Hiring your second or third person is a great problem to have. Then a laptop shows up at your shop in Clarendon or Shirlington, and somebody has to actually set it up. Usually that somebody is the owner, at 9 p.m., guessing.
I get called a lot when those guesses come back to bite—a former employee who still has the books open in their email, one password the whole office shares that nobody can change, a laptop with no backup that walked out the door. None of that is dramatic. It's just steps that got skipped on day one.
So here's the new employee computer setup checklist I actually run when a small business in Arlington brings me a fresh machine. It's short. It just has to be done in the right order.
1. Make them their own account—and only their own
The single most common mistake I see is everybody sharing one login. Don't. Every person gets their own account, on the computer and in every app—email, your accounting tool, your file storage.
And give them the access they need to do the job, not the keys to the whole building. The bookkeeper doesn't need admin rights to install software. The front-desk hire doesn't need the payroll login. That's what "least privilege" means, and it's the difference between a mistake costing you one account versus your whole company. When someone leaves or clicks the wrong link, a tight account keeps the damage in one room instead of the whole house.
On a Windows machine, that means a standard user account, not an administrator. On a Mac, same idea—an admin login for you, a standard one for them.
2. Turn on MFA before they log into anything important
Multi-factor authentication—the code on their phone—is the one setting that stops most account break-ins cold. A stolen password alone won't get anyone in.
Turn it on for email first, then accounting, then file storage. Use an authenticator app (Microsoft Authenticator or Google Authenticator) over text-message codes when you have the choice; texts can be intercepted, and a swapped SIM gives a stranger your codes. Figure five minutes per account. I walk owners through it all the time, and it's the cheapest security you'll ever buy.
3. Switch on disk encryption
If that laptop gets left at a coffee shop on Wilson Boulevard, encryption is what keeps a stranger from pulling files straight off the drive. Without it, they don't even need the password—they pop the drive into another machine and read it.
It's built in and free. Windows Pro has BitLocker; Mac has FileVault. Both are a toggle in settings—just save the recovery key somewhere safe that isn't the laptop itself (a password manager or your own files, not a sticky note on the lid). Flip it on before the machine has anything real on it.
4. Set up backup on day one, not after the first scare
A new laptop with no backup is a single point of failure you handed to someone you've known for a week. Set up backup before they save their first file.
For most small offices that's OneDrive or Google Drive syncing their work folders, plus an automatic cloud or external-drive backup of the whole machine. The test that matters: if this laptop died today, what's gone? If the honest answer is "I'm not sure," you're not backed up yet.
5. Install the real software—and nothing else
Put on what the job needs: the office suite, your accounting or scheduling tools, a browser, and reputable antivirus (Windows Defender is fine for most offices). Run every pending update before you hand it over.
Then stop. The fewer random programs on a work machine, the fewer ways in for trouble. If they want a side app later, that's a conversation, not a default. While you're in there, it's worth running through a broader cybersecurity checklist for small businesses so the new machine matches the standard you hold the rest of the office to.
6. Write down the offboarding plan now
This is the step everyone skips, and it's the one that actually bites. The day to figure out how to cut off access is not the day someone quits—or gets walked out.
Keep a simple list for each person: every account they log into, every app, every shared password they know. When they leave, you work the list—disable the accounts, change shared passwords, get the laptop back, pull their access from email and files. Twenty minutes with a list beats three weeks of wondering whether your former hire can still read your inbox.
A quick reality check
If your office has grown past a few people and a couple of laptops, it's worth having someone look at the whole setup with fresh eyes—not just the new machine, but where the gaps are across all of them. That's what a vulnerability assessment is for, and for a small NoVA business it starts at $450.
You don't need an IT department to do this right. You need to do it once, in order, and write down what you did. If you'd rather not spend your evening on it, that's literally my job—small-business IT support here in Arlington, on-site or remote across Northern Virginia. I'll set up the new hire's machine the right way, or I'll look at what you've got and tell you straight if you're already fine.
Either way, call or text me at 571-680-5334. Better to spend a half hour on the front end than a bad week on the back end.
— Sammy