ArdentSupport
ReviewsBlogNewsCompareBest Picks
ArdentSupport

Independent reviews and guides for web hosting, written by engineers who actually use the products.

Reviews

  • WordPress Hosting
  • VPS Hosting
  • Managed Hosting
  • Dedicated Servers
  • Cloud Hosting

Guides

  • Getting Started
  • Migration Guides
  • Speed & Performance
  • Security

Company

  • About Us
  • Editorial Policy
  • Affiliate Disclosure
  • Contact
  • Privacy Policy

© 2026 ArdentSupport. All rights reserved.

ArdentSupport earns commissions from some links on this site. Our editorial opinions are independent and never influenced by advertisers. Learn more.

Home/Blog/10 IT Security Lapses and What You Can Do to Prevent Them
Article11 min read

10 IT Security Lapses and What You Can Do to Prevent Them

Most security breaches don't begin with a genius hacker in a dark room. They begin with something mundane: a password reused across five services, a server patch postponed "until next sprint," an employee installing an unapproved file-sharing app to get work done faster.

by Sachin Jangid• July 17, 2026
10 IT Security Lapses and What You Can Do to Prevent Them

That's actually encouraging news for small and mid-sized businesses. You can't outspend a nation-state attacker, but you absolutely can close the ordinary gaps that cause the overwhelming majority of real-world incidents — and most of the fixes cost more discipline than money.

Below are the ten security lapses we see most often, why each one happens in otherwise sensible organizations, and specifically what to do about it. We've ordered them roughly by how frequently they show up in the small-business horror stories readers share with us.

1. Unpatched Software and Servers

The lapse: Operating systems, CMS platforms, plugins, and server software running months or years behind on security updates. Many of the most damaging breaches in recent memory — including several that made international news — exploited vulnerabilities for which patches had been available for weeks or months before the attack.

Why it happens: Patching is nobody's explicit job. It carries a small risk of breaking something, delivers no visible reward when it works, and is easy to defer indefinitely. In small businesses, the server was often set up once by a contractor and never touched again.

How to prevent it:

  • Enable automatic security updates wherever the platform supports them safely (most Linux distributions, WordPress minor releases, and browsers do).
  • Maintain a simple patch calendar — a recurring monthly task with a named owner — for anything that can't auto-update.
  • Use a staging environment to test major updates before production. If that sounds like overhead you can't staff, this is one of the strongest arguments for managed hosting: reputable managed hosts patch the OS and often the application layer for you as part of the service, which removes the single most commonly exploited gap on this list.

2. Weak, Reused, and Shared Passwords

The lapse: The same password on the company email, the hosting control panel, and a long-forgotten forum that got breached in 2019. Credential-stuffing attacks — where attackers replay username/password pairs leaked from one site against hundreds of others — succeed precisely because reuse is so common.

Why it happens: Humans can't memorize dozens of strong unique passwords, so without tooling, they don't.

How to prevent it:

  • Deploy a password manager company-wide (Bitwarden, 1Password, and similar tools have inexpensive business tiers) and make it the default workflow, not an option.
  • Require unique, generated passwords for anything business-critical: email, hosting, domain registrar, payment processors, admin panels.
  • Check exposure: services like Have I Been Pwned let you monitor whether company email addresses appear in known breach dumps.
  • Kill shared logins. Every person gets their own account — this matters enormously for lapse #8 below.

3. No Multi-Factor Authentication on Critical Accounts

The lapse: A single password standing between an attacker and your email, your domain registrar, or your hosting account. If any one of those falls, the attacker can typically reset every other password you own.

Why it happens: MFA feels like friction, and it's often left "for later" on accounts set up years ago.

How to prevent it:

  • Turn on MFA today for the crown jewels, in this order: primary email, domain registrar, hosting/server access, financial accounts, cloud admin consoles.
  • Prefer app-based authenticators or hardware keys (FIDO2/passkeys) over SMS codes — SMS is vulnerable to SIM-swapping, where an attacker takes over your phone number itself.
  • Store backup/recovery codes in your password manager, not in a drawer.

The domain registrar deserves special emphasis for anyone running a website business: an attacker who controls your domain controls your email, your site, and your identity. Registrar MFA plus registrar lock is fifteen minutes of work with outsized protection.

Innovative IT The Skills Gap Unrealistic Expectations and a Flexible Solution

4. Phishing and Social Engineering Blind Spots

The lapse: An employee receives a convincing email — a fake invoice, a spoofed message "from the CEO" requesting an urgent wire transfer or a gift-card purchase, a fake Microsoft login page — and acts on it. Phishing remains the most common initial entry point in reported breaches, and modern AI tooling has made the fakes fluent and personalized.

