4 IT Gaps Small Businesses Overlook (and How to Close Them)

Most Perth businesses aren't undone by one huge disaster — it's the small IT gaps that stack up: missing MFA, delayed patching, old access nobody removed, and untested backups. Here's how teams under 50 users can close them. From Computer Mechanics, Perth IT specialists since 1997.

AmirAmir · Cloud System Engineer
16 July 2026
5 min read
Cybersecurity
Small Business
Microsoft 365
MFA
Perth Business

Most small businesses don't get caught out by one huge IT disaster. It's the little gaps that stack up first — the ones that seem too minor to worry about until the day they line up and something breaks. In our experience across a quarter-century of Perth clients, four gaps show up again and again: multi-factor authentication that isn't actually on everywhere, patching that's fallen behind, old access that never got removed, and backups nobody has properly tested.

The good news is that for a team under 50 users, closing these gaps isn't expensive or complicated. The biggest wins almost always come from locking down the basics and making sure someone actually owns each system. Here are the four gaps — and exactly how to close them.

Gap 1: MFA that isn't really on everywhere

Nearly everyone we speak to says they "have MFA". When we look closely, it's usually on for email — and off for the VPN, the accounting software, the remote-access tool, or the handful of admin accounts that matter most. That's the pattern attackers count on: they don't need to beat your strongest door, just find the one you left unlocked.

Multi-factor authentication blocks the overwhelming majority of account-takeover attacks, because a stolen password on its own hits a second locked door. But it only works if it's on every account that can reach your data — especially administrator logins.

How to close it: map every system that holds business data or logs people in, and confirm MFA is enforced on all of them, not just Microsoft 365. Use number-matching MFA (so nobody can approve a prompt by reflex) and, for your most sensitive accounts, move to phishing-resistant passkeys. Then write down which systems are covered, so the answer to "are we fully protected?" is a list, not a guess.

Gap 2: Patching that's quietly fallen behind

Software updates are boring, which is exactly why they slip. A workstation that misses a couple of update cycles, a server that's "too busy to reboot", an app that's two versions behind — each feels harmless on its own. But unpatched software is one of the most common ways attackers get in, because the vulnerabilities are public and the exploits are automated. They're not targeting you; they're scanning for anyone who's behind.

How to close it: stop relying on people to click "update later". Patching should be automated and monitored, with operating systems and the applications on top of them (browsers, PDF readers, line-of-business software) kept current on a schedule. This is one of the ASD Essential Eight controls for good reason — and it's the kind of thing a managed IT service handles in the background so it never depends on someone remembering.

Gap 3: Old access that never got removed

Every business accumulates access it's forgotten about: the employee who left six months ago whose Microsoft 365 login still works, the contractor who was given admin rights "just for the project", the shared password three former staff still know, the app connected to your data that nobody uses anymore. Each one is a door left open to someone who no longer needs to walk through it.

Departed-staff accounts are a particular risk — they're valid credentials, often with no one watching them, and they're a favourite route for both external attackers and disgruntled leavers.

How to close it: run a proper leavers process every single time, not just for the big departures. When someone leaves, disable the account promptly, revoke their sessions and tokens, and hand their data over cleanly — we walk through the full checklist in our guide on safely offboarding an employee. Then, twice a year, review who has access to what and strip back anything that's no longer needed. Access should follow the job, and end with it.

Gap 4: Backups nobody has tested

This is the gap that hurts the most when it fails. Plenty of businesses have backups running — and assume that means they're safe. But a backup you've never restored from is a hope, not a plan. We regularly find backups that stopped running months ago, that don't include the one system that actually matters, or that sit in a location ransomware could encrypt right alongside the live data.

How to close it: make sure your backup and disaster recovery covers everything critical — servers, Microsoft 365 email and files, line-of-business data — and that at least one copy is immutable and offsite, where an attacker can't reach it. Then, crucially, test a restore. Prove you can get a file, a mailbox, and ideally a whole system back, and time how long it takes. If you can't answer "how fast could we be running again?", you don't yet have a backup you can trust. (Here's how we approach it.)

