7 Security Mistakes Every Small Business Makes (We See All of Them)
92% of small businesses have security tools. 1 in 4 got breached anyway. Here are the 7 mistakes we find in almost every assessment we do, and how to fix each one this week.
#92% of small businesses have security tools. 1 in 4 got breached anyway.
That stat should make you uncomfortable. It means having tools isn't the problem. It's how they're configured, maintained, and supplemented with training and process.
We've done a lot of assessments since we started this firm. Law firms, medical practices, restaurants, manufacturers, professional services. Different industries, different sizes, different technology stacks. But the same seven mistakes show up in almost every single one.
Here's the list. Be honest with yourself about how many apply to your business right now.
#1. Weak or reused passwords with no MFA.
This is still number one. In 2026. I wish I were joking.
We walk in, check the admin panel of the firewall, and the password is "admin." We check the shared QuickBooks login and three people use the same password. We check the owner's Microsoft 365 account and the password is the same one they use for their personal Amazon account.
87% of breaches involve stolen credentials. Not zero-days. Not sophisticated hacking. Stolen, guessed, or reused passwords.
The fix takes an afternoon: deploy Bitwarden (free), generate a unique password for every account, and enable MFA on everything, starting with email, admin and financial accounts. Use an authenticator app or a security key rather than SMS codes where the service allows it. An afternoon of work that addresses the most common attack vector in existence.
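As an added example (not code from the original post), here is the audit step that usually comes before the fix: scan a password-manager export for passwords reused across accounts and for weak ones, then generate replacements from the OS random source. The CSV below is a constructed, simplified export with made-up credentials; a real Bitwarden export has more columns, and the column names here are an assumption.

```python
import csv
import io
import secrets
import string
from collections import defaultdict

# Constructed sample in the shape of a password-manager CSV export.
# Columns are simplified and the credentials are made up.
SAMPLE_EXPORT = """name,login_username,login_password
Firewall admin,admin,admin
QuickBooks,office@example.com,Summer2024!
Microsoft 365,owner@example.com,Summer2024!
Amazon (personal),owner@example.com,Summer2024!
Slack,owner@example.com,k7#vP9q!Lm2zR4wX
"""

MIN_LENGTH = 14
SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def load_entries(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_reused(entries):
    """Map each password used by more than one entry to the entry names sharing it."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["login_password"]].append(e["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def find_weak(entries, min_length=MIN_LENGTH):
    """Entries whose password is too short or equals the username (admin/admin)."""
    return [
        e["name"]
        for e in entries
        if len(e["login_password"]) < min_length
        or e["login_password"].lower() == e["login_username"].lower()
    ]


def generate_password(length=20):
    """Random password from the OS CSPRNG (secrets), retried until every
    character class is present so it passes typical complexity rules."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def remediation_plan(entries):
    """Sorted names of entries that need a new unique password."""
    needs_change = set(find_weak(entries))
    for names in find_reused(entries).values():
        needs_change.update(names)
    return sorted(needs_change)


if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    for pw, names in find_reused(entries).items():
        print(f"reused across {len(names)} accounts: {', '.join(names)}")
    for name in remediation_plan(entries):
        print(f"rotate {name!r} -> {generate_password()}")
```

Run it against a real export only on a machine you trust, and delete the export afterwards; the plaintext file is exactly the kind of thing an attacker hopes to find.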
#2. No employee security training. At all.
Not bad training. Not outdated training. No training. Nobody has ever shown the team what a phishing email looks like. Nobody has explained why you don't plug in USB drives you found in the parking lot. Nobody has practiced what to do when someone calls pretending to be IT support.
72% of workers say phishing attempts are more convincing than a year ago because of AI. Your team is facing better attacks than ever with zero preparation.
Our training isn't a video. It's hands-on simulations tailored to your industry. Fake emails that look like your real vendors. Phone calls that sound like your real IT provider. The skills your team builds protect them at work and at home.
#3. Outdated software everywhere.
The firewall firmware is two versions behind. The WordPress plugins haven't been updated in 8 months. The Windows machines are running a version that's past end of life. The NAS is running firmware from 2023.
Every unpatched system exposes a known vulnerability, and for many of them a public exploit already exists. Attackers scan for these automatically, around the clock, at tens of thousands of probes per second. Your unpatched system will be found. It's a matter of when, not if.
#4. Backups that exist but have never been tested.
"We have backups" is the second most dangerous sentence in IT security, right after "we've never had a problem."
When we ask "when did you last restore from backup?" the answer is almost always "never" or "I'm not sure." That means you don't know if your backup works. You don't know how long a restore takes. You don't know if the data is intact. You have a false sense of security.
Ransomware encrypts backup drives too when they're reachable from the network it lands on; a mapped drive or an always-connected USB disk is just another target. Keep at least one copy offline or immutable. Test a restore monthly, and not just "the job ran green": restore files and compare them to what you backed up. Know your recovery time.
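What "test the restore" means in practice, as an added example that is not part of the original post: record a manifest of file hashes at backup time, keep it somewhere other than the backup, then restore into a clean directory and diff against the manifest while timing the whole thing. The second half simulates the failure mode above: a file is encrypted in place and the nightly job faithfully backs up the garbage. All data and paths are constructed; the tar-and-gzip format is an assumption standing in for whatever your backup tool produces.

```python
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Write a tar.gz of source_dir and return the manifest taken at the same time.
    Store the manifest separately from the archive (it is the ground truth)."""
    source_dir = Path(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(source_dir)))
    return build_manifest(source_dir)


def restore_test(archive_path, manifest):
    """Restore into a fresh directory and compare against the manifest.
    Returns (ok, problems, seconds_taken)."""
    start = time.monotonic()
    # The 'data' extraction filter (Python 3.12+, backported to older patch
    # releases) rejects absolute paths and '..' members from a hostile archive.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(restore_dir, **kwargs)
        restored = build_manifest(restore_dir)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif restored[rel] != digest:
                problems.append(f"corrupt: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected: {rel}")
    return (not problems, problems, time.monotonic() - start)


def demo():
    """Good backup passes; backup taken after in-place encryption fails."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "clients").mkdir(parents=True)
        (src / "clients" / "ledger.csv").write_text("acct,balance\n1001,250.00\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        good_archive = Path(work) / "good.tar.gz"
        manifest = create_backup(src, good_archive)          # manifest recorded here
        good_result = restore_test(good_archive, manifest)

        # Ransomware hits: one file is overwritten with ciphertext-like bytes,
        # and the next scheduled backup picks the damaged file up.
        (src / "clients" / "ledger.csv").write_bytes(os.urandom(64))
        bad_archive = Path(work) / "bad.tar.gz"
        create_backup(src, bad_archive)
        bad_result = restore_test(bad_archive, manifest)     # checked against the earlier manifest
        return good_result, bad_result


if __name__ == "__main__":
    good, bad = demo()
    print("good backup:", "OK" if good[0] else good[1], f"({good[2]:.3f}s)")
    print("post-ransomware backup:", "OK" if bad[0] else bad[1])
```

The seconds value is your measured recovery time for that data set; scale it to the real volume and you have the number to put in the incident response plan.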
#5. No network segmentation.
Guest Wi-Fi, business computers, POS terminals, security cameras, and the owner's personal laptop all on the same network. One flat subnet. If an attacker gets on any device, they can reach every device.
Someone connects to your guest Wi-Fi with a laptop and scans the network. They find your POS terminal. They find your file server. They find your security cameras (which probably have default passwords).
VLANs. Separate your guest, business, POS, and IoT traffic, and set the firewall to deny traffic between VLANs by default, allowing only the few flows you actually need. It's a one-time setup that costs a few hundred dollars and limits the blast radius of any compromise.
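To make "blast radius" concrete, here is an added example (not from the original post) that models the two networks above and computes what an attacker who owns one device can reach, pivoting through each host they compromise. The device inventory and the allowed-flow policy are constructed; real firewall rules are per port and direction, and this model only tracks VLAN-to-VLAN reachability.

```python
from collections import deque

# Constructed inventory: device name -> VLAN it sits on.
DEVICES = {
    "guest-laptop": "guest",
    "front-desk-pc": "business",
    "owner-laptop": "business",
    "file-server": "business",
    "pos-terminal": "pos",
    "camera-1": "iot",
}

# Flat network: one subnet, no inter-VLAN policy, everything reaches everything.
FLAT_POLICY = None

# Segmented: allowed (source VLAN, destination VLAN) pairs; anything not listed is denied.
SEGMENTED_POLICY = {
    ("business", "business"),   # staff PCs talk to the file server
    ("business", "iot"),        # staff PCs view the cameras; cameras never initiate
    ("pos", "pos"),             # POS terminals talk only among themselves (and out to the processor)
}


def flow_allowed(policy, src_vlan, dst_vlan):
    return policy is None or (src_vlan, dst_vlan) in policy


def reachable_from(start, devices=DEVICES, policy=SEGMENTED_POLICY):
    """Set of devices an attacker holding `start` can reach, treating every
    compromised host as a new starting point (BFS over the allowed-flow graph)."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dev, vlan in devices.items():
            if dev not in seen and flow_allowed(policy, devices[cur], vlan):
                seen.add(dev)
                queue.append(dev)
    return seen - {start}


def blast_radius_report(start):
    """Compare the two designs for the same initial foothold."""
    return {
        "flat": sorted(reachable_from(start, policy=FLAT_POLICY)),
        "segmented": sorted(reachable_from(start, policy=SEGMENTED_POLICY)),
    }


if __name__ == "__main__":
    for foothold in ("guest-laptop", "front-desk-pc"):
        r = blast_radius_report(foothold)
        print(f"{foothold}: flat={len(r['flat'])} devices, segmented={len(r['segmented'])} devices")
        print("  segmented can reach:", r["segmented"] or "nothing")
```

On the flat network the guest laptop reaches all five other devices; segmented, it reaches none. A phished front-desk PC still reaches the file server, the owner's laptop and the camera, which is why the business VLAN deserves the patching, MFA and training effort most.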
#6. Former employees still have access.
The IT person who left 18 months ago? Their VPN credentials still work. The marketing agency you stopped using last year? Still has admin access to your website. The old accountant? Still in QuickBooks. The intern from summer 2024? Still in Slack.
Every active credential for someone who no longer needs it is a door left unlocked. We find orphaned accounts in every assessment. Sometimes dozens of them. It takes an afternoon to audit and clean up, and an offboarding checklist tied to HR keeps the list from growing back.
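The afternoon audit, as an added example that is not the firm's own tooling: take the HR roster and an account export from each system, and flag every account whose owner is not an active employee or that has not logged in for 90 days. The roster, the exports, their column names and the cutoff date are all constructed; real exports from Microsoft 365, Slack or a website CMS will need their own column mapping.

```python
import csv
import io
from datetime import date

TODAY = date(2026, 3, 1)   # fixed reference date so the example is deterministic
STALE_DAYS = 90

# Constructed HR roster: everyone who has ever had an account, with current status.
HR_ROSTER = """email,status
alice@example.com,active
bob@example.com,active
carol@example.com,terminated
"""

# Constructed per-system exports: account, role, last login (ISO date or blank).
SYSTEM_EXPORTS = {
    "vpn": """account,role,last_login
alice@example.com,user,2026-02-27
dave@example.com,admin,2024-09-10
""",
    "website": """account,role,last_login
alice@example.com,admin,2026-02-20
agency-admin@marketingco.example,admin,2025-01-15
""",
    "quickbooks": """account,role,last_login
bob@example.com,user,2026-02-28
carol@example.com,admin,2025-11-02
""",
    "slack": """account,role,last_login
intern2024@example.com,member,2024-08-30
bob@example.com,member,2026-03-01
""",
}


def load_roster(text):
    return {r["email"].lower(): r["status"] for r in csv.DictReader(io.StringIO(text))}


def audit(roster, exports, today=TODAY, stale_days=STALE_DAYS):
    """One finding per suspicious account, with every reason it tripped."""
    findings = []
    for system, text in exports.items():
        for r in csv.DictReader(io.StringIO(text)):
            acct = r["account"].lower()
            reasons = []
            status = roster.get(acct)
            if status is None:
                reasons.append("not on HR roster")          # contractor, agency, or unknown
            elif status != "active":
                reasons.append(f"HR status {status}")       # left, but access never revoked
            if r["last_login"]:
                age = (today - date.fromisoformat(r["last_login"])).days
                if age > stale_days:
                    reasons.append(f"no login in {age} days")
            else:
                reasons.append("never logged in")
            if reasons:
                findings.append({"system": system, "account": acct,
                                 "role": r["role"], "reasons": reasons})
    return findings


def prioritized(findings):
    """Admin-level orphans first; they are the ones that can undo everything else."""
    return sorted(findings, key=lambda f: f["role"] != "admin")


if __name__ == "__main__":
    for f in prioritized(audit(load_roster(HR_ROSTER), SYSTEM_EXPORTS)):
        print(f"{f['system']:<11} {f['account']:<35} {f['role']:<7} {'; '.join(f['reasons'])}")
```

Disable first, delete later: a disabled account keeps its audit trail and can be re-enabled if it turns out to be a shared mailbox someone still relies on.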
#7. No incident response plan.
Ransomware hits at 2am Saturday. What do you do? Who do you call? What do you disconnect? Who tells the clients? Who contacts law enforcement?
If those answers aren't written down somewhere your team can find them at 2am on a Saturday, you don't have a plan. You have panic.
A basic incident response plan fits on one page. Print it. Tape it inside the server closet door. Make sure at least three people know it exists.
#Here's the thing.
None of these are hard fixes. None of them require expensive software or specialized hardware. Most of them are free or near-free. An afternoon of work each.
But they don't get done because nobody assigns them. Nobody owns security. The owner is focused on running the business. The IT person (if there is one) is focused on keeping things working. Security falls into the gap between "someone should do this" and "someone actually did this."
That's the gap we fill. Book a time and we'll walk through these seven items for your business specifically. Which ones apply, which ones are urgent, and what to do first.
#Further reading
- Our full security checklist - the 10-item version
- Free cybersecurity tools - implement most of these fixes for $0
- NIST Small Business Cybersecurity - federal framework
- CIS Controls Implementation Group 1 - the minimum security controls every business needs
- CISA Cyber Essentials - starter kit for small businesses