Rob Swain

Independent IT consultant

Enterprise architecture and infrastructure background, now working with small and growing businesses.

Point of view

Most of the environments I look at have similar issues: controls that exist on paper and are not enforced in practice, ownership that nobody has formally claimed, and configuration problems that were predictable years before they happened.

Most IT environments have Multi-Factor Authentication enabled. Fewer have it enforced. The gap between those two states is where the breach happens. A policy set to report-only, a conditional access rule with an exception that became permanent, a shared account that predates the rollout and never got cleaned up.

The control looks right in the dashboard, but it is not doing what the dashboard implies.
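A small check for the enabled-versus-enforced gap described above, added here as an illustration and not part of the original page: the data model, policy names, account names and dates are all constructed, and the rule that a policy targets every account unless excluded is a simplification, not any vendor's actual evaluation logic.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed, vendor-neutral model of MFA / conditional-access policies (not a real API).
@dataclass
class MfaPolicy:
    name: str
    state: str                                          # "enforced" or "report_only"
    excluded: set = field(default_factory=set)          # accounts carved out of the policy
    exception_ends: dict = field(default_factory=dict)  # account -> date the carve-out was meant to end
@dataclass
class Account:
    name: str
    created: date
    shared: bool = False

def mfa_gaps(accounts, policies, today, mfa_rollout):
    """Accounts no enforced MFA policy actually applies to, with reasons (a policy targets everyone unless excluded)."""
    gaps = {}
    for acct in accounts:
        if any(p.state == "enforced" and acct.name not in p.excluded for p in policies):
            continue                                    # enforced and applied: genuinely covered
        reasons = []
        for p in policies:
            if p.state == "report_only":
                reasons.append(f"'{p.name}' is report-only: it logs, it does not block")
            else:                                       # enforced, so this account must be excluded
                ends = p.exception_ends.get(acct.name)
                if ends is None:
                    reasons.append(f"excluded from '{p.name}' with no end date")
                elif ends < today:
                    reasons.append(f"exception in '{p.name}' was due to end {ends} but is still in place")
                else:
                    reasons.append(f"temporarily excluded from '{p.name}' until {ends}")
        if acct.shared and acct.created < mfa_rollout:
            reasons.append("shared account that predates the MFA rollout")
        gaps[acct.name] = reasons
    return gaps

# Constructed sample environment: a report-only policy for everyone, an enforced policy with carve-outs.
TODAY, ROLLOUT = date(2024, 6, 1), date(2021, 1, 1)
POLICIES = [MfaPolicy("All users - require MFA", "report_only"),
            MfaPolicy("Admins - require MFA", "enforced", excluded={"svc-legacy", "reception"},
                      exception_ends={"svc-legacy": date(2023, 1, 31)})]
ACCOUNTS = [Account("alice.admin", date(2022, 3, 1)), Account("svc-legacy", date(2019, 7, 1)),
            Account("reception", date(2018, 2, 1), shared=True)]

if __name__ == "__main__":                              # the dashboard says MFA is on; this says for whom it is not
    for name, reasons in mfa_gaps(ACCOUNTS, POLICIES, TODAY, ROLLOUT).items():
        print(f"{name}: " + "; ".join(reasons))
```

Run against the constructed data, both policies show as "enabled", yet two of the three accounts end up with no enforced MFA policy applying to them.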

Small business IT tends to run on reactive support. Something breaks, someone fixes it, the ticket closes. What that model quietly skips is posture. Nobody owns the question of whether the environment is getting more or less secure over time, because that question does not generate a ticket. The people responsible for keeping the lights on are rarely the same people thinking about what happens when the lights go out, and in small organisations they are usually the same person with not enough hours to do both.

Compliance reports and security posture are not the same thing. A report can show green across every control and still describe an environment that an attacker would find straightforward. The report reflects what was true on the day the data was collected, under the assumptions built into the framework. It does not reflect what your IT provider actually checked last Tuesday, whether your backup has been tested since the server was replaced, or whether the admin account your previous MSP used still exists. Those gaps do not appear in reports. They appear in incidents.

Let's talk.

Interested in working together, or just want to connect? Drop me a line and I'll get back to you.

rob@robswain.au