"We're too small to be a target"

This is the costliest assumption in small business IT. Automated attacks don't pick targets by size — they pick by exposure. A 12-person firm with an unpatched VPN is a better target than a hardened enterprise.

The five mistakes

  1. No MFA on email. The single highest-impact gap; turning MFA on blocks the vast majority of account-takeover attempts.
  2. Treating antivirus as enough. Modern threats need behavior-based EDR, not signature scanning.
  3. Untested backups. A backup you've never restored is a hope, not a recovery plan.
  4. Shared and stale admin accounts. Standing privileged access is what turns a small breach into a full compromise.
  5. No security awareness training. People remain the most-targeted layer; a 20-minute quarterly habit measurably reduces click rates.

Fixing them is cheaper than a breach

Each of these is inexpensive relative to the cost of downtime and recovery. Book a quick assessment and we'll tell you which gaps you actually have.