robswain.au

Rob Swain

Independent IT consultant

I have an enterprise architecture and infrastructure background, now working with small and growing businesses. Most of the environments I look at have similar issues: controls that exist on paper and are not enforced in practice, ownership that nobody has formally claimed, and configuration issues leading to problems that were predictable years before they happened.

Point of view

Most IT environments have Multi-Factor Authentication enabled. Fewer have it enforced. The gap between those two states is where the breach happens. A policy set to report-only, a conditional access rule with an exception that became permanent, a shared account that predates the rollout and never got cleaned up. The control looks right in the dashboard but it is not doing what the dashboard implies.

Small business IT tends to run on reactive support. Something breaks, someone fixes it, the ticket closes. What that model quietly skips is posture. Nobody owns the question of whether the environment is getting more or less secure over time, because that question does not generate a ticket. The people responsible for keeping the lights on are rarely the same people thinking about what happens when the lights go out, and in small organisations they are usually the same person with not enough hours to do both.

Compliance reports and security posture are not the same thing. A report can show green across every control and still describe an environment that an attacker would find straightforward. The report reflects what was true on the day the data was collected, under the assumptions built into the framework. It does not reflect what your IT provider actually checked last Tuesday, whether your backup has been tested since the server was replaced, or whether the admin account your previous MSP used still exists. Those gaps do not appear in reports. They appear in incidents.

What's here

If you want to know the background, the About page has it, including how I work and the independence commitment that applies to all engagements through this site. If you want to engage me for a piece of work, Services outlines what that looks like, including a fixed-price posture review and other engagements I take on. If you want to read more of my thinking, Writing is where that lives.

Let's talk.

Interested in working together, or just want to connect? Drop me a line and I'll get back to you.

rob@robswain.au