10 Signs Your Business Has an IT Security Problem (And What to Do About It)

Most small business owners don’t find out they have an IT security problem until something goes wrong. A phishing email lands. An account gets compromised. A ransomware message appears on screen. By then, the damage is already done.

The frustrating part? The warning signs are almost always visible in advance — if you know what to look for.

Here are 10 signs that your business may be more exposed than you think, and what to do about each one. If you’re based in the North West, we’ve added some local context too.

1. You don’t have Multi-Factor Authentication (MFA) switched on

MFA is the single most effective thing a business can do to protect its accounts right now. According to Microsoft, it prevents 99.9% of automated account compromise attacks. Yet most small businesses either haven’t enabled it or have only switched it on for a handful of users.

If one of your team’s Microsoft 365 passwords is stolen — through a phishing email, a data breach on another site, or simply a weak guess — MFA is the last line of defence that stops an attacker walking straight in.

What to do: Enable MFA across every Microsoft 365 account in your organisation — not just admins. It takes a couple of hours and costs nothing if you’re already on Microsoft 365.

2. You’re using shared passwords or weak credentials

Shared passwords and predictable credentials are an open door for attackers. If one team member uses the same password for their work email and a personal account that gets breached elsewhere, your entire business could be at risk.

What to do: Implement a password policy requiring unique, complex passwords for all accounts. Enterprise password managers give the business full visibility and control over credentials — including the ability to revoke access instantly when someone leaves. We can help you procure and deploy the right solution for your team size and setup.

3. You’ve never tested whether staff can spot a phishing email

Phishing is the number one way attackers get into business systems. Your firewall won’t stop an email that looks like it’s from a colleague, a supplier, or HMRC. If your team hasn’t had any awareness training or been through a phishing simulation, you’re relying on luck.

The NCSC’s Cyber Security Breaches Survey found that phishing remains the most common type of attack on UK businesses — affecting 84% of those that reported a breach.

What to do: Run a simulated phishing exercise to see how your team responds. The results are usually eye-opening — and give you a clear baseline to work from. We can run these as part of a broader security awareness programme.

4. When someone leaves, their access isn’t removed the same day

Former employees retaining access to business systems is one of the most common — and most avoidable — security risks. Whether through malice, curiosity, or simply not knowing better, an ex-staff member with live credentials is a vulnerability entirely within your control to eliminate.

What to do: Build an offboarding checklist that includes disabling the account, revoking device access, and removing them from shared inboxes and cloud storage on their last day. Not a week later — the same day. We can help you automate this process so it never gets missed.

5. You don’t know exactly where your data is stored

If you can’t answer “what data do we hold, where does it live, and who has access to it?” — that’s a problem for both security and GDPR compliance. Data spread across personal cloud accounts, old laptops, and USB sticks is data you can’t protect.

Under GDPR, businesses are required to take appropriate technical measures to protect personal data. “I didn’t know where it was” is not a defence the ICO will accept.

What to do: Conduct a data audit — list what types of personal or sensitive data you hold, where it’s stored, and who needs access. Centralise everything into Microsoft 365 (SharePoint/OneDrive) with proper permissions. We can help you map your data landscape and close the gaps.

6. You’re not running the latest software updates

Unpatched software is how most malware enters business networks. Attackers actively scan for businesses running outdated operating systems or applications because the vulnerabilities are publicly known — and exploitation is largely automated.

What to do: Enable automatic updates on all devices. If you’re managing Windows devices, Microsoft Intune can enforce update policies centrally — it’s included in most Microsoft 365 Business Premium plans. We can configure and manage this for you as part of a fully managed IT service.

7. Staff work from personal devices with no security controls

Remote and hybrid working has blurred the line between personal and business devices. If your team access company email or files from personal laptops and phones with no management controls, you have no visibility into what’s happening to that data — and no way to protect it if a device is lost or stolen.

What to do: Enrol company devices into a Mobile Device Management (MDM) solution such as Microsoft Intune. This lets you enforce encryption, apply security policies, and remotely wipe a device if needed. We can deploy and manage this as part of your IT setup.

8. You have a backup — but you’ve never tested it

Ransomware encrypts your data and demands payment for the decryption key. The only real defence is a reliable backup that isn’t also encrypted. Many businesses have something they call a backup but have never actually tested whether it restores correctly.

A backup you’ve never restored from isn’t a backup. It’s an assumption.

What to do: Implement the 3-2-1 rule — 3 copies of your data, on 2 different types of media, with 1 copy offsite or in the cloud. Run a test restore every quarter to confirm it works. We can set up and monitor enterprise-grade backup solutions and handle the testing on your behalf.
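A test restore can be scripted so it actually proves something: restore into a scratch directory and check every file against the hash manifest written at backup time. This is an added example, not code from the original post or from MJM Technology; the directory layout, manifest format and sample files are constructed for the demonstration.

```python
"""Test restore with integrity check: restore a backup into a scratch directory
and verify every file against the manifest recorded at backup time.
Added example; layout and manifest format are constructed, not a real product's."""
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def make_backup(source, backup_dir):
    """Copy source into backup_dir/data and record relative path -> sha256."""
    shutil.copytree(source, backup_dir / "data")
    manifest = {str(p.relative_to(source)): sha256(p) for p in source.rglob("*") if p.is_file()}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest))
    return manifest

def verify_restore(backup_dir):
    """Restore to a fresh temp dir and compare each file with the manifest.
    Returns (ok, problems); missing or altered files are listed, never passed silently."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    restore_root = Path(tempfile.mkdtemp(prefix="restore-test-"))
    shutil.copytree(backup_dir / "data", restore_root / "data")
    problems = []
    for rel, expected in manifest.items():
        restored = restore_root / "data" / rel
        if not restored.exists():
            problems.append(f"missing: {rel}")
        elif sha256(restored) != expected:
            problems.append(f"corrupt: {rel}")
    shutil.rmtree(restore_root)
    return (not problems, problems)

def demo():
    """Constructed scenario: a clean backup passes; the same backup damaged after
    the fact (bit rot, or ransomware reaching the backup share) fails the test."""
    work = Path(tempfile.mkdtemp())
    src = work / "live"
    (src / "accounts").mkdir(parents=True)
    (src / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n")
    (src / "policy.txt").write_text("offboarding checklist\n")
    backup = work / "backup"
    make_backup(src, backup)
    clean = verify_restore(backup)
    # simulate silent damage to the backup copy: one file altered, one gone
    (backup / "data" / "accounts" / "ledger.csv").write_text("id,amount\n1,999\n")
    (backup / "data" / "policy.txt").unlink()
    damaged = verify_restore(backup)
    shutil.rmtree(work)
    return clean, damaged
```

Pointing `make_backup` and `verify_restore` at a real backup location is the quarterly check the text recommends; a failing result is the finding you want to see before an incident, not after.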

9. Nobody is monitoring your systems for unusual activity

Most small businesses find out about a security incident because something stops working — or a customer tells them. Proactive monitoring — watching for unusual logins, unexpected data transfers, or repeated failed authentication — dramatically reduces the time between an attack starting and you knowing about it.

The average time to detect a data breach in the UK is over 200 days. Most of the damage is done in the first 24 hours.

What to do: Microsoft 365 Business Premium includes Microsoft Defender, which provides basic threat detection and alerting. For comprehensive coverage, a managed security service will monitor your environment around the clock — we offer this as part of our security pillar.
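The "repeated failed authentication" and "unusual logins" signals above can be expressed as simple detection rules over sign-in records. The following is an added example, not code from the original post or from Microsoft Defender; the log records are constructed and simplified, and the field names are assumptions rather than a real export format.

```python
"""Detection rules for repeated failed sign-ins. Added example; records are a
constructed, simplified sign-in log and the field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: one IP fails against three accounts, hammers alice,
# then signs in successfully. dave is an ordinary mistyped password.
SAMPLE_LOG = [
    {"time": "2024-03-04T08:00:05", "user": "dave@example.co.uk",  "ip": "198.51.100.4", "ok": False},
    {"time": "2024-03-04T08:00:40", "user": "dave@example.co.uk",  "ip": "198.51.100.4", "ok": True},
    {"time": "2024-03-04T08:01:10", "user": "alice@example.co.uk", "ip": "203.0.113.7",  "ok": False},
    {"time": "2024-03-04T08:01:12", "user": "alice@example.co.uk", "ip": "203.0.113.7",  "ok": False},
    {"time": "2024-03-04T08:01:15", "user": "bob@example.co.uk",   "ip": "203.0.113.7",  "ok": False},
    {"time": "2024-03-04T08:01:17", "user": "alice@example.co.uk", "ip": "203.0.113.7",  "ok": False},
    {"time": "2024-03-04T08:01:20", "user": "carol@example.co.uk", "ip": "203.0.113.7",  "ok": False},
    {"time": "2024-03-04T08:01:22", "user": "alice@example.co.uk", "ip": "203.0.113.7",  "ok": False},
    {"time": "2024-03-04T08:01:25", "user": "alice@example.co.uk", "ip": "203.0.113.7",  "ok": False},
    {"time": "2024-03-04T08:02:00", "user": "alice@example.co.uk", "ip": "203.0.113.7",  "ok": True},
]

WINDOW = timedelta(minutes=10)   # sliding window for counting failures
FAIL_THRESHOLD = 5               # failures for one account inside WINDOW
SPRAY_THRESHOLD = 3              # distinct accounts one IP has failed against

def detect(records):
    """Return alerts as tuples, in the order the evidence appears in the log."""
    events = sorted((datetime.fromisoformat(r["time"]), r["user"], r["ip"], r["ok"]) for r in records)
    fails_by_user = defaultdict(list)   # user -> timestamps of recent failures
    users_by_ip = defaultdict(set)      # ip -> accounts it has failed against
    alerts, flagged = [], set()
    for ts, user, ip, ok in events:
        if ok:
            recent = fails_by_user[user]
            # a success straight after a burst of failures is the one to act on first
            if len(recent) >= FAIL_THRESHOLD and ts - recent[-1] <= WINDOW:
                alerts.append(("success-after-failures", user, ip))
            recent.clear()
            continue
        recent = fails_by_user[user]
        recent.append(ts)
        while ts - recent[0] > WINDOW:      # drop failures older than the window
            recent.pop(0)
        if len(recent) >= FAIL_THRESHOLD and ("burst", user) not in flagged:
            flagged.add(("burst", user))
            alerts.append(("burst", user, len(recent)))
        users_by_ip[ip].add(user)
        if len(users_by_ip[ip]) >= SPRAY_THRESHOLD and ("spray", ip) not in flagged:
            flagged.add(("spray", ip))
            alerts.append(("spray", ip, len(users_by_ip[ip])))
    return alerts
```

Run over the sample, `detect` raises a spray alert for the source IP, a burst alert for alice, and a success-after-failures alert when that account finally signs in; dave's single typo produces nothing, which is the point of the thresholds.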

10. You’ve never had an independent security review

Even businesses that feel on top of their IT often have blind spots. Configuration errors, legacy accounts, overpermissioned staff, and out-of-date policies are the kinds of things that are hard to spot from the inside — but obvious to an experienced pair of eyes.

A security review doesn’t have to be expensive or disruptive. A good MSP can assess your current setup in under an hour and give you a clear, prioritised action list.

What to do: Book a free security assessment with MJM Technology. We’ll review your current setup, identify the gaps, and give you a clear action plan — with no obligation. We’re a Microsoft Partner based in the North West, and we work with SMBs to cut through the noise and give honest, practical advice.

How many applied to your business?

If you recognised your business in even two or three of the above, it’s worth taking action before something forces your hand. Most of these issues can be fixed quickly and without a large budget — the challenge is knowing where to start.

MJM Technology offers free security assessments for SMBs across the North West. We’ll review your current setup, identify the gaps, and give you a clear action plan — with no obligation to use us to fix it.

Book your free assessment below.