The most common security gaps we see in growing UK businesses

1. User access that hasn’t been reviewed

Growth usually means more staff, more roles and more permissions.

What we often find is:

• Former employees still having active accounts
• Staff with access they no longer need
• Shared logins still being used “temporarily”

This creates unnecessary exposure. If an account is compromised, the impact is far greater than it needs to be.

Why it matters
The UK Government’s Cyber Security Breaches Survey consistently shows that stolen credentials are one of the most common ways attackers gain access to systems.

What good looks like

• Regular user access reviews
• Clear ownership of who approves access
• Removal of accounts immediately when someone leaves

2. Multi-factor authentication not fully enforced

Many businesses believe MFA is “done” because it’s enabled somewhere.

In reality, we often see:

• MFA applied to email but not cloud apps
• Admin accounts without additional protection
• Legacy systems excluded “for convenience”

Attackers actively target accounts without MFA because they are far easier to compromise.

What good looks like

• MFA enforced across all core systems
• Extra controls on admin and privileged accounts
• Regular testing to make sure it’s actually working

3. Backups that exist but aren’t tested

Backups are a perfect example of false reassurance.

We regularly see:

• Backups running but never tested
• No clear understanding of what’s included
• Restore times that don’t match business needs

When ransomware or system failure hits, this is when the cracks appear.

What good looks like

• Regular backup testing and reporting
• Clear recovery time objectives
• Offline or immutable backups for critical systems

4. Outdated devices and unsupported software

As teams grow, hardware refresh cycles often get pushed back.

Common issues include:

• Laptops running out-of-date operating systems
• Software no longer receiving security updates
• Personal devices accessing business data without controls

These systems become easy entry points for attackers.

What good looks like

• Standardised device policies
• Supported operating systems only
• Clear rules around personal device access

5. Security responsibility spread too thinly

In many growing businesses, security becomes “everyone’s job”, which often means no one truly owns it.

We see:

• No single person accountable for security decisions
• Important updates delayed due to competing priorities
• Risk accepted by default rather than by design

What good looks like

• Clear ownership, even if security isn’t a full-time role
• Regular risk reviews aligned to the business
• Decisions documented and revisited as the business grows

6. Limited visibility of what’s actually in place

Many leaders assume their business is secure but haven’t seen the full picture.

Typical gaps include:

• No central view of devices, users and licences
• Security tools overlapping or missing key areas
• Decisions based on assumptions rather than evidence

This makes it hard to manage risk confidently.

What good looks like

• A clear, up-to-date view of the IT estate
• Regular reporting that makes sense to non-technical leaders
• Security aligned to business priorities, not just tools