The fifth gap behind the other four: nobody owns each system

Notice the thread running through all four? They don't fail because someone made a big mistake. They fail because no single person was clearly responsible for keeping them right. MFA drifts out of coverage, patches slip, access lingers, and backups quietly stop — precisely because everyone assumed someone else was watching.

The fix that closes all four at once is ownership. Every system in your business should have a name next to it — someone whose job it is to make sure MFA is on, patches are current, access is correct, and backups are tested. In a small business, that rarely means hiring; it usually means either assigning it clearly internally or handing it to a provider whose whole job is to watch these things so you don't have to. (If you're wondering whether you've reached that point, we wrote up the five signs a Perth business has outgrown its "IT guy".)

And yes — Perth small businesses really do get targeted. Attackers automate their way through exactly these four gaps, and "we're too small to bother with" has stopped being true. The reassuring part is that the businesses which close these basics well are dramatically harder to hit than the ones next door who didn't.

Where to start this week

If you do nothing else, pick the one gap that worries you most and close it properly:

  • Check MFA is enforced on every system, not just email.

  • Confirm patching is automated across machines and apps.

  • Review access and remove anyone who's left or no longer needs it.

  • Test a restore from your backups — actually get something back.

None of these require a big budget; they require someone to own them and follow through.

If you'd like a hand working through the list — or you just want an honest second opinion on where your gaps are — book a free chat with the Computer Mechanics team or call (08) 9325 1196. Prefer to tackle a single job without a contract? Our pay-as-you-go IT support can knock over any one of these in an afternoon. We've been keeping Perth businesses secure since 1997, and we're happy to tell you which gaps to close first.

Amir
Written by
Amir
Cloud System Engineer · 10+ years in IT

Amir is a Cloud System Engineer with over a decade of experience across server management, networking, cloud solutions and virtualisation. He designs and secures the Microsoft 365, Azure and network environments that Perth businesses rely on, turning complex infrastructure into scalable, efficient solutions.

Meet the IT Support Perth team →
Amir
16 July 2026
5 min read
Cybersecurity
Small Business
Microsoft 365
MFA
Perth Business

Stay Updated with IT Insights

Get the latest cybersecurity tips and technology insights delivered to your inbox

Related Articles

How to Safely Offboard an Employee (and Protect Your Company Data)

When a staff member leaves, their access is a security risk until it's properly closed off. A practical Perth-business checklist for offboarding an employee without losing data or leaving a door open. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

5 Signs Your Business Has Outgrown Your Current IT Guy

One trusted 'IT guy' works — until it doesn't. Here are five clear signs a Perth business has outgrown break-fix IT and needs a proper managed IT team. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

Passkeys vs Passwords: A Plain-English Guide for Perth Businesses

Passwords are behind most account breaches. Here's how passkeys work, why they're safer, and how your Perth business can start using them. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

Need Expert IT Support?

Get personalized advice from our Perth IT experts. Free consultation available.

Related Content

Continue Reading

Explore more insights and expert advice on IT support, cybersecurity, and digital transformation

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.
CyberSecurity
ITSupportPerth

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.

Most small business owners believe end-to-end encryption means their messages are completely private. A recent FBI case proves that assumption is dangerously incomplete.

5 min read
4/15/2026
What’s new in SMB1001:2026?
SMB1001
SMB10012026

What’s new in SMB1001:2026?

SMB1001:2026 updates for Perth SMBs: Mandatory DMARC from Silver tier, 5 maturity levels, Essential Eight alignment. Get certified, cut insurance costs, win tenders—start your roadmap today!

5 min read
2/25/2026
How to Safely Offboard an Employee (and Protect Your Company Data)
Cybersecurity
Microsoft 365

How to Safely Offboard an Employee (and Protect Your Company Data)

When a staff member leaves, their access is a security risk until it's properly closed off. A practical Perth-business checklist for offboarding an employee without losing data or leaving a door open. From Computer Mechanics, Perth IT specialists since 1997.

5 min read
7/15/2026