
The 5 Most Common IT Security Holes in Small Businesses

We've audited the IT setups of several dozen small businesses over the past two years. The same five problems show up in roughly 9 out of 10 of them, regardless of industry, size, or technical sophistication.

The good news: none of them require enterprise tooling to fix. They require an afternoon and the willingness to follow through.

Hole #1: The "everyone is admin" Wi-Fi

The single most common finding: a flat office Wi-Fi where guests, IoT devices (security cameras, printers, smart TVs), employee laptops, and the file server all sit on the same network. If anyone's phone is compromised, the whole office is compromised.

The fix: Three separate networks on the same router (any decent business router supports this: Ubiquiti, MikroTik, even Netgear ProSAFE):

Cost to implement: usually $0 in hardware (your existing router can probably do it), 2 hours of work.

Hole #2: Shared logins for shared accounts

"What's the password for the company Instagram?" The answer is written on a sticky note in the kitchen. Or worse, in a shared Excel file called Passwords.xlsx.

This becomes a real problem the day someone leaves on bad terms. They still know every password.

The fix: A password manager with team sharing, such as 1Password Business, Bitwarden Teams, or Dashlane Business. Plans start at around $4 per user per month. Set it up once, force everyone to use it, and rotate any password that was ever in the spreadsheet.

Bonus rule: any account that's "shared" should also have 2FA enabled, with codes the team manager controls. The day someone leaves, you change one password and revoke their app access. Done.

Hole #3: No real backups (or untested ones)

Here's the question we ask every new client: "If your main server failed right now, how long until you'd be back to normal?"

The answers we get:

The fix: Follow the 3-2-1 rule:

Then (and this is the part everyone skips) test the restore once a quarter. A backup you've never restored from is not a backup; it's a hope.

Hole #4: The unpatched router from 2019

Your business-grade router from a few years ago probably hasn't received a firmware update in 18 months. The CVE database has a few hundred entries against most consumer/SMB router models. Some of them allow remote takeover.

The same goes for NAS units, security camera DVRs, printers exposed to the internet, and any "smart" device on your network.

The fix:

  1. List every device that has an IP address in your office
  2. For each, check the manufacturer's site for the latest firmware version
  3. Update them, or replace anything no longer supported
  4. Disable remote management on anything that doesn't need it

This typically takes a Saturday morning the first time, then 30 minutes a quarter going forward.

Hole #5: Phishing-vulnerable email setup

The single most common breach vector for SMBs is still the same as it was 10 years ago: someone gets a convincing email asking them to wire money or hand over a password, and they do.

The fix is layered, but each layer takes less than an hour:

  1. Set up SPF, DKIM, and DMARC on your email domain. This stops attackers from spoofing your own domain.
  2. Enable mandatory 2FA on every email account. No exceptions, including the owner.
  3. Set a "wire transfer rule": any wire request received by email must be confirmed by a phone call to a known number. Train your team. Practice it.
  4. Disable auto-forwarding on inboxes (a common attacker trick after they get in).
  5. Use a spam filter beyond the default: Microsoft Defender for Office 365 or Google Workspace's advanced settings catch a lot more.

"In every breach we've helped a client recover from, the attack started with a phishing email and a password without 2FA. Both are free to fix."
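Step 1 above is only done once the published records are actually strict. The following script is an added example (not from this post or the author's practice) that flags the weak settings we most often find in SPF and DMARC records; the records it checks are constructed samples, and in practice you would paste in the TXT records fetched for your domain and for `_dmarc.<your domain>`.

```python
"""Added example (not from the post): flag weak settings in SPF and DMARC TXT records.
The inputs are constructed samples; in practice fetch the TXT records for your domain
and for _dmarc.<domain> (e.g. `dig TXT _dmarc.example.com`) and pass them in."""
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query

def _name(term: str) -> str:
    """'~include:_spf.example.net' -> 'include'; 'ip4:203.0.113.0/24' -> 'ip4'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]

def audit_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means no weakness was found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    findings = []
    all_terms = [t for t in terms[1:] if _name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result instead of a fail")
    elif all_terms[-1][0] not in "-~":  # '+all', '?all' or bare 'all' lets any host send as you
        findings.append(f"'{all_terms[-1]}' lets any host send as your domain; end with -all")
    lookups = sum(1 for t in terms[1:] if _name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:  # RFC 7208 limit; receivers return permerror above it
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10")
    return findings

def audit_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means no weakness was found."""
    tags = {k.strip().lower(): v.strip() for k, v in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: must start with v=DMARC1"]
    findings = []
    if "p" not in tags:
        findings.append("missing p= tag: receivers treat the record as invalid")
    elif tags["p"] == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered (move to quarantine, then reject)")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see the aggregate reports that reveal spoofing")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of the mail; set pct=100 once stable")
    return findings

if __name__ == "__main__":  # weak record beside its hardened form, for the same constructed domain
    for rec in ["v=spf1 include:_spf.example-mail.net ?all", "v=spf1 include:_spf.example-mail.net -all",
                "v=DMARC1; p=none", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]:
        print(rec, "->", (audit_dmarc if rec.startswith("v=DMARC1") else audit_spf)(rec) or ["OK"])
```

Remember that an SPF record ending in `-all` is only as strict as the `include:` hosts it lists, and a DMARC policy only bites once DKIM signing (step 1's third piece) is also in place for every service that sends as your domain.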

Bottom line

You don't need a six-figure security budget. You need an afternoon, a checklist, and the discipline to actually do it. The vast majority of small business breaches we see could have been prevented by these five fixes.

If you'd like a free walk-through of these five items applied to your specific setup, we offer a 60-minute IT security audit at no cost. We'll come back with a written punch list: what to fix, in what order, and roughly what it'll cost.

Tsari Sila
Director of Operations, Joel Computech Solutions