
Most small businesses don't get caught out by one huge IT disaster. It's the little gaps that stack up first — the ones that seem too minor to worry about until the day they line up and something breaks. In our experience across a quarter-century of Perth clients, four gaps show up again and again: multi-factor authentication that isn't actually on everywhere, patching that's fallen behind, old access that never got removed, and backups nobody has properly tested.
The good news is that for a team under 50 users, closing these gaps isn't expensive or complicated. The biggest wins almost always come from locking down the basics and making sure someone actually owns each system. Here are the four gaps — and exactly how to close them.
Gap 1: MFA that isn't really on everywhere
Nearly everyone we speak to says they "have MFA". When we look closely, it's usually on for email — and off for the VPN, the accounting software, the remote-access tool, or the handful of admin accounts that matter most. That's the pattern attackers count on: they don't need to beat your strongest door, just find the one you left unlocked.
Multi-factor authentication blocks the overwhelming majority of account-takeover attacks, because a stolen password on its own hits a second locked door. But it only works if it's on every account that can reach your data — especially administrator logins.
How to close it: map every system that holds business data or logs people in, and confirm MFA is enforced on all of them, not just Microsoft 365. Use number-matching MFA (so nobody can approve a prompt by reflex) and, for your most sensitive accounts, move to phishing-resistant passkeys. Then write down which systems are covered, so the answer to "are we fully protected?" is a list, not a guess.
Gap 2: Patching that's quietly fallen behind
Software updates are boring, which is exactly why they slip. A workstation that misses a couple of update cycles, a server that's "too busy to reboot", an app that's two versions behind — each feels harmless on its own. But unpatched software is one of the most common ways attackers get in, because the vulnerabilities are public and the exploits are automated. They're not targeting you; they're scanning for anyone who's behind.
How to close it: stop relying on people to click "update later". Patching should be automated and monitored, with operating systems and the applications on top of them (browsers, PDF readers, line-of-business software) kept current on a schedule. This is one of the ASD Essential Eight controls for good reason — and it's the kind of thing a managed IT service handles in the background so it never depends on someone remembering.
Gap 3: Old access that never got removed
Every business accumulates access it's forgotten about: the employee who left six months ago whose Microsoft 365 login still works, the contractor who was given admin rights "just for the project", the shared password three former staff still know, the app connected to your data that nobody uses anymore. Each one is a door left open to someone who no longer needs to walk through it.
Departed-staff accounts are a particular risk — they're valid credentials, often with no one watching them, and they're a favourite route for both external attackers and disgruntled leavers.
How to close it: run a proper leavers process every single time, not just for the big departures. When someone leaves, disable the account promptly, revoke their sessions and tokens, and hand their data over cleanly — we walk through the full checklist in our guide on safely offboarding an employee. Then, twice a year, review who has access to what and strip back anything that's no longer needed. Access should follow the job, and end with it.
Gap 4: Backups nobody has tested
This is the gap that hurts the most when it fails. Plenty of businesses have backups running — and assume that means they're safe. But a backup you've never restored from is a hope, not a plan. We regularly find backups that stopped running months ago, that don't include the one system that actually matters, or that sit in a location ransomware could encrypt right alongside the live data.
How to close it: make sure your backup and disaster recovery covers everything critical — servers, Microsoft 365 email and files, line-of-business data — and that at least one copy is immutable and offsite, where an attacker can't reach it. Then, crucially, test a restore. Prove you can get a file, a mailbox, and ideally a whole system back, and time how long it takes. If you can't answer "how fast could we be running again?", you don't yet have a backup you can trust. (Here's how we approach it.)
The fifth gap behind the other four: nobody owns each system
Notice the thread running through all four? They don't fail because someone made a big mistake. They fail because no single person was clearly responsible for keeping them right. MFA drifts out of coverage, patches slip, access lingers, and backups quietly stop — precisely because everyone assumed someone else was watching.
The fix that closes all four at once is ownership. Every system in your business should have a name next to it — someone whose job it is to make sure MFA is on, patches are current, access is correct, and backups are tested. In a small business, that rarely means hiring; it usually means either assigning it clearly internally or handing it to a provider whose whole job is to watch these things so you don't have to. (If you're wondering whether you've reached that point, we wrote up the five signs a Perth business has outgrown its "IT guy".)
And yes — Perth small businesses really do get targeted. Attackers automate their way through exactly these four gaps, and "we're too small to bother with" has stopped being true. The reassuring part is that the businesses which close these basics well are dramatically harder to hit than the ones next door who didn't.
Where to start this week
If you do nothing else, pick the one gap that worries you most and close it properly:
Check MFA is enforced on every system, not just email.
Confirm patching is automated across machines and apps.
Review access and remove anyone who's left or no longer needs it.
Test a restore from your backups — actually get something back.
None of these require a big budget; they require someone to own them and follow through.
If you'd like a hand working through the list — or you just want an honest second opinion on where your gaps are — book a free chat with the Computer Mechanics team or call (08) 9325 1196. Prefer to tackle a single job without a contract? Our pay-as-you-go IT support can knock over any one of these in an afternoon. We've been keeping Perth businesses secure since 1997, and we're happy to tell you which gaps to close first.



