can live with and build on.
A good early setup prioritises ownership of your core assets, clarity about who controls them, and simple structures that new team members can understand. Convenience is fine as long as it does not create a dependency you cannot undo.
Domains: your company's digital identity
Your domain is your public identity and the foundation for email, websites, and many other services. If your company does not own its domain, it does not fully own its digital presence.
Start by understanding the registrar. A registrar is the company you register the domain through. They hold the official record of who owns it and give you the control panel where you manage DNS and transfer the domain if needed.
Avoid relying on personal domains or someone else's account. If a founder or contractor owns the domain and they leave, you can be locked out of your own email, website, or admin consoles. Buy a domain in the company name, keep it under an account controlled by the company, and make sure at least two people can access it.
Delegation matters. You should never share the registrar password. Instead, use delegated or role-based access so others can help manage DNS and renewals without controlling the whole account.
Domain privacy is also important. Domain registration typically requires contact details that can appear in public WHOIS records. Privacy or proxy services replace your real address, phone number, and email with alternate contact information. This reduces spam and prevents your home address being exposed when a domain is registered to a person.
Keep your domain separate from your hosting when you can. Many hosting providers offer to register the domain for you, which can be convenient, but it can also make it harder to move your site or email later. At minimum, be clear on who controls the registrar account and how you would transfer the domain away if needed. The risk is not the hosting choice itself; it is losing control or getting stuck when you need to change providers.
When you buy a domain, keep it simple. A clear, recognisable name is usually more valuable than a clever one. The main risk is not in failing to pick the perfect name; it is losing control of it later.
Advice
Use a registrar that supports delegated access and role-based permissions so you never need to share passwords. GoDaddy and Namecheap are common choices for small teams because they make delegation and access management straightforward. Do not register a domain with a provider that cannot delegate access; if only one login controls the domain, you are creating a single point of failure.
DNS basics (at a glance)
DNS is how the internet finds your website and email. It is simple in concept but unforgiving in practice. A small mistake can take down your email or website without warning.
At a high level, DNS is a set of records that map your domain to services:
- `A` records point a domain to a server IP address, commonly used for websites.
- `CNAME` records point one name to another name, often used when a service hosts your site and gives you a target hostname.
- `MX` records tell the internet which servers handle your email.
- `TXT` records store additional text data and are commonly used to prove ownership or configure email security.
Your registrar lets you control DNS records, but it also allows you to delegate DNS management to another provider. This means you can register your domain with one company and have DNS managed elsewhere, for example by Cloudflare or AWS. There can be benefits to this, such as better tooling, reliability, or security, but it is not always required. If you are considering a change like this, it is usually worth seeking advice first.
Keep DNS configuration as simple as possible. Document changes, avoid unnecessary complexity, and make sure more than one person can access the DNS account. The goal is not to become an expert; it is to avoid being locked out when something breaks.
Email: business communication, not just inboxes
Email is the default identity layer for most business tools. It determines who can sign up, reset passwords, and claim ownership of accounts. If email is set up poorly, everything else becomes fragile.
Businesses should use email addresses at their own domain. An `@gmail.com` address looks less professional and does not give you the same business-level control, security, or continuity. It also makes it harder to prove ownership of accounts and to transfer access when people leave.
The most common choices for business email are Microsoft 365 and Google Workspace. Both are good options. They handle shared inboxes and management slightly differently, but either is a sensible default for small teams.
You can also use aliases. An alias is an extra address that delivers mail into the same inbox, such as having both `firstname@domain` and `firstname.surname@domain` without paying for another account. Aliases help keep addresses consistent, reduce missed emails, and make it easier to handle name changes or corrections later.
Use company email addresses for company work. Personal email accounts create confusion and make it hard to transfer ownership when someone leaves. Shared mailboxes and role-based addresses like `info@` or `billing@` help with continuity and reduce dependence on any single person.
Avoid low-cost email hosting that lacks modern authentication features. If a provider does not support SPF, DKIM, and DMARC, or makes them difficult to configure, it will cause delivery and security problems later.
If multiple people need access to the same inbox, use shared mailboxes or proper delegation instead of sharing passwords. Never share the email admin password. Enable multi-factor authentication for email accounts, especially administrator accounts. The security section will cover MFA in more depth, but it should be treated as a baseline.
Email setup also requires the right DNS records. SPF, DKIM, and DMARC help prove that your email is legitimate and reduce the chance of your messages landing in spam. These records need to be configured correctly, especially if more than one system sends email on your behalf.
SPF is particularly sensitive because you should only publish one SPF record, and it must include every system allowed to send email for your domain. If you use tools like SendGrid or marketing platforms like HubSpot, they must be included in your SPF and other email authentication settings. If you are unsure, seek professional help. Incorrect settings can break delivery or harm your domain reputation.
If you want a quick check, tools like MXToolbox can flag obvious issues, but they do not replace proper setup or advice when things are complex.
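The single-record SPF rule described above can be checked mechanically. The following is an added example, not part of the original page: it audits the TXT values published for one domain and reports duplicate SPF records, senders missing from a record, and a permissive or absent `all` term. The records and sender hostnames (`spf.mailhost.example`, `spf.bulkmail.example`) are constructed placeholders; the check assumes senders are authorised with `include:` terms and does not follow `redirect=` or nested includes.

```python
# Added example. All records and hostnames below are constructed placeholders.
QUALIFIERS = "+-~?"  # optional prefix on an SPF mechanism, e.g. "~all"


def spf_policies(txt_records):
    """Return the TXT values that are SPF policies (first term is v=spf1)."""
    return [r for r in txt_records if r.split() and r.split()[0].lower() == "v=spf1"]


def audit_spf(txt_records, required_senders):
    """Return a list of findings; an empty list means every check passed."""
    policies = spf_policies(txt_records)
    if not policies:
        return ["no SPF record published"]
    findings = []
    if len(policies) > 1:
        # More than one v=spf1 record makes SPF evaluation fail for the domain.
        findings.append(f"{len(policies)} SPF records published, expected exactly 1")
    required = {s.lower() for s in required_senders}
    for policy in policies:
        terms = [t.lower() for t in policy.split()[1:]]
        bare = [t.lstrip(QUALIFIERS) for t in terms]
        includes = {b[len("include:"):] for b in bare if b.startswith("include:")}
        for sender in sorted(required - includes):
            findings.append(f"sender {sender} missing from: {policy}")
        all_terms = [t for t in terms if t.lstrip(QUALIFIERS) == "all"]
        if any(t in ("all", "+all") for t in all_terms):
            findings.append(f"'+all' authorises every server: {policy}")
        elif not all_terms and not any(t.startswith("redirect=") for t in terms):
            findings.append(f"no 'all' term, unlisted servers get a neutral result: {policy}")
    return findings


# Systems that send mail for the (hypothetical) domain.
REQUIRED = ["spf.mailhost.example", "spf.bulkmail.example"]

# Constructed: a second SPF record was added when the bulk-mail tool was set up.
BROKEN = [
    "v=spf1 include:spf.mailhost.example ~all",
    "v=spf1 include:spf.bulkmail.example ~all",
    "site-verification=constructed-token",
]

# Constructed: the same senders merged into the one permitted record.
FIXED = [
    "v=spf1 include:spf.mailhost.example include:spf.bulkmail.example ~all",
    "site-verification=constructed-token",
]

if __name__ == "__main__":
    for name, records in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit_spf(records, REQUIRED) or "OK")
```

To run it against a live domain, pass in the TXT values returned by a DNS lookup for that domain in place of the constructed lists.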
Website basics
A company website does not need to be complex early on. At minimum it should explain what you do, how to contact you, and establish legitimacy. The important part is ownership and access, not fancy design.
It is usually a good idea to use the `www` subdomain (for example `www.company.com`) and redirect the bare domain to it. This makes it easier to move hosting later and gives you clearer control over how traffic is routed.
Website platforms and trade-offs
WYSIWYG systems (What You See Is What You Get) like Squarespace and Wix let non-technical people build and update a site without code. The trade-off is that these platforms often add extra overhead, which can make sites slower or less mobile-friendly. They are also harder to move away from because you do not own the underlying code and export options are limited.
If your site will be mostly static and you do not mind paying someone for changes, a developer-built site can be a better long-term asset. It is usually a one-time larger cost, hosting is not expensive, and you can fully own the code and hosting. If you expect regular changes or want to spread out cost over time, a WYSIWYG platform can be a practical choice. There are always trade-offs. If you are unsure, seek professional advice.
Regardless of approach, make sure the company controls the hosting account and the domain. If a contractor builds the site, ensure you have admin access and can move the site if needed.
SEO and discoverability
Search engines decide how and when your site appears in results. That means you need to think about the words on your site and how they match what people are searching for. Most sites also need to be submitted to search engines and updated over time so the content stays relevant.
SEO advice changes constantly because search engines update their algorithms. What worked six months ago might not work today. There is also a growing impact from AI systems that summarise or quote content directly, which can change how people find and interpret your site. This area is still evolving, but it is worth keeping in mind.
Mobile, accessibility, and design basics
Many users will view your site on a phone, and others on large screens. Your design needs to work well across both. Test on multiple devices, especially if your audience is likely to be mobile-first.
Images, colours, and layout choices also affect accessibility. There is a whole field dedicated to making websites usable for people with visual, motor, or cognitive limitations. If this is new to you or you want to do it properly, seek professional help.
Cookies and analytics
Most websites use cookies even if the site itself is simple, because hosting platforms and embedded tools often set them by default. In many jurisdictions you must obtain user consent before setting non-essential cookies. This is not optional and failing to do it properly can cause legal trouble. If you are unsure, seek professional advice.
Basic analytics can be valuable early on. Even simple page view and referral tracking helps you understand whether the site is being seen, which pages matter, and where people come from. Use analytics with care and make sure your cookie and privacy practices align with the tools you choose.
Accounts and access
Access control is an early design decision. Decide who owns key accounts, how access is granted, and how it will be revoked when someone leaves.
Create a dedicated administrator account for core systems. It does not have to be called `admin@`, but it should be a controlled account with limited day-to-day use that holds the main keys. Treat digital assets like bank accounts: if you would not give someone the ability to send money, you should not give them unrestricted access to your domain, email, or core systems.
Avoid single points of failure where only one person has access to a critical account. Use shared ownership where possible, and make sure company accounts are not tied to a single personal email address or phone number.
Passwords and sharing
Never share passwords. Any system you use should allow individual accounts or delegated access instead of a single shared login. Sharing passwords is a security risk and removes your audit trail, because everything appears to be done by one person even when it was not.
Use strong, unique passwords for each system. Reusing a single password across tools is one of the fastest ways to lose multiple accounts at once.
Multi-factor authentication (MFA)
MFA adds a second check beyond a password. The most common methods are one-time codes from an app and SMS or phone codes. App-based codes from tools like Authy or Google Authenticator are generally more reliable than SMS. Whatever method you choose, make sure you know which app or device is being used and who controls it.
Enable MFA on all admin accounts and on critical systems like email, domains, and finance tools. Where possible, enforce MFA for all employees.
Device encryption
Laptops and phones can be lost or stolen. Make sure encryption is enabled on company devices so that data is not accessible without the account credentials. This will be covered in more detail in device management, but it should be treated as a baseline expectation.
Device management and connectivity
Your devices are where most company data actually lives day to day. Laptops and phones need to be treated as business assets, even if they are personally owned or used for mixed purposes.
Avoid sharing devices where possible. When two or more people use the same laptop or phone, you lose accountability and it becomes harder to keep data separated. If a device must be shared, use separate user accounts and ensure access can be removed when someone leaves.
Data loss and backups
Data loss is common and usually accidental. Devices get lost, damaged, or stolen. Make sure important data is stored in services that can be recovered and that device encryption is enabled. The goal is to avoid a single lost laptop becoming a business‑ending event.
Working from home and public Wi‑Fi
Remote work increases risk because devices leave the controlled office environment. Employees should treat device security as part of their job, not an optional extra. This means locking screens, updating software, and not installing untrusted apps.
Public Wi‑Fi can be risky. Avoid logging into critical systems on unknown networks, and consider using a trusted VPN if remote access is frequent. At minimum, make sure core accounts use MFA so a stolen password is not enough to gain access.
Office internet and Wi‑Fi
For a 1–3 person team, a standard business-grade internet connection is usually sufficient. For 5–10 people, reliability matters more than raw speed. Video calls, file sharing, and cloud tools can saturate cheap connections quickly.
Choose an internet provider that offers consistent uptime and support. If the internet is down, work often stops. Make sure the Wi‑Fi network is secure and that the company controls the router and admin credentials.
Basic policies and procedures
Even a very small company benefits from a few simple, written policies. These do not need to be long or legalistic. The goal is clarity: everyone should know what is expected and what happens if something goes wrong.
Here are the core policies most small businesses should have:
- Account and access policy: Who can create accounts, how admin access is granted, how access is removed when someone leaves, and the requirement for individual logins rather than shared passwords.
- Password and MFA policy: Minimum password standards, no password sharing, and which systems must have MFA enabled.
- Device policy: Rules for company and personal devices, encryption requirements, screen locking, and what to do if a device is lost or stolen.
- Data handling policy: Where company data can be stored, whether personal storage or email is allowed, and how sensitive information should be shared.
- Backup and recovery policy: What data is backed up, how often, and who is responsible for restoring it if something goes wrong.
- Software and updates policy: Who can install software, how updates are handled, and expectations around security patches.
- AI usage policy: Which AI tools are allowed, what data can be shared with them, and how outputs should be checked before use.
Each policy should be short and practical. If you are unsure what to include, ask for help and keep it lightweight rather than skipping it entirely.
Risk register (start early)
A risk register is a simple list of things that could hurt the business, how likely they are, and what you are doing about them. It does not need to be complex. A spreadsheet is enough for a simple risk register. A spreadsheet is not a good tool for a roadmap, but it works here because the structure is stable.
Start with a short list of real risks: losing access to the domain, data loss, email misconfiguration, or key systems owned by a single person. For each risk, note:
- The risk itself (what could go wrong)
- Likelihood (low/medium/high)
- Impact (low/medium/high)
- Current controls (what reduces the risk today)
- Next action (what you plan to do and when)
Review the list regularly, especially after major changes like hiring, switching tools, or moving offices. The goal is not to eliminate every risk, but to make them visible and to avoid being surprised by the obvious ones.
When to pause and get help
Get help if you are unsure who owns your domain, if you cannot access key accounts, or if your email setup is already messy. These are signs that small problems are becoming structural risks.
Good advice should clarify options and trade-offs, not push you into expensive tools. If someone cannot explain why a decision matters or how to reverse it later, be cautious.
If you want a quick sanity check, a short conversation can often save weeks of cleanup later. We can help directly or point you toward the right kind of specialist.