The Most Common Cybersecurity Gaps We Find in SMB Audits


I’ve lost count of how many small and mid-sized business networks our team has audited over the years. But there’s something funny about the work. After a while, you stop being surprised. The same security gaps keep showing up in company after company, in completely different industries, in businesses run by smart, capable people.

It isn’t that anyone is being careless. Most owners genuinely believe their network is in good shape. The problem is that the gaps are quiet. They don’t trigger alarms. They don’t slow anything down. They just sit there, waiting for the wrong day.

In this post, I want to share the most common cybersecurity gaps we keep finding during SMB audits, why they happen so often, and what you can actually do to close them. Some of these will probably sound familiar. A few might catch you off guard.

Gap 1: Old User Accounts That Should Have Been Deleted Years Ago

This is hands down the most common finding. Almost every SMB we audit has active user accounts belonging to people who left the company months, sometimes years, ago.

Sometimes it’s an ex-employee. Sometimes it’s a contractor who finished a project in 2022. Sometimes it’s a generic account like “admin2” or “tempuser” that nobody remembers creating.

The risk is obvious once you say it out loud. Every one of those accounts is a working door into your network. If credentials ever leaked in a past breach, attackers can quietly try them whenever they want. And because nobody is using these accounts day to day, nobody notices when someone else does.

The fix is boring but powerful. A quarterly review of every account in every system, paired with a strict offboarding checklist that disables access on the person's last day, keeps this gap closed. If you'd rather not chase that internally, this is exactly the kind of housekeeping our managed IT services team handles as a matter of routine.
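The quarterly review is easier when it starts from a script rather than a spreadsheet. The following is an added example, not code from the original post or from Infinity Tech: it takes a CSV export of accounts (the column names are an assumption; most directory and identity consoles can export something close to this), keeps only enabled accounts, and flags the ones that have never logged in, have not logged in for 90 days, or have no named owner, listing privileged accounts first. The sample export is constructed data.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data). Column names are an assumption:
# most directory and IdP consoles can export something close to this as CSV.
SAMPLE_EXPORT = """\
username,enabled,last_logon,is_admin,owner
jsmith,true,2025-01-10T08:12:00Z,false,Jane Smith
contractor.bob,true,2022-11-02T17:30:00Z,false,
admin2,true,,true,
tempuser,true,2023-06-14T09:00:00Z,false,
mgarcia,true,2025-01-12T14:05:00Z,true,Maria Garcia
oldhire,false,2021-03-01T10:00:00Z,false,Former Employee
"""

STALE_AFTER = timedelta(days=90)
AUDIT_DATE = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed so the sample output is stable


def parse_logon(value):
    """An empty last_logon field means the account has never logged in."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_accounts(csv_text, now, stale_after=STALE_AFTER):
    """Return enabled accounts that need a decision, privileged ones first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled: not a working door, though still worth deleting
        reasons = []
        last = parse_logon(row["last_logon"].strip())
        if last is None:
            reasons.append("never logged in")
        elif now - last > stale_after:
            reasons.append(f"no logon for {(now - last).days} days")
        if not row["owner"].strip():
            reasons.append("no named owner (generic or shared account)")
        if reasons:
            findings.append({
                "username": row["username"],
                "privileged": row["is_admin"].strip().lower() == "true",
                "reasons": reasons,
            })
    # A stale admin account is the worst case, so it goes to the top of the list.
    findings.sort(key=lambda f: (not f["privileged"], f["username"]))
    return findings


def run_review():
    return review_accounts(SAMPLE_EXPORT, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_review():
        flag = "ADMIN " if f["privileged"] else ""
        print(f"{flag}{f['username']}: {'; '.join(f['reasons'])}")
```

Run it against a real export with today's date and the output is the agenda for the review meeting: every line is an account somebody has to either claim, disable, or delete. The disabled "oldhire" account is deliberately skipped, since the point of the list is accounts that still work.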

Gap 2: Multi-Factor Authentication Is Only Half Turned On

Most owners tell us, “Yeah, we have MFA.” And technically, they do. The problem is, MFA is usually only enabled on email, and nothing else.

Their VPN doesn’t require it. Their remote desktop access doesn’t require it. Their accounting software, their CRM, their file storage, all wide open with just a password. We even see admin-level cloud accounts protected by nothing but a 9-character password from 2019.

If an attacker phishes one set of credentials, half-enabled MFA still hands them the keys to the building through whichever system was left on password only. Full MFA coverage across every business-critical system is one of the highest-impact security upgrades any SMB can make, and it usually takes less than a week to roll out properly. One caveat worth checking while you do it: legacy sign-in protocols such as IMAP, POP and SMTP AUTH don't support MFA, so they have to be disabled too, or they remain a password-only back door into the same mailboxes.

Gap 3: Backups That “Work” but Have Never Actually Been Tested

I’d say nine out of ten businesses we audit are running backups. Maybe seven out of ten can show me a green checkmark on the backup dashboard. But when I ask, “When was the last time you actually restored from one of these?” the answer is almost always silence.

A backup you’ve never tested isn’t a backup. It’s a hope. We’ve seen companies discover during an actual ransomware incident that their backups had been silently failing for months, or that the restore process took 40 hours instead of the 2 hours they assumed. By then, it’s already a disaster.

A working backup strategy needs three things. Backups that complete, with a failure alerting a person rather than just turning an icon red on a dashboard nobody opens. At least one copy stored somewhere isolated from the main network, so ransomware that reaches the file server can't reach the backups as well. And restore tests done at least once a quarter, with the time the restore took and the result written down, so the 2-hour assumption gets checked before the day it matters.
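What a restore test actually checks is easy to show. The following is an added example and not code from the original post or from Infinity Tech: it backs up a small constructed directory tree into a gzip tarball, records a SHA-256 manifest at backup time, restores the archive into scratch space and compares every restored file against the manifest. It then runs the same check against a second backup that "completed" but silently skipped one file and captured a truncated one, which is the failure mode described above. The file names and contents are constructed sample data.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_dir, archive_path):
    """Write a gzip tarball of src_dir and return the manifest taken at backup time."""
    src_dir = Path(src_dir)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(src_dir).as_posix())
    return build_manifest(src_dir)


def restore_test(archive_path, expected):
    """Restore into scratch space and compare every file against the expected manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses path traversal (Python 3.12+, backported)
            except TypeError:
                tar.extractall(scratch)  # older Python without the filter argument
        restored = build_manifest(scratch)
    missing = sorted(set(expected) - set(restored))
    corrupted = sorted(p for p in expected if p in restored and restored[p] != expected[p])
    extra = sorted(set(restored) - set(expected))
    return {"ok": not missing and not corrupted, "files_checked": len(restored),
            "missing": missing, "corrupted": corrupted, "extra": extra}


def write_tree(root, files):
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def run_demo():
    """Constructed sample data: one healthy backup and one that 'completed' but is wrong."""
    live_files = {
        "invoices/2024-q1.csv": b"id,amount\n1,100\n2,250\n",
        "config/app.ini": b"[db]\nhost=db01\n",
        "hr/roster.txt": b"alice\nbob\n",
    }
    with tempfile.TemporaryDirectory() as work:
        live = Path(work) / "live"
        write_tree(live, live_files)
        good_archive = Path(work) / "good.tar.gz"
        manifest = create_backup(live, good_archive)
        good = restore_test(good_archive, manifest)

        # Simulate a backup job that skipped one file and captured a truncated one.
        drifted = dict(live_files)
        del drifted["hr/roster.txt"]
        drifted["invoices/2024-q1.csv"] = b"id,amount\n"
        broken = Path(work) / "broken"
        write_tree(broken, drifted)
        bad_archive = Path(work) / "bad.tar.gz"
        create_backup(broken, bad_archive)
        bad = restore_test(bad_archive, manifest)  # judged against what we expect to have
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("good backup", "drifted backup"), run_demo()):
        print(label, "PASS" if result["ok"] else "FAIL", result)
```

The important design choice is that the second test is judged against the manifest of what should exist, not against whatever the bad archive happens to contain. A backup tool's own "job completed" status only tells you the job ran; comparing against an independent record of the live data is what turns a green checkmark into evidence.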

Gap 4: One Flat Network Where Everything Talks to Everything

This one is invisible until it hurts you. In most small business networks, everything sits on the same flat network. Workstations, servers, security cameras, smart TVs, guest Wi-Fi, the receptionist’s laptop, the CEO’s laptop, all on one big happy LAN.

The moment any single device gets compromised, whether it’s a phishing click, a vulnerable IoT camera, or an old printer with default credentials, the attacker can move sideways across the entire network without resistance.

Proper network segmentation puts guest devices, IoT gear, workstations, and servers on separate VLANs, with firewall rules controlling what can cross between them, so a compromised camera has no path to the file server. It isn't expensive to set up, but it's almost never done by default, and very few SMB owners know to ask for it.

Gap 5: Patching Is “Mostly” Done

When we ask about patching, most teams confidently say, “We’re up to date.” Then we run a scan and find dozens of unpatched vulnerabilities, often on the most important machines.

It’s usually not the workstations. It’s the things people forget. The old print server in the back room. The Linux box running a single internal app. The network switch firmware that hasn’t been updated since installation. The third-party software that auto-updates, except it stopped auto-updating two years ago and nobody noticed.

Attackers love forgotten systems. Most successful breaches don’t use exotic zero-day exploits. They use known vulnerabilities, in known software, that already had a patch available for months or years.

A documented patch management process, with monthly verification, takes this from “we think we’re good” to actually being good.

Gap 6: No Real Visibility Into What’s Happening on the Network

This one connects directly to a piece we published recently about the monitoring alert in-house IT teams usually miss, and it’s worth reading alongside this article.

Most SMBs we audit have very limited visibility. They know if a server is up or down. That’s about it. They have no real view of who’s logging in, from where, at what time, with what device. They can’t tell if a user’s account is being accessed from two countries in the same hour. They can’t see when an internal machine starts making suspicious DNS requests.

You can’t defend what you can’t see. Proper logging, monitoring, and alerting are the foundation that every other security control sits on top of. Without it, even the best firewall is just an expensive box.
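The two examples the paragraph above gives, an account used from two countries in the same hour and a burst of activity that a simple up/down check would never surface, are both cheap to detect once sign-in logs are actually collected. The following is an added example, not code from the original post or from Infinity Tech: it parses a constructed sign-in log (the line format, and the assumption that the log source already attaches a GeoIP country code, are assumptions for this example; the addresses are documentation ranges), then runs two detections over it: successful logons for one user from different countries within an hour, and five or more failed attempts followed by a success from the same account.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events, not real logs. The line format, and the
# country field already being attached by the log source, are assumptions.
SAMPLE_LOG = """\
2025-01-14T08:55:02Z user=jsmith src=203.0.113.7 country=US result=success
2025-01-14T09:10:44Z user=mgarcia src=198.51.100.23 country=US result=success
2025-01-14T09:31:09Z user=jsmith src=192.0.2.88 country=RO result=success
2025-01-14T09:40:00Z user=bwong src=203.0.113.40 country=US result=failure
2025-01-14T09:40:03Z user=bwong src=203.0.113.40 country=US result=failure
2025-01-14T09:40:06Z user=bwong src=203.0.113.40 country=US result=failure
2025-01-14T09:40:09Z user=bwong src=203.0.113.40 country=US result=failure
2025-01-14T09:40:12Z user=bwong src=203.0.113.40 country=US result=failure
2025-01-14T09:40:20Z user=bwong src=203.0.113.40 country=US result=success
2025-01-14T12:05:17Z user=mgarcia src=198.51.100.23 country=US result=success
2025-01-14T17:20:00Z user=mgarcia src=192.0.2.201 country=DE result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) country=(?P<country>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts with a timezone-aware timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skipped here, should be counted in production
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Same user, two successful logons from different countries within the window."""
    alerts = []
    last_success = {}
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            alerts.append({
                "user": e["user"],
                "countries": (prev["country"], e["country"]),
                "minutes_apart": int((e["ts"] - prev["ts"]).total_seconds() // 60),
            })
        last_success[e["user"]] = e
    return alerts


def detect_failures_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """A burst of failed logons followed by a success: guessing that eventually worked."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for e in events:
        recent = [t for t in failures[e["user"]] if e["ts"] - t <= window]
        if e["result"] == "failure":
            recent.append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append({"user": e["user"], "src": e["src"], "failures": len(recent), "at": e["ts"]})
            recent = []
        failures[e["user"]] = recent
    return alerts


def run_detections(log_text=SAMPLE_LOG):
    events = parse_events(log_text)
    return {
        "impossible_travel": detect_impossible_travel(events),
        "failures_then_success": detect_failures_then_success(events),
    }


if __name__ == "__main__":
    for name, alerts in run_detections().items():
        print(name, alerts or "no alerts")
```

Note that mgarcia's US-then-Germany sign-ins are not flagged, because five hours apart is plausible travel; the one-hour window is what separates a real anomaly from a business trip. Thresholds like that are the tuning work behind "proper alerting", and they are impossible to set at all if the sign-in log was never collected in the first place.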

Gap 7: Employees Have Never Had Real Security Training

Most breaches start with a person, not a machine: a phishing click, a reused password, a convincing phone call. Yet most of the SMBs we audit have either no security awareness training, or training that consists of one PDF the new hire reads on day one and never sees again.

We’ve watched well-meaning, smart employees click on phishing emails that any quick training session would have flagged. We’ve seen accounting staff wire money to “the CEO” based on a spoofed email. We’ve seen IT admins click malicious links because they were tired at the end of a long day.

Ongoing, short, realistic security training, including simulated phishing tests, is one of the cheapest and most effective investments a business can make. It works because it shifts your people from being your biggest risk into being your first line of defense.

Gap 8: The Cybersecurity Insurance Policy Nobody Has Actually Read

This one isn’t strictly a technical gap, but it shows up in almost every audit and it can be the most expensive of all.

Many SMBs have cyber insurance. Very few have actually read the fine print. The policy often requires specific controls, like MFA everywhere, regular backup tests, documented patching, employee training, and endpoint detection software. If you don’t have those controls in place when an incident happens, the policy may not pay out.

We’ve seen businesses assume they were covered, only to find out after a ransomware attack that their policy was effectively void because they weren’t meeting the basic security requirements they had agreed to.

If you have a cyber policy, pull it out today and read the security requirements section. If anything on that list isn’t fully in place at your business, that’s a gap worth closing this month, not next quarter.

A Quick Reality Check for Your Own Business

If you want a fast self-assessment, ask yourself these questions honestly.

When was the last time we reviewed every user account in our systems?
Is MFA required on every business-critical login, not just email?
Have we actually restored from a backup in the last 90 days?
Is our network segmented, or is everything on the same LAN?
Can we prove that every server, workstation, and device is fully patched right now?
Do we have logs and monitoring covering more than just "server up or down"?
When did our employees last receive real security training?
Do we know what our cyber insurance policy actually requires?

If you hesitated on more than two of those, you have the same gaps we find in almost every SMB audit. The good news is that none of them are particularly hard to fix once someone is actually focused on closing them.

Where to Go From Here

The pattern across every audit we’ve done is pretty clear. The companies that get breached aren’t the ones with exotic, sophisticated vulnerabilities. They’re the ones with basic gaps that nobody got around to closing.

Closing these gaps doesn’t require a massive budget or a complete tech overhaul. It requires someone whose job is to actually own security day to day, not squeeze it in between support tickets. That’s the entire reason our cybersecurity team exists, and it’s the work we do quietly in the background for every client we take on.

If you’ve never had a proper outside audit of your environment, or it’s been more than a year since your last one, that’s the single most useful next step you can take. You can’t fix what you don’t know about, and almost everything we find during an audit turns out to be cheaper and easier to fix than business owners expect.

Frequently Asked Questions

What is a cybersecurity audit and what does it involve?

A cybersecurity audit is a structured review of your business’s IT environment to identify security gaps, misconfigurations, missing controls, and risks. A good audit covers user accounts, access controls, patching, backups, monitoring, network design, employee practices, and policy compliance. The output is a prioritized list of issues with recommended fixes.

How often should a small business get a cybersecurity audit?

Once a year at a minimum, and any time there’s a major change like new software, a move to the cloud, opening a new office, or after an incident. Many businesses also do a lighter quarterly review of high-risk areas like user accounts and patching status.

What’s the difference between an audit and a penetration test?

An audit looks at how your environment is configured and whether the right controls are in place. A penetration test actively tries to break in, simulating what a real attacker would do. Both are valuable, and they answer different questions. Most SMBs benefit more from a thorough audit first, then a pen test once the basics are solid.

How long does a typical SMB audit take?

For a business with 20 to 100 employees, a full audit usually takes one to two weeks from kickoff to final report. Light-touch audits can be done faster, but they tend to miss the deeper, more important issues.

Do small businesses really get targeted by attackers?

Yes, and increasingly so. Attackers know that smaller businesses often have weaker defenses, less monitoring, and fewer resources to recover. Automated attacks don’t care how big you are, and ransomware groups specifically target small and mid-sized companies because they often pay quickly to get back online.

Final Thought

The same gaps keep showing up because nobody is actively looking for them. That’s it. The technology to close every gap on this list already exists, is well understood, and is within reach of any SMB budget. What’s usually missing is attention.

If you’re not sure where your business stands today, that’s the most important thing to find out. Everything else gets easier once you know.