Big breaches usually start small. Not movie-style hacking, just basics that weren’t done well or weren’t done consistently.
1) MFA missing where it matters
MFA should cover email, remote access, finance systems, and anything admin-level.
If it’s “only for some people,” “we’ll roll it out later,” or shared accounts bypass it, the door’s half-open.
Admins or remote users logging in without MFA, and shared or guest accounts that bypass prompts, are dead giveaways.
This is how business email compromise starts: one inbox gets popped, forwarding rules get added, invoices get “updated,” and password resets for other apps go through that mailbox unnoticed. When finance or owner inboxes are hit, cash flow takes the punch—fraudulent wires, delayed payments, and brand-damage cleanup.
2) Patching drifts
Unpatched systems are easy targets.
Operating systems, browsers, and common apps need routine updates—so do firewalls and WiFi gear.
Devices that haven’t rebooted in months and piles of “critical” updates waiting everywhere are telltale signs.
Another giveaway: “no-reboot” culture to avoid complaints, VPN/firewall firmware “on the list” for a year, and old runtimes or extensions (Java, PDF tools, browser add-ons) that never get touched. Unpatched endpoints become the infection path; downtime and cleanup time dwarf the “we didn’t want to reboot” savings.
3) Access hygiene slips
People join, people leave, roles change. Access should change with them.
If accounts and permissions lag, old logins linger and “temporary” admin rights never go away.
Former staff still active in key systems and shared passwords on important services are warning signs.
When five people share a login, there is no way to tell who did what, and you can’t prove who made a change when it matters. Bad for audits, worse for incident response.
Quick self-check (prevention edition)
- MFA isn’t on for email, remote access, finance tools, or admin accounts
- Updates pile up and reboots get deferred for weeks
- You can’t say, today, which former staff accounts are disabled
- Shared accounts are still in use on important systems
If two or more hit, you’ve got preventable risk.
Want the full checklist of red flags (and how to avoid them)? Grab the white paper:
The IT Provider Trap – How to Spot Danger Signs Before Your Business Pays the Price