Why it happens: Phishing exploits helpfulness, urgency, and hierarchy — traits you want in employees. Nobody is immune, including IT staff.

How to prevent it:

  • Establish out-of-band verification as policy: any request involving money, credentials, or sensitive data gets confirmed through a second channel (a phone call to a known number, not a reply to the email).
  • Run short, blame-free phishing awareness refreshers a couple of times a year. Punitive "gotcha" simulations backfire; people hide mistakes instead of reporting them.
  • Configure SPF, DKIM, and DMARC on your own domain — this makes it harder for attackers to spoof email as you, protecting both your staff and your customers.
  • Make reporting easy and celebrated. The employee who reports a suspicious email in two minutes is your best detection system.

5. Shadow IT: Unauthorized Apps and Services

The lapse: Employees adopting unapproved tools — personal Dropbox accounts for client files, free browser extensions, unvetted AI tools pasted full of company data — because the official tooling is slow or missing. Cisco's research on this problem was cited widely for a reason: analyses of corporate data-loss incidents consistently find a substantial share traces back to software and services IT never knew existed.

Why it happens: Almost never malice. Shadow IT is employees routing around friction to do their jobs. Every unauthorized app is a signal about an unmet need.

How to prevent it:

  • Provide sanctioned, genuinely usable alternatives for the big categories: file sharing, messaging, note-taking, and AI assistance. If the approved tool is worse than the free consumer one, you'll lose.
  • Publish a lightweight approval path — "ask, and we'll answer within two days" — instead of a blanket ban nobody follows.
  • Periodically review OAuth grants and connected apps on your Google Workspace or Microsoft 365 tenant; that's where shadow IT is most visible.
  • Set a clear, specific policy on pasting company or customer data into external AI tools, and offer an approved option so the policy is followable.

6. Backups That Don't Exist — or Have Never Been Restored

The lapse: Either no backups at all, backups stored on the same server they're protecting, or backups that have existed for years without anyone ever attempting a restore. Ransomware turned this from an availability problem into an existential one: organizations with clean, offline backups can refuse to pay; organizations without them face a brutal choice.

Why it happens: Backups are invisible until the day they're everything. "The host handles it" is often assumed rather than verified.

How to prevent it:

  • Follow the 3-2-1 rule: three copies of your data, on two different types of storage, with one copy off-site (and ideally offline or immutable, so ransomware can't encrypt it too).
  • Test restores quarterly. Pick a file, a database, or a full site, and actually restore it to a staging location. A backup that has never been restored is a hope, not a backup — this is the single most common gap we find.
  • If you rely on your hosting provider's backups, read the actual policy: frequency, retention window, whether restores are self-service or ticket-based, and whether they cost extra. These details vary dramatically between hosts, and it's one of the criteria we weight heavily in our hosting reviews for exactly this reason.

7. Expired SSL Certificates and Unencrypted Traffic

The lapse: An SSL/TLS certificate silently expires, browsers start showing "Your connection is not private" warnings, and customers flee — or worse, parts of the site (a legacy subdomain, an internal tool) never had HTTPS at all, exposing logins and data in transit.

Why it happens: Certificates historically required manual renewal on a schedule nobody remembered. Public certificate lifetimes have also been getting progressively shorter industry-wide, which makes manual renewal even less viable than it used to be.

How to prevent it:

  • Automate issuance and renewal. Let's Encrypt with an ACME client (or a host that manages certificates for you) removes the human from the loop entirely — this is now standard on most quality hosting plans.
  • Enforce HTTPS everywhere with redirects and HSTS, covering every subdomain.
  • Set an external monitor (many uptime-monitoring tools do this free) to alert you two weeks before any certificate expires, as a belt-and-braces check on the automation.

8. Orphaned Accounts and Excessive Access

The lapse: A contractor's admin login still active a year after the project ended; a former employee whose email, VPN, and hosting access were never revoked; and, more subtly, everyone having admin rights to everything because narrowing permissions was never a priority.

Why it happens: Onboarding has a checklist because a new hire complains when access is missing. Offboarding has no such feedback loop — nothing visibly breaks when an old account lingers.

How to prevent it:

  • Write an offboarding checklist that mirrors onboarding: every system granted gets a revocation line item, executed the day a person leaves.
  • Apply least privilege: people get the minimum access their role requires. Editors don't need server SSH; marketers don't need billing.
  • Run a quarterly access review — thirty minutes listing who has access to the domain registrar, hosting panel, admin dashboards, and financial tools, and removing anyone who shouldn't.
  • Prefer individual accounts with role-based permissions over shared credentials, so revoking one person never means resetting everyone.

