10 IT Security Lapses and What You Can Do to Prevent Them
Most security breaches don't begin with a genius hacker in a dark room. They begin with something mundane: a password reused across five services, a server patch postponed "until next sprint," an employee installing an unapproved file-sharing app to get work done faster.
That's actually encouraging news for small and mid-sized businesses. You can't outspend a nation-state attacker, but you absolutely can close the ordinary gaps that cause the overwhelming majority of real-world incidents — and most of the fixes cost more discipline than money.
Below are the ten security lapses we see most often, why each one happens in otherwise sensible organizations, and specifically what to do about it. We've ordered them roughly by how frequently they show up in the small-business horror stories readers share with us.
1. Unpatched Software and Servers
The lapse: Operating systems, CMS platforms, plugins, and server software running months or years behind on security updates. Many of the most damaging breaches in recent memory — including several that made international news — exploited vulnerabilities for which patches had been available for weeks or months before the attack.
Why it happens: Patching is nobody's explicit job. It carries a small risk of breaking something, delivers no visible reward when it works, and is easy to defer indefinitely. In small businesses, the server was often set up once by a contractor and never touched again.
How to prevent it:
- Enable automatic security updates wherever the platform supports them safely (most Linux distributions, WordPress minor releases, and browsers do).
- Maintain a simple patch calendar — a recurring monthly task with a named owner — for anything that can't auto-update.
- Use a staging environment to test major updates before production. If that sounds like overhead you can't staff, this is one of the strongest arguments for managed hosting: reputable managed hosts patch the OS and often the application layer for you as part of the service, which removes the single most commonly exploited gap on this list.
2. Weak, Reused, and Shared Passwords
The lapse: The same password on the company email, the hosting control panel, and a long-forgotten forum that got breached in 2019. Credential-stuffing attacks — where attackers replay username/password pairs leaked from one site against hundreds of others — succeed precisely because reuse is so common.
Why it happens: Humans can't memorize dozens of strong unique passwords, so without tooling, they don't.
How to prevent it:
- Deploy a password manager company-wide (Bitwarden, 1Password, and similar tools have inexpensive business tiers) and make it the default workflow, not an option.
- Require unique, generated passwords for anything business-critical: email, hosting, domain registrar, payment processors, admin panels.
- Check exposure: services like Have I Been Pwned let you monitor whether company email addresses appear in known breach dumps.
- Kill shared logins. Every person gets their own account — this matters enormously for lapse #8 below.
3. No Multi-Factor Authentication on Critical Accounts
The lapse: A single password standing between an attacker and your email, your domain registrar, or your hosting account. If any one of those falls, the attacker can typically reset every other password you own.
Why it happens: MFA feels like friction, and it's often left "for later" on accounts set up years ago.
How to prevent it:
- Turn on MFA today for the crown jewels, in this order: primary email, domain registrar, hosting/server access, financial accounts, cloud admin consoles.
- Prefer app-based authenticators or hardware keys (FIDO2/passkeys) over SMS codes — SMS is vulnerable to SIM-swapping, where an attacker takes over your phone number itself.
- Store backup/recovery codes in your password manager, not in a drawer.
The domain registrar deserves special emphasis for anyone running a website business: an attacker who controls your domain controls your email, your site, and your identity. Registrar MFA plus registrar lock is fifteen minutes of work with outsized protection.
Innovative IT The Skills Gap Unrealistic Expectations and a Flexible Solution
4. Phishing and Social Engineering Blind Spots
The lapse: An employee receives a convincing email — a fake invoice, a spoofed message "from the CEO" requesting an urgent wire transfer or a gift-card purchase, a fake Microsoft login page — and acts on it. Phishing remains the most common initial entry point in reported breaches, and modern AI tooling has made the fakes fluent and personalized.
Why it happens: Phishing exploits helpfulness, urgency, and hierarchy — traits you want in employees. Nobody is immune, including IT staff.
