10 Signs Your Business Has an IT Security Problem (And What to Do About It)

26 March 2026

IT security vulnerabilities almost always show warning signs before an incident occurs. The challenge is knowing what to look for. Here are ten of the most common security gaps we see in small and medium-sized businesses — and what you can do about each one.

1. Multi-Factor Authentication (MFA) Is Not Enabled

If your team can log in to Microsoft 365, email, or any business system with just a username and password, you have a serious exposure. According to Microsoft's own research, MFA prevents 99.9% of automated account compromise attacks.

What to do: Enable MFA across all Microsoft 365 accounts organisation-wide. This is one of the highest-impact, lowest-cost security improvements available to any business.

2. Shared Passwords and Weak Credentials

When staff reuse passwords across work and personal accounts — or share credentials between colleagues — a single breach elsewhere can compromise your entire business. Weak or reused passwords remain one of the leading causes of account takeover.

What to do: Implement password policies requiring unique, complex credentials for every account. Deploy an enterprise password manager to make this manageable for your team without relying on memory.

3. No Phishing Email Testing

Your team is your first and last line of defence against phishing. Yet most businesses have never tested whether their staff can spot a convincing attack. The NCSC's Cyber Security Breaches Survey found that phishing affects 84% of businesses that reported a breach.

What to do: Run simulated phishing exercises to understand your current risk. The results often surprise people — and they create a natural prompt for awareness training.

4. Former Employees Still Have Access

This is one of the most common — and most avoidable — security risks we encounter. When someone leaves the business, how quickly are their accounts disabled, and their access to email, SharePoint, and line-of-business systems revoked?

What to do: Create a documented offboarding checklist that includes disabling all accounts on the employee's final day. Ideally, this is automated rather than relying on someone remembering.
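One way to automate the "final day" step for Microsoft 365, as an added example that is not part of the original post: it blocks sign-in, revokes existing sessions, verifies the change, and writes an audit record. It uses the Microsoft Graph PowerShell SDK; the user principal name and log path are placeholders you supply.

```powershell
# Added example (not from the original post): offboarding a Microsoft 365 user with
# the Microsoft Graph PowerShell SDK. Requires the Microsoft.Graph.Users and
# Microsoft.Graph.Users.Actions modules. The UPN and CSV path are assumed placeholders.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName,
    [string]$LogPath = ".\offboarding-log.csv"
)

# User.ReadWrite.All covers both disabling the account and revoking sign-in sessions.
Connect-MgGraph -Scopes "User.ReadWrite.All"

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,DisplayName,AccountEnabled
if (-not $user) { throw "No user found for $UserPrincipalName" }

# Step 1: block sign-in. Disabling rather than deleting keeps mailbox and files
# recoverable while the handover is completed.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Step 2: revoke refresh tokens so already-signed-in phones and laptops stop working
# now, instead of lingering until their tokens expire.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Step 3: confirm the account is really disabled before reporting success.
$after = Get-MgUser -UserId $user.Id -Property AccountEnabled
if ($after.AccountEnabled) { throw "Account for $UserPrincipalName is still enabled" }

# Step 4: append an audit record so the offboarding checklist has evidence.
[PSCustomObject]@{
    Timestamp = (Get-Date).ToString("o")
    User      = $UserPrincipalName
    Action    = "SignInBlocked;SessionsRevoked"
    By        = (Get-MgContext).Account
} | Export-Csv -Path $LogPath -Append -NoTypeInformation

Write-Host "Offboarding completed for $($user.DisplayName)"
```

Run it from the leaver's last-day ticket or an HR-triggered workflow, and extend it with the line-of-business systems that sit outside Microsoft 365.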

5. You Don't Know Where Your Data Is Stored

If you can't answer the question "where does our customer data live?", you have a GDPR problem as well as a security problem. Data scattered across personal email accounts, local drives, and unsanctioned cloud storage is data you cannot protect.

What to do: Conduct a data audit to map where information is stored and who has access to it. Centralise data in Microsoft 365 where it can be protected, governed, and monitored.

6. Software and Systems Are Not Kept Up to Date

Unpatched software is how most malware enters business networks. Vendors release security updates for a reason — they fix known vulnerabilities that attackers actively exploit.

What to do: Enable automatic updates wherever possible. For managed devices, use Microsoft Intune to enforce update compliance across your entire fleet without manual intervention.

7. Personal Devices Are Used for Work Without Security Controls

Remote and hybrid working has blurred the lines between personal and work devices. When staff access company data on a personal laptop or phone, you lose visibility — and control.

What to do: Enrol devices in a Mobile Device Management solution such as Microsoft Intune. This lets you enforce security policies, remotely wipe data if a device is lost, and keep company data separate from personal use.

8. Backups Are Not Tested

A backup you've never restored from isn't a backup — it's a comfort blanket. We regularly find businesses whose backups have been silently failing for months, often only discovered when they're needed most.

What to do: Follow the 3-2-1 rule: three copies of data, on two different media, with one offsite. Then test your restoration process quarterly. Don't forget that Microsoft 365 data — email, SharePoint, Teams — also needs to be backed up independently.

9. There Is No Monitoring for Suspicious Activity

The average time to detect a data breach in the UK is over 200 days. That's nearly seven months in which an attacker may have access to your systems, data, and communications.

What to do: Use Microsoft Defender or a managed security service to provide continuous monitoring for suspicious activity. Early detection is the difference between a contained incident and a serious breach.

10. You've Never Had an Independent Security Review

It's difficult to spot your own blind spots. An external review brings objectivity — and often surfaces issues that internal teams have either missed or normalised over time.

What to do: Schedule an independent security review. At MJM Technology, we offer a free IT security assessment for small and medium-sized businesses across the UK.


If two or three of the above ring true for your business, it's worth acting sooner rather than later. Security issues rarely resolve themselves — but they're almost always cheaper to address before an incident than after one.

Get in touch to arrange your free security assessment, with no obligation and no sales pitch — just a straight conversation about where you stand and what, if anything, needs to change.