9. Unsecured Devices and Networks

The lapse: Company data on personal laptops without disk encryption, phones without screen locks, work done over coffee-shop Wi-Fi, and — increasingly relevant since remote work became normal — home routers with default admin passwords and IoT gadgets sharing the same network as the work laptop. The IoT dimension deserves emphasis: cheap connected devices frequently ship with default credentials and never receive security updates, making them the softest entry point on many networks.

Why it happens: Small businesses rarely have device management, and the office perimeter dissolved without security practices following it home.

How to prevent it:

  • Require full-disk encryption (BitLocker on Windows, FileVault on macOS — both free and built-in), automatic screen locks, and OS auto-updates on any device touching company data.
  • Use a reputable VPN or, better, services fronted by zero-trust access controls for anything sensitive accessed remotely.
  • For remote workers: change router default passwords, keep firmware updated, and where possible put IoT devices on a separate guest network from work machines.
  • For company-owned fleets, even lightweight MDM (mobile device management) tooling lets you enforce these rules and remotely wipe a lost laptop.

10. No Incident Response Plan — or Logs to Investigate With

The lapse: The breach happens (statistically, eventually, one will) and the organization improvises: nobody knows who decides to take systems offline, who calls the lawyer or insurer, what to tell customers, or even what happened — because logging was never enabled.

Why it happens: Planning for failure feels pessimistic, and unlike the other items on this list, an incident response plan delivers zero value right up until the moment it's the most valuable document you own.

How to prevent it:

  • Write a one-page plan: who leads, who communicates, first technical steps (isolate, preserve evidence, change credentials), key contacts (host, insurer, legal counsel, and any regulator your industry answers to), and where offline copies of this plan live.
  • Enable and retain logs — server access logs, admin-panel audit logs, authentication logs — for at least 90 days. You cannot investigate what you didn't record.
  • Run a tabletop exercise once a year: gather the relevant people for an hour and walk through a scenario ("our site is serving ransomware to visitors — go"). The gaps you find in the exercise are gaps you won't have in the real event.
  • Check whether cyber insurance makes sense for your exposure; insurers increasingly require several items on this list anyway, which usefully forces the discipline.

The Pattern Behind All Ten

Read back through the list and a theme emerges: none of these lapses require advanced technology to fix. They require ownership — a named person, a recurring calendar entry, a written checklist. Security fails in small businesses not because the defenses are unaffordable but because the maintenance is unowned.

That's also why infrastructure choices matter more than they first appear. Several of the most dangerous lapses on this list — unpatched servers, missing backups, expired certificates — are precisely the responsibilities a quality managed hosting provider absorbs by default. Outsourcing doesn't eliminate your security obligations, but it converts three of the ten most common failure modes from "tasks someone must remember" into "services someone is contractually paid to perform." For a business without dedicated IT staff, that's not a convenience; it's a meaningful reduction in attack surface. Just verify the scope in writing — as we noted in our piece on the IT skills gap, "managed" is a marketing term with wildly inconsistent definitions.

Start with the fixes that take under an hour: MFA on email, registrar, and hosting; a password manager trial; a certificate-expiry monitor; one test restore. You'll have closed more real-world risk this afternoon than most breach victims had closed the day before their incident.


About this article: Ardent Support independently reviews web hosting providers, including their security practices — patching policy, backup scope and restore process, SSL automation, and support response to security incidents. We update our guidance when the threat landscape or providers' practices materially change.

S

Sachin Jangid

Staff Writer

Discussion

Leave a comment

Comments are moderated before publishing.

Related articles

Innovative IT The Skills Gap Unrealistic Expectations and a Flexible Solution
Article8 min read

Innovative IT The Skills Gap Unrealistic Expectations and a Flexible Solution

The IT skills gap has been debated for over a decade, and the conversation hasn't changed much: companies say they can't find qualified technical talent, while analysts point out that many of those same companies are searching for candidates who simply don't exist.

by Sachin JangidJul 17, 2026
How to Build a Self Drive Car Rental Website in India (Free & Paid Methods, AI Tools, Templates + Ranking Tips)
Article8 min read

How to Build a Self Drive Car Rental Website in India (Free & Paid Methods, AI Tools, Templates + Ranking Tips)

Learn how to build a self drive car rental website in India using free templates, paid platforms, and AI tools. Complete guide with requirements, license info, costs, pros & cons.

by Sachin JangidJul 15, 2026
How to Modify/Adjust User Roles and Permissions in WordPress
Article9 min read

How to Modify/Adjust User Roles and Permissions in WordPress

If you've ever handed someone access to your WordPress site and then quietly panicked about what they could break, this one's for you. Roles and permissions are one of those things nobody thinks about until they have to. You start a site solo, everything's fine, and then one day you bring on a writer. Or a client. Or a developer who needs to poke around the backend. Suddenly the question isn't how do I add them — it's how much do I let them touch?

by Sachin JangidJul 6, 2026