Top 10 SMB Tech Issues: Security by Assumption
11 August 2025
Issue 9: Security by Assumption. "Assumptions are made, and most assumptions are wrong" (thanks, AE)
“I thought backups were running.” “I assumed MFA was on for everyone.” “The MSP handles patching, right?” — this is how breaches happen. Not usually because of a nation-state attack, but because everyday controls were never turned on, went stale, or no one was explicitly accountable (see: Top 10 SMB Tech Issues: Service Ownership).
The problem
- Implicit ownership: Security is “with IT,” the MSP, or “whoever set it up,” but no one is clearly accountable.
- Invisible controls: Backups, MFA, EDR, patching and logging exist… somewhere. But status and coverage aren’t reported.
- One-and-done mindset: Security is treated as a project, not a practice. Policies age. People change. Tools drift.
The real-world impact
- Backups succeed for months — then silently fail. You discover it during a ransomware event.
- Admins have MFA; the rest don’t. A phished credential becomes a business-wide compromise.
- Critical patches wait for a “maintenance window” that never comes; attackers don’t wait.
What good looks like
- Named owners for each control (MFA, backups, EDR, patching, logging, email security, identity).
- Coverage, not just capability: who’s protected, who isn’t — reported monthly.
- Tested recovery: restores are rehearsed and timed; RPO/RTO are known and met.
- Least privilege & conditional access applied by default; standing admin rights removed.
- Alerting with action: clear runbooks for phishing, endpoint isolation, account lock, and comms.
Where to start
- Make a one-page security controls register: control, owner, tool, coverage %, last test date.
- Turn on the basics everywhere: MFA, device encryption, auto-patching for OS/apps, email filtering, and DNS protection.
- Do a restore test this week — file-level and full system. Write down the steps and timings.
- Remove shared mailboxes and shared admin accounts; move to named accounts with just-in-time elevation.
- Schedule a 30-minute monthly security review — owners report coverage and exceptions.
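The controls register and the monthly coverage review above can be made mechanical rather than assumed. The following is an added example, not code from the original post: a small Python script holding a controls register (control, owner, tool, coverage, last test date) and a review that flags every control with no named owner, with incomplete coverage, or with a test older than a set age. MFA coverage is computed from the user list itself rather than taken on trust. Every control, owner, tool, date and user record in it is constructed sample data.

```python
"""
Added worked example (not from the original post): a minimal security
controls register with an automated monthly review. The review turns
"I assumed it was on" into a list of explicit findings.

All control names, owners, tools, dates and user records below are
constructed sample data, not taken from any real environment.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Control:
    name: str
    owner: Optional[str]         # None means nobody is accountable
    tool: str
    covered: int                 # people/devices the control is confirmed on
    in_scope: int                # people/devices it should cover
    last_tested: Optional[date]  # None means it has never been tested

    @property
    def coverage_pct(self) -> float:
        return 0.0 if self.in_scope == 0 else 100.0 * self.covered / self.in_scope


def review_register(register: List[Control], today: date,
                    max_test_age_days: int = 90,
                    min_coverage_pct: float = 100.0) -> List[str]:
    """Return one finding per gap; an empty list means nothing is left to assume."""
    findings: List[str] = []
    for c in register:
        if not c.owner:
            findings.append(f"{c.name}: no named owner")
        if c.coverage_pct < min_coverage_pct:
            gap = c.in_scope - c.covered
            findings.append(f"{c.name}: coverage {c.coverage_pct:.0f}% ({gap} uncovered)")
        if c.last_tested is None:
            findings.append(f"{c.name}: never tested")
        else:
            age = (today - c.last_tested).days
            if age > max_test_age_days:
                findings.append(f"{c.name}: last tested {age} days ago")
    return findings


def mfa_coverage(users: List[dict]) -> Tuple[float, List[str]]:
    """Coverage measured from the directory export, not from the licence count."""
    missing = [u["name"] for u in users if not u["mfa"]]
    pct = 100.0 * (len(users) - len(missing)) / len(users) if users else 0.0
    return pct, missing


# Constructed directory export: admins have MFA, the rest do not.
SAMPLE_USERS = [
    {"name": "alice", "mfa": True},
    {"name": "bob", "mfa": True},
    {"name": "carol", "mfa": False},
    {"name": "dave", "mfa": False},
]

REVIEW_DATE = date(2025, 8, 11)  # constructed review date for the worked numbers
_mfa_pct, _mfa_missing = mfa_coverage(SAMPLE_USERS)

# Constructed one-page register: control, owner, tool, coverage, last test date.
SAMPLE_REGISTER = [
    Control("MFA", "IT lead", "identity provider",
            len(SAMPLE_USERS) - len(_mfa_missing), len(SAMPLE_USERS), date(2025, 7, 30)),
    Control("Backups", None, "backup appliance", 12, 12, date(2025, 3, 1)),
    Control("EDR", "MSP", "endpoint agent", 40, 45, date(2025, 8, 1)),
    Control("Patching", "MSP", "patch management", 45, 45, None),
]

if __name__ == "__main__":
    print(f"MFA coverage: {_mfa_pct:.0f}%  missing: {_mfa_missing}")
    for finding in review_register(SAMPLE_REGISTER, REVIEW_DATE):
        print("FINDING:", finding)
```

Run on the sample data the review reports five findings: MFA at 50% coverage, backups with no owner and a restore test 163 days old, EDR at 89% coverage, and patching never tested. The point of the script is the shape of the register, not the sample values: feed it your own directory export and tool inventory each month and the "exceptions" the monthly review asks owners to report fall out as the findings list.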
The takeaway
Security by assumption is just insecurity you haven’t spotted yet. Make ownership explicit, make status visible, and make testing routine. It doesn’t need to be complex — it needs to be intentional.
Want a quick, pragmatic security baseline you can actually run with? Let’s talk.