How to prevent it:
- Establish out-of-band verification as policy: any request involving money, credentials, or sensitive data gets confirmed through a second channel (a phone call to a known number, not a reply to the email).
- Run short, blame-free phishing awareness refreshers a couple of times a year. Punitive "gotcha" simulations backfire; people hide mistakes instead of reporting them.
- Configure SPF, DKIM, and DMARC on your own domain — this makes it harder for attackers to spoof email as you, protecting both your staff and your customers.
- Make reporting easy and celebrated. The employee who reports a suspicious email in two minutes is your best detection system.
5. Shadow IT: Unauthorized Apps and Services
The lapse: Employees adopting unapproved tools — personal Dropbox accounts for client files, free browser extensions, unvetted AI tools pasted full of company data — because the official tooling is slow or missing. Cisco's research on this problem was cited widely for a reason: analyses of corporate data-loss incidents consistently find a substantial share traces back to software and services IT never knew existed.
Why it happens: Almost never malice. Shadow IT is employees routing around friction to do their jobs. Every unauthorized app is a signal about an unmet need.
How to prevent it:
- Provide sanctioned, genuinely usable alternatives for the big categories: file sharing, messaging, note-taking, and AI assistance. If the approved tool is worse than the free consumer one, you'll lose.
- Publish a lightweight approval path — "ask, and we'll answer within two days" — instead of a blanket ban nobody follows.
- Periodically review OAuth grants and connected apps on your Google Workspace or Microsoft 365 tenant; that's where shadow IT is most visible.
- Set a clear, specific policy on pasting company or customer data into external AI tools, and offer an approved option so the policy is followable.
6. Backups That Don't Exist — or Have Never Been Restored
The lapse: Either no backups at all, backups stored on the same server they're protecting, or backups that have existed for years without anyone ever attempting a restore. Ransomware turned this from an availability problem into an existential one: organizations with clean, offline backups can refuse to pay; organizations without them face a brutal choice.
Why it happens: Backups are invisible until the day they're everything. "The host handles it" is often assumed rather than verified.
How to prevent it:
- Follow the 3-2-1 rule: three copies of your data, on two different types of storage, with one copy off-site (and ideally offline or immutable, so ransomware can't encrypt it too).
- Test restores quarterly. Pick a file, a database, or a full site, and actually restore it to a staging location. A backup that has never been restored is a hope, not a backup — this is the single most common gap we find.
- If you rely on your hosting provider's backups, read the actual policy: frequency, retention window, whether restores are self-service or ticket-based, and whether they cost extra. These details vary dramatically between hosts, and it's one of the criteria we weight heavily in our hosting reviews for exactly this reason.
7. Expired SSL Certificates and Unencrypted Traffic
The lapse: An SSL/TLS certificate silently expires, browsers start showing "Your connection is not private" warnings, and customers flee — or worse, parts of the site (a legacy subdomain, an internal tool) never had HTTPS at all, exposing logins and data in transit.
Why it happens: Certificates historically required manual renewal on a schedule nobody remembered. Public certificate lifetimes have also been getting progressively shorter industry-wide, which makes manual renewal even less viable than it used to be.
How to prevent it:
- Automate issuance and renewal. Let's Encrypt with an ACME client (or a host that manages certificates for you) removes the human from the loop entirely — this is now standard on most quality hosting plans.
- Enforce HTTPS everywhere with redirects and HSTS, covering every subdomain.
- Set an external monitor (many uptime-monitoring tools do this free) to alert you two weeks before any certificate expires, as a belt-and-braces check on the automation.
8. Orphaned Accounts and Excessive Access
The lapse: A contractor's admin login still active a year after the project ended; a former employee whose email, VPN, and hosting access were never revoked; and, more subtly, everyone having admin rights to everything because narrowing permissions was never a priority.
Why it happens: Onboarding has a checklist because a new hire complains when access is missing. Offboarding has no such feedback loop — nothing visibly breaks when an old account lingers.
