Security spending keeps rising, yet most breaches still start with something mundane: a reused password, a forgotten server, an over-permissioned account. In the assessments we run for clients, the same five gaps appear over and over. None of them require a new product to fix.
1. Multi-factor authentication — everywhere, not just email
MFA on the company email is now common. MFA on the VPN, the admin panels, the cloud console and the CI/CD system is not. Attackers go where the second factor isn't. Rule of thumb: if a login can change production or read customer data, it needs MFA — no exceptions for "internal" tools.
2. Nobody owns offboarding
When a colleague or contractor leaves, who removes their access — from every system? In most companies the honest answer is "someone, usually, mostly". Keep a joiner/mover/leaver checklist and audit dormant accounts quarterly. Orphaned accounts are free real estate for attackers.
3. Backups exist, restores were never tested
A backup you've never restored is a hope, not a plan. Schedule a restore test twice a year: pick a random system, restore it to an isolated environment, measure how long it takes. The first test is always educational.
4. Secrets live in chat and code
API keys pasted into Slack, passwords in config.php, tokens in git history — every team has some. Adopt a secrets manager, rotate anything that ever touched a chat message, and add secret scanning to your CI pipeline so new leaks are caught at commit time.
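What "secret scanning at commit time" looks like in practice, as an added example that is not part of the original post: a small pattern-plus-entropy scanner run over a constructed snippet of diff content. The rule set is an assumed handful of well-known credential shapes, not an exhaustive list, and a CI job would exit non-zero whenever `scan_lines` returns anything.

```python
import math
import re
from collections import Counter

# Assumed rule set (a few well-known credential shapes), not an exhaustive list.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Catch-all for password = "..." style assignments; group 1 is the value.
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{12,})"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits/char; random 16+ char strings sit well above this

def shannon_entropy(value: str) -> float:
    # Bits of entropy per character: low for placeholders like "changeme".
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def redact(value: str) -> str:
    # Keep a short prefix so the finding is identifiable without re-leaking it.
    return value[:4] + "*" * (len(value) - 4)

def scan_lines(lines):
    # Return (line_no, rule, redacted_value) for every suspected secret.
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            # The generic rule is noisy: require high entropy so dummy values
            # and env-var references do not block every commit.
            if rule == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append((no, rule, redact(value)))
    return findings

# Constructed sample diff content, as a CI job would see it (not real credentials).
SAMPLE_LINES = [
    '$db_password = "changemechangeme";',       # placeholder, low entropy: ignored
    '$db_password = "Zq8vL2pX9kT4mN7bW1yR";',   # random-looking value: flagged
    "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP",    # known key format: flagged
    'token = os.environ["API_TOKEN"]',          # reference, not a value: ignored
    'slack = "xoxb-123456789012-abcdefghij"',   # known token format: flagged
    "-----BEGIN RSA PRIVATE KEY-----",           # key material: flagged
]
```

Running `scan_lines(SAMPLE_LINES)` flags lines 2, 3, 5 and 6 and ignores the placeholder and the environment-variable reference; wire the same call to the staged diff in a pre-commit hook or CI step and fail the job on any finding.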
5. No one knows what "incident response" means until the incident
You don't need a 40-page plan. You need one page that answers:
- Who is in charge when something happens?
- How do we communicate if email/Slack is compromised?
- Who can decide to take systems offline?
- Which external parties (lawyer, insurer, authorities) do we call, and when?
Print it. An incident at 2 a.m. is the wrong time to design a process.
Start here, not with a new tool
Every item above costs mostly attention, not money. Fix these first and you'll be ahead of the majority of companies your size — then the security products you buy will actually have a solid foundation to stand on.
Want an honest, jargon-free look at your security posture? Book a security assessment with our team.