We do a lot of IT assessments. First assessments for new clients, assessments when businesses are acquiring other businesses, assessments when something went wrong and someone wants to understand why. After enough of them, patterns emerge — not in the interesting "sophisticated nation-state attack" sense, but in the very ordinary "we've seen this exact thing fifteen times" sense.
These are the five mistakes that show up most consistently. None of them require a security specialist to understand. All of them have practical fixes. Most of them are being made by businesses that would be mortified to know it.
Mistake 1: Assuming Cloud = Backed Up
This might be the most widespread misconception in small business IT right now. The logic goes: our data is in Microsoft 365 / Google Workspace / Dropbox / Salesforce, therefore it's in the cloud, therefore it's safe.
Cloud storage is not cloud backup. Microsoft, Google, and most SaaS providers guarantee the availability of their infrastructure — meaning the service will be up and accessible. They do not guarantee the safety of your data within it. If an employee deletes a shared drive, if ransomware encrypts your OneDrive, if a malicious OAuth app wipes your calendar — that data may be gone.
Microsoft's own documentation recommends backing up your Microsoft 365 data. They say this clearly. Most businesses haven't read it.
The fix is a dedicated SaaS backup product — we use Datto SaaS Protection — that creates independent copies of your Microsoft 365 or Google Workspace data multiple times per day, with granular restore capability. It's not expensive relative to what it protects.
Mistake 2: Everyone Has Admin Rights
This one is almost universal in businesses that haven't had managed IT. Admin rights get handed out liberally because it's easier than dealing with permission requests. The new person can't install something — just give them admin. The owner's laptop needs to run software — just make it admin. Nobody ever takes admin away because that creates complaints.
The problem: when a user with admin rights clicks a bad link, the malware that runs does so with admin privileges. It can install itself persistently. It can disable security tools. It can spread laterally. The attack surface of a compromised admin account is the entire machine — and potentially the entire network.
Least privilege is the principle that users should have the minimum access needed to do their job. Most employees don't need admin rights to do their jobs. The ones who do can have them provisioned on request with proper approval — which is what just-in-time privilege management tools like AutoElevate provide.
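One way to find out how far the "everyone has admin" problem has spread is to audit the local Administrators group on each machine and compare it against a short approved list. The PowerShell below is an added example, not code from the original post or from any product it mentions; it assumes PowerShell remoting (WinRM) is enabled and that the caller has rights on each machine, and the computer names and approved list are constructed placeholders.

```powershell
# Added example (not from the original post): audit local Administrators
# membership across a list of Windows machines and flag members that are
# not on an approved list. Assumes WinRM remoting and rights on each host.

$Computers = @('WS-FRONTDESK', 'WS-ACCOUNTING', 'SRV-FILES01')   # constructed names
$Approved  = @('Administrator', 'Domain Admins', 'MSP-Support')  # constructed list

$Findings = foreach ($Computer in $Computers) {
    try {
        $Members = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
    }
    catch {
        Write-Warning "Could not query ${Computer}: $($_.Exception.Message)"
        continue
    }

    foreach ($Member in $Members) {
        # Names come back as DOMAIN\account or COMPUTER\account; compare on the
        # part after the backslash so local and domain principals are handled alike.
        $ShortName = ($Member.Name -split '\\')[-1]
        [pscustomobject]@{
            Computer = $Computer
            Member   = $Member.Name
            Type     = $Member.ObjectClass      # User or Group
            Source   = $Member.PrincipalSource  # Local, ActiveDirectory, AzureAD
            Approved = ($Approved -contains $ShortName)
        }
    }
}

# Anything not on the approved list is a candidate for removal after review.
$Findings | Where-Object { -not $_.Approved } |
    Sort-Object Computer, Member |
    Format-Table -AutoSize

# Keep the full result so the next run can be diffed against it.
$Findings | Export-Csv -Path ".\LocalAdmins-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
```

Run it from a management workstation on a schedule and diff the CSV between runs: a new, unapproved entry is exactly the "just give them admin" shortcut this section describes, caught before it becomes permanent. Group members are listed as well as users, so a domain group that was added to local Administrators on one machine shows up rather than hiding behind its membership.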
Mistake 3: Outdated Hardware Running Critical Systems
The server in the closet that's been running for eight years. The workstations that are on Windows 10 with no upgrade plan. The network switch from 2014 that gets hot sometimes.
Old hardware fails. It fails at the worst possible times, usually when you can't afford downtime. Older operating systems stop receiving security patches — Windows 10 support ends October 2025, at which point every new vulnerability discovered will remain unpatched forever on any machine still running it.
Hardware lifecycle planning is part of managed IT that often gets ignored when IT is being handled reactively. When you're in break/fix mode, you replace things when they break. The problem with that approach is that emergency hardware replacements cost significantly more than planned ones — and the downtime while you wait for new hardware to arrive and get configured costs more still.
A proper IT inventory with replacement schedules — knowing what hardware you have and how old it is, what's coming up for replacement, and budgeting accordingly — prevents this. It's not glamorous. It prevents a lot of terrible weeks.
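The inventory described above can be started with a single remote query. The PowerShell below is an added example, not code from the original post; it assumes WinRM remoting and rights on each machine, uses the BIOS release date as a rough proxy for hardware age when purchase dates are not recorded, and treats the five-year hardware lifespan and the computer names as constructed assumptions. The Windows 10 end-of-support date used is Microsoft's published date.

```powershell
# Added example (not from the original post): pull a basic hardware/OS
# inventory from a list of Windows machines and flag what needs a plan.
# Assumes WinRM remoting and rights on each host.

$Computers         = @('WS-FRONTDESK', 'WS-ACCOUNTING', 'SRV-FILES01')  # constructed names
$HardwareLifeYears = 5                                                   # assumption
$Win10EndOfSupport = Get-Date '2025-10-14'                               # Microsoft's published date

$Inventory = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    $OS   = Get-CimInstance Win32_OperatingSystem
    $CS   = Get-CimInstance Win32_ComputerSystem
    $BIOS = Get-CimInstance Win32_BIOS
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Manufacturer = $CS.Manufacturer
        Model        = $CS.Model
        Serial       = $BIOS.SerialNumber
        BiosDate     = $BIOS.ReleaseDate   # proxy for hardware age when purchase date is unknown
        OSName       = $OS.Caption
        OSBuild      = $OS.BuildNumber
        OSInstalled  = $OS.InstallDate
    }
}

$Report = foreach ($Item in $Inventory) {
    $ReplaceBy = if ($Item.BiosDate) { $Item.BiosDate.AddYears($HardwareLifeYears) } else { $null }
    $Flags = @()
    if ($Item.OSName -like '*Windows 10*') {
        $Flags += "OS: unsupported after $($Win10EndOfSupport.ToString('yyyy-MM-dd'))"
    }
    if ($ReplaceBy -and $ReplaceBy -lt (Get-Date).AddMonths(12)) {
        $Flags += 'Hardware: replace within 12 months'
    }
    [pscustomobject]@{
        Computer     = $Item.Computer
        Manufacturer = $Item.Manufacturer
        Model        = $Item.Model
        Serial       = $Item.Serial
        OSName       = $Item.OSName
        OSBuild      = $Item.OSBuild
        BiosDate     = $Item.BiosDate
        ReplaceBy    = $ReplaceBy
        Flags        = ($Flags -join '; ')
    }
}

# Machines with the nearest replacement date first; anything that failed to
# answer is missing from the list and should be chased separately.
$Report | Sort-Object ReplaceBy | Format-Table Computer, Model, OSName, BiosDate, ReplaceBy, Flags -AutoSize
$Report | Export-Csv -Path ".\Inventory-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
```

The CSV is the budget input: sort by ReplaceBy and the next twelve months of hardware spend is visible, and the Flags column is the list of machines that need an upgrade decision before the end-of-support date rather than after it.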
Mistake 4: No Offboarding Process
When an employee leaves — especially one who leaves badly — how quickly do you revoke their access? Email, the CRM, the accounting software, the admin console, the shared password for the office Wi-Fi they probably know?
Most small businesses have no documented offboarding process. Access gets revoked eventually, when someone remembers, often days or weeks later. In some cases we do assessments and find active accounts belonging to people who left years ago.
This is a meaningful security risk. Disgruntled ex-employees with active email access can do a lot of damage — read communications, export customer data, send emails as the company, access client systems. The time window between departure and access revocation is the risk window.
A good offboarding checklist, triggered automatically when HR marks someone as terminated, closes this gap. So does identity management tooling that can suspend all accounts from a central console in one action.
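Both halves of this section, the one-action revocation and the hunt for accounts that should have been disabled long ago, can be scripted for on-premises Active Directory. The PowerShell below is an added example, not code from the original post or from any identity product; it assumes the RSAT ActiveDirectory module and rights to modify accounts, and the OU path, ticket number and sample user name are constructed placeholders. Cloud identities and individual SaaS applications still need their own revocation steps on the checklist.

```powershell
# Added example (not from the original post): an AD offboarding step plus a
# stale-account report. Assumes the ActiveDirectory module and change rights.

Import-Module ActiveDirectory

function Disable-DepartedUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisabledOU = 'OU=Disabled Users,DC=example,DC=local',  # constructed path
        [string] $Ticket     = 'HR-0000'                                 # constructed reference
    )

    $User = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # 1. Block sign-in immediately and invalidate whatever password the person knows.
    Disable-ADAccount -Identity $User
    $Bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
    $NewPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($Bytes) + '!') -AsPlainText -Force
    Set-ADAccountPassword -Identity $User -Reset -NewPassword $NewPassword

    # 2. Strip group memberships so the account grants nothing if it is ever re-enabled by mistake.
    foreach ($GroupDN in $User.MemberOf) {
        Remove-ADGroupMember -Identity $GroupDN -Members $User -Confirm:$false
    }

    # 3. Record why and when, then move it out of the production OU.
    Set-ADUser -Identity $User -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd') per $Ticket"
    Move-ADObject -Identity $User.DistinguishedName -TargetPath $DisabledOU
}

function Get-StaleEnabledUsers {
    param([int] $Days = 90)
    $Cutoff = (Get-Date).AddDays(-$Days)
    # LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
    # a 14-day lag, so treat it as a coarse signal rather than an exact last sign-in.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, WhenCreated, Description |
        Where-Object {
            ($_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff) -or
            (-not $_.LastLogonDate -and $_.WhenCreated -lt $Cutoff)
        } |
        Select-Object SamAccountName, Name, LastLogonDate, WhenCreated, Description |
        Sort-Object LastLogonDate
}

# Usage (constructed values):
# Disable-DepartedUser -SamAccountName 'jdoe' -Ticket 'HR-1234'
# Get-StaleEnabledUsers -Days 90 | Format-Table -AutoSize
```

Disable-DepartedUser is the "one action" the section asks for: it is what an HR termination should trigger, and it is the same three steps every time regardless of who left or how. Get-StaleEnabledUsers is the assessment view, and an enabled account that has never signed in or has not signed in for months is exactly the kind of finding that turns up years after someone left.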
Mistake 5: No Incident Response Plan
If ransomware hit your network right now, what would happen? Who gets called? In what order? Who has authority to make decisions about paying a ransom or not? Who handles communications to customers? Who contacts your cyber insurer?
If the answer is "we'd figure it out," that's the mistake. The moment of an active incident is the worst possible time to figure it out, because everyone is panicking, decisions get made under pressure that shouldn't be, and the absence of a plan means the incident takes longer to contain.
An incident response plan doesn't need to be long. It needs to be: clear about who does what, documented somewhere people can find it when they can't access their computers, tested at least once so the steps are familiar, and updated when your environment changes.
Most of the businesses we work with didn't have one before they started with us. Creating one takes a few hours. Having it takes nothing. Using it in a real incident is where it pays for itself.
The Common Thread
All five of these mistakes share the same root cause: IT managed reactively instead of proactively. Each one is easy to miss when you're focused on today's problems. Each one creates a significantly larger problem when it surfaces — and they surface unpredictably.
If you're not sure how many of these apply to your environment, an IT assessment will tell you. It takes a few hours, it's not painful, and it gives you a clear picture of what you're working with.