How to prevent it:
- Write an offboarding checklist that mirrors onboarding: every system granted gets a revocation line item, executed the day a person leaves.
- Apply least privilege: people get the minimum access their role requires. Editors don't need server SSH; marketers don't need billing.
- Run a quarterly access review — thirty minutes listing who has access to the domain registrar, hosting panel, admin dashboards, and financial tools, and removing anyone who shouldn't.
- Prefer individual accounts with role-based permissions over shared credentials, so revoking one person never means resetting everyone.
9. Unsecured Devices and Networks
The lapse: Company data on personal laptops without disk encryption, phones without screen locks, work done over coffee-shop Wi-Fi, and — increasingly relevant since remote work became normal — home routers with default admin passwords and IoT gadgets sharing the same network as the work laptop. The IoT dimension deserves emphasis: cheap connected devices frequently ship with default credentials and never receive security updates, making them the softest entry point on many networks.
Why it happens: Small businesses rarely have device management, and the office perimeter dissolved without security practices following it home.
How to prevent it:
- Require full-disk encryption (BitLocker on Windows, FileVault on macOS — both free and built-in), automatic screen locks, and OS auto-updates on any device touching company data.
- Use a reputable VPN or, better, services fronted by zero-trust access controls for anything sensitive accessed remotely.
- For remote workers: change router default passwords, keep firmware updated, and where possible put IoT devices on a separate guest network from work machines.
- For company-owned fleets, even lightweight MDM (mobile device management) tooling lets you enforce these rules and remotely wipe a lost laptop.
10. No Incident Response Plan — or Logs to Investigate With
The lapse: The breach happens (statistically, eventually, one will) and the organization improvises: nobody knows who decides to take systems offline, who calls the lawyer or insurer, what to tell customers, or even what happened — because logging was never enabled.
Why it happens: Planning for failure feels pessimistic, and unlike the other items on this list, an incident response plan delivers zero value right up until the moment it's the most valuable document you own.
How to prevent it:
- Write a one-page plan: who leads, who communicates, first technical steps (isolate, preserve evidence, change credentials), key contacts (host, insurer, legal counsel, and any regulator your industry answers to), and where offline copies of this plan live.
- Enable and retain logs — server access logs, admin-panel audit logs, authentication logs — for at least 90 days. You cannot investigate what you didn't record.
- Run a tabletop exercise once a year: gather the relevant people for an hour and walk through a scenario ("our site is serving ransomware to visitors — go"). The gaps you find in the exercise are gaps you won't have in the real event.
- Check whether cyber insurance makes sense for your exposure; insurers increasingly require several items on this list anyway, which usefully forces the discipline.
The Pattern Behind All Ten
Read back through the list and a theme emerges: none of these lapses require advanced technology to fix. They require ownership — a named person, a recurring calendar entry, a written checklist. Security fails in small businesses not because the defenses are unaffordable but because the maintenance is unowned.
That's also why infrastructure choices matter more than they first appear. Several of the most dangerous lapses on this list — unpatched servers, missing backups, expired certificates — are precisely the responsibilities a quality managed hosting provider absorbs by default. Outsourcing doesn't eliminate your security obligations, but it converts three of the ten most common failure modes from "tasks someone must remember" into "services someone is contractually paid to perform." For a business without dedicated IT staff, that's not a convenience; it's a meaningful reduction in attack surface. Just verify the scope in writing — as we noted in our piece on the IT skills gap, "managed" is a marketing term with wildly inconsistent definitions.
Start with the fixes that take under an hour: MFA on email, registrar, and hosting; a password manager trial; a certificate-expiry monitor; one test restore. You'll have closed more real-world risk this afternoon than most breach victims had closed the day before their incident.
About this article: Ardent Support independently reviews web hosting providers, including their security practices — patching policy, backup scope and restore process, SSL automation, and support response to security incidents. We update our guidance when the threat landscape or providers' practices materially change.
Sachin Jangid
Staff Writer
Discussion