
5 Cybersecurity Risks Every SMB Ignores (And How to Fix Them)

Small and mid-sized businesses are the favorite target of cybercriminals — not because they're careless, but because they're under-resourced. The threats that take down a 50-person company aren't exotic. They're the same five gaps that show up in almost every breach report. This is what they look like, and the one fix that actually addresses each one.

43% of attacks target SMBs
$4.45M avg. data breach cost (2023)
83% of SMBs lack cyber insurance
60% close permanently after breach
RISK 1: No Formal Risk Assessment

What it is

Most SMBs have no structured process for identifying their own vulnerabilities. They don't know what systems hold sensitive data, which ones are exposed to the internet, or what a breach would actually look like for their business. The "we haven't had a problem yet" approach is not a risk assessment — it's optimism.

The impact

Without knowing your gaps, you can't close them. Businesses that skip assessments repeatedly fall victim to the same attack patterns that have been documented for years — misconfigured servers, open ports, unpatched software — because no one's actively looking for them. The 2023 MGM Resorts breach started with a basic social engineering call. No assessment needed — just an opportunist who found a gap.

One fix

Run a structured technology risk assessment annually. Use a framework (NIST CSF is free) to evaluate your Identify, Protect, Detect, Respond, and Recover capabilities. You don't need a $50k consultant — tools like Stratavise's free assessment give you a baseline in under 10 minutes, covering the 20% of gaps that cause 80% of the damage.

RISK 2: Unpatched and Unmaintained Systems

What it is

Critical software updates get delayed, sometimes indefinitely. The firewall firmware that was supposed to be updated last quarter. The server still running Windows Server 2016 because "it works fine." Legacy systems that can't be updated because the person who configured them left. This is the norm at most SMBs, not the exception.

The impact

The WannaCry ransomware attack in 2017 exploited a Windows vulnerability that Microsoft had already patched two months before. The businesses hit were the ones that hadn't patched. The Equifax breach exposed 147 million people via an unpatched Apache Struts vulnerability — a patch existed. Modern ransomware groups actively scan for unpatched systems because it's reliable. They automate their scanning; you have to automate your patching to stay current.

One fix

Implement automated patching for all operating systems, firmware, and third-party applications. Use a tool that can push updates across your entire fleet without manual intervention — and set a policy that critical security patches are applied within 72 hours of release, regardless of other planned changes. The discipline is not "patch everything immediately"; it's "patch critical stuff fast."
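The 72-hour rule above only helps if someone checks it. As an added example (not code from the article or from Stratavise), here is a small compliance report that takes a patch inventory, compares each pending or installed patch against the policy window for its severity, and lists the breaches worst-first. The hosts, patch ids and dates are constructed for the demo, and the 30-day window for non-critical updates is an assumption; your patching tool's export will have its own field names to map onto these.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy from the article: critical security patches applied within 72 hours of
# release. The 30-day window for everything else is an assumption made here.
SLA_HOURS = {"critical": 72, "high": 30 * 24, "moderate": 30 * 24, "low": 30 * 24}


@dataclass(frozen=True)
class PendingPatch:
    host: str
    patch_id: str                  # constructed placeholder ids, not real KB numbers
    severity: str                  # "critical", "high", "moderate" or "low"
    released: datetime             # vendor release time, UTC
    installed: Optional[datetime]  # None while the patch is still pending


def sla_deadline(patch: PendingPatch) -> datetime:
    """Latest acceptable install time under the policy for this severity."""
    try:
        window = SLA_HOURS[patch.severity.lower()]
    except KeyError:
        raise ValueError(f"unknown severity {patch.severity!r} for {patch.patch_id}")
    return patch.released + timedelta(hours=window)


def hours_overdue(patch: PendingPatch, now: datetime) -> float:
    """Hours past the SLA deadline; negative means still inside the window.
    An installed patch is judged by its install time rather than by 'now'."""
    reference = patch.installed if patch.installed is not None else now
    return (reference - sla_deadline(patch)).total_seconds() / 3600


def sla_report(patches, now):
    """Return (breaches, compliance_rate). A breach is any patch that is, or was,
    installed later than its SLA deadline. Critical breaches sort first, then by
    how far overdue they are."""
    breaches = []
    for p in patches:
        overdue = hours_overdue(p, now)
        if overdue > 0:
            state = "pending" if p.installed is None else "installed late"
            breaches.append((p.host, p.patch_id, p.severity, state, round(overdue, 1)))
    breaches.sort(key=lambda b: (b[2] != "critical", -b[4]))
    rate = 1.0 if not patches else 1 - len(breaches) / len(patches)
    return breaches, rate


def sample_inventory():
    """Constructed inventory for the demo; not from any real environment."""
    u = timezone.utc
    return [
        PendingPatch("srv-dc01", "EXAMPLE-CRIT-001", "critical",
                     datetime(2024, 3, 5, 12, tzinfo=u), None),
        PendingPatch("fw-edge", "EXAMPLE-CRIT-002", "critical",
                     datetime(2024, 3, 9, 12, tzinfo=u), None),
        PendingPatch("app-web01", "EXAMPLE-MOD-001", "moderate",
                     datetime(2024, 1, 20, 12, tzinfo=u), None),
        PendingPatch("ws-042", "EXAMPLE-LOW-001", "low",
                     datetime(2024, 3, 1, 12, tzinfo=u), None),
        PendingPatch("srv-file01", "EXAMPLE-CRIT-003", "critical",
                     datetime(2024, 3, 1, 12, tzinfo=u),
                     datetime(2024, 3, 2, 12, tzinfo=u)),  # installed within 24h
    ]


NOW = datetime(2024, 3, 10, 12, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    breaches, rate = sla_report(sample_inventory(), NOW)
    for host, pid, sev, state, hrs in breaches:
        print(f"{host:12} {pid:18} {sev:9} {state:15} {hrs:7.1f}h over SLA")
    print(f"SLA compliance: {rate:.0%}")
```

Running this against the constructed inventory flags the domain controller (critical, 48 hours past its 72-hour deadline) ahead of the web server (moderate, 20 days overdue), while the patch installed a day after release and the critical patch released yesterday are left alone. Scheduling a report like this weekly turns the policy into something a manager can actually see.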

RISK 3: No Security Awareness Training

What it is

Employees are the most likely entry point for an attack, and most SMBs have never trained them. No phishing simulations. No onboarding security guidance. No clear instructions on what to do if something looks suspicious. The average employee receives dozens of business emails a day — they're an attractive attack vector precisely because they're untrained.

The impact

Phishing-related breaches account for over 80% of reported incidents in SMBs. The 2023 SolarWinds-class supply chain attacks started with a single employee who clicked a link. Credential stuffing works at scale because people reuse passwords. One employee's untrained click can take down an entire organization — and most of the time it never gets reported, because the employee didn't know anything was wrong.

One fix

Run quarterly phishing simulations using a tool like KnowBe4 or the free templates available in Microsoft 365. Pair simulations with micro-training (5-minute modules, not hour-long webinars) on how to spot phishing, report suspicious emails, and handle credential requests. Measure click rates over time — if you go from 35% click rate to under 5%, you've materially reduced your risk.

RISK 4: Weak Access Controls and Credential Management

What it is

Shared passwords. Default admin credentials. No multi-factor authentication (MFA). Former employees still listed in Active Directory. VPN access granted permanently rather than just-in-time. This is endemic at SMBs — not because IT is negligent, but because the friction of good credential hygiene feels like it slows down the business.

The impact

The 2021 Colonial Pipeline attack — which triggered a multi-state fuel supply emergency — started with a single compromised VPN password. No zero-day exploit needed. The Lapsus$ group repeatedly breached companies using purchased or leaked credentials from dark web dumps. If your employees reuse passwords (they do), and a third-party service gets breached (they do), your credentials are already for sale. Without MFA, a password is all an attacker needs.

One fix

Enforce MFA on all external-facing applications (email, VPN, cloud storage, financial platforms) — this single step stops the majority of credential-based attacks. Enforce it via your identity provider (Microsoft Entra, Google Workspace) rather than relying on individual apps. Also: audit your service accounts and rotate any default or shared credentials. Use a password manager to eliminate password reuse across your organization.
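The audit step is the part most SMBs skip because nobody has written down what "bad" looks like. As an added example (not code from the article or from Stratavise), here is the checklist from this section expressed as a script that runs over a directory export and returns prioritized findings: former employees still enabled, users without MFA, shared or default-named accounts, service account passwords that have never been rotated, and accounts nobody has signed into for months. The account records are constructed for the demo; the 90-day and 365-day thresholds and the `employed` and `shared` fields (which would come from an HR feed or your own tagging) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds are assumptions for this example, not figures from the article.
STALE_DAYS = 90                    # no sign-in for this long -> review the account
SERVICE_PASSWORD_MAX_DAYS = 365    # service credentials older than this need rotating
DEFAULT_NAMES = {"admin", "administrator", "root", "guest"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                       # "user" or "service"
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[datetime]  # None if the account has never signed in
    password_set: datetime
    employed: bool                  # assumed field: False once HR records a departure
    shared: bool                    # assumed field: known to be used by several people


def audit_accounts(accounts, now):
    """Return findings as (account, issue, severity) tuples, worst first.
    Disabled accounts are skipped because they cannot be used to sign in."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.kind == "user" and not a.employed:
            findings.append((a.name, "former employee still enabled", "critical"))
        if a.kind == "user" and not a.mfa_enrolled:
            findings.append((a.name, "no MFA enrolled", "high"))
        if a.shared:
            findings.append((a.name, "shared credential", "high"))
        if a.name.lower() in DEFAULT_NAMES:
            findings.append((a.name, "default account name, rotate and rename", "high"))
        if a.kind == "service" and (now - a.password_set).days > SERVICE_PASSWORD_MAX_DAYS:
            findings.append((a.name, "service account password not rotated", "high"))
        if a.last_login is None or (now - a.last_login).days > STALE_DAYS:
            findings.append((a.name, f"no sign-in in {STALE_DAYS} days", "medium"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[2]], f[0]))
    return findings


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"


def sample_directory():
    """Constructed directory export for the demo; not from any real tenant."""
    d = lambda days: NOW - timedelta(days=days)
    return [
        Account("jdoe", "user", True, True, d(5), d(30), True, False),        # clean
        Account("bsmith", "user", True, False, d(120), d(400), False, False),  # left the company
        Account("admin", "user", True, False, d(2), d(800), True, True),       # shared default admin
        Account("svc-backup", "service", True, False, d(1), d(600), True, False),
        Account("tjones", "user", False, False, d(300), d(500), False, False), # already disabled
    ]


if __name__ == "__main__":
    for name, issue, severity in audit_accounts(sample_directory(), NOW):
        print(f"[{severity:8}] {name:12} {issue}")
```

On the constructed export the still-enabled former employee comes out on top, followed by the shared `admin` account (three separate findings: no MFA, shared, default name) and the backup service account whose password is over a year old; the disabled `tjones` account produces nothing. Service accounts are deliberately excluded from the MFA check because they cannot complete an interactive challenge; the fix for them is rotation and scoping rather than MFA.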

RISK 5: No Incident Response Plan

What it is

When something goes wrong — a ransomware note appears, a server starts behaving strangely, an employee reports suspicious activity — most SMBs have no plan. No one knows who to call, what to disconnect, or how to communicate. Time spent figuring out what to do in the moment is time the attacker is also using to move deeper into your network.

The impact

Businesses with a documented incident response plan reduce breach costs by an average of $2.66M compared to those without one (IBM/Ponemon 2023). Beyond cost: during a breach is the worst possible time to discover your backups are also encrypted, your MSP contact is on vacation, and you don't know who your cyber insurance carrier is. The decisions you make in the first 24 hours of a breach determine the scope of the damage.

One fix

Write a one-page incident response plan covering three things: who to call (your MSP, your cyber insurance carrier, a legal team with breach experience), what to disconnect first (backup systems, domain controllers), and how to communicate (use personal phones if your email is compromised — don't use the same channel the attacker compromised). Test it annually in a tabletop exercise. The plan doesn't need to be long; it needs to be clear and known.

Know where you stand in 10 minutes.

Stratavise's free technology risk assessment covers all 5 of these gaps and more. Get a severity-rated score and actionable findings — no account required.
