Does your always work when it matters?
Most of the businesses we meet during a Technology Review aren’t unprotected. They’ve got a Cyber Essentials certificate on the wall, antivirus on every machine, and a backup routine that’s been running for years. On paper, they look exactly like a business that’s taken security seriously.
But “compliant” and “protected” aren’t the same thing, and it’s the security gap between them that tends to catch businesses out. A certificate proves you had the right controls in place on the day it was issued. It doesn’t prove those controls are still working, still configured correctly, or that anyone would notice if they quietly stopped.
Here are five patterns we see repeatedly, all common, all easy to miss, and all worth checking against your own security setup.
1. A backup that’s never been restored
Backup software reporting “successful” every night tells you the job ran. It doesn’t tell you the data is actually recoverable. We regularly find backups that have been “working” for months while quietly failing to capture a folder, a database, or a whole server, because nobody has tried restoring from them since the day they were set up. A backup you haven’t tested is a hope, not a security plan. The NCSC’s guide on backing up your data is a good benchmark to check your own routine against.
2. Antivirus with no one behind it
Antivirus blocks known threats automatically, which is exactly why it feels like a “set and forget” tool. The problem is that a growing share of attacks don’t use recognisable malware at all. Instead, they use stolen credentials, or legitimate tools used maliciously, which antivirus was never designed to catch. Without additional security monitoring watching for unusual behaviour, an intruder can operate for days looking like a normal user.
3. A Cyber Essentials certificate that’s a year old and untouched
Cyber Essentials is a snapshot, not a subscription. It confirms your basic security controls (firewalls, access control, patching, malware protection) met the standard on assessment day. If nothing’s been reviewed since, new starters may have more access than they need, software may have gone unpatched for months, and the assessment no longer reflects how the business actually runs today.
4. Alerts that go to an inbox nobody reads
Plenty of security tools are correctly installed and correctly configured, and still useless, because their alerts land in a shared mailbox or a dashboard that only gets opened once a quarter. A security tool that detects a problem is only valuable if a person acts on what it finds, ideally within hours, not weeks.
5. Permissions that have quietly grown over time
Access rights tend to accumulate rather than shrink. Someone gets temporary access to a system for a project and keeps it. A leaver’s account gets disabled but not removed. Over a few years, most businesses end up with far more people able to reach far more data than the business actually intended, all without a single control being technically “broken.”
The common thread
None of these are about missing tools. Every business above had the right things installed. What they lacked was attention: someone regularly checking that the tools were still doing what they were bought to do. A monitored, slightly imperfect security setup will consistently outperform an unmonitored, perfectly documented one, because the monitored one gets fixed before it becomes a headline.
Why this keeps happening
It’s tempting to read all this as a discipline problem, as if the businesses above were careless. In practice, they weren’t. They were busy. Running a business means the person responsible for IT is usually also responsible for half a dozen other things, and security has an awkward habit of only demanding attention on the one day a year something goes wrong. There’s no natural moment where “check the backup actually restores” fights its way onto a to-do list ahead of payroll, a client deadline, or a broken printer.
That’s not a criticism, it’s just how priorities work inside a business that isn’t in the business of IT. And it’s the actual reason most companies end up working with a managed service provider. Not because they can’t understand the tools, but because nobody inside the business has the time, or the reason, to sit and watch them every single week.
A good MSP’s job isn’t to sell you more software. It’s to be the person whose actual role is to remember the things that are easy for everyone else to forget: to test the backup before you need it, to read the alert before it becomes an incident, to notice the leaver’s account that’s still active eight months later. It’s security attention as a service, not just security tools as a service. The value isn’t in the antivirus licence or the backup software itself. You could buy those yourself. It’s in having someone whose job depends on those things actually working, checking on them when you’re rightly focused on running your business.
Where to start
You don’t need to overhaul everything at once. A good starting point is simple: pick one item from the list above and check it this week. Try restoring a file from backup. Ask who actually reviews your security alerts. Pull a list of everyone with admin access and see if it still makes sense.
If that exercise reveals gaps, or simply confirms you don’t have time to keep doing it every month, that’s the point at which most businesses start looking at managed support. Not as an admission of failure, but as a recognition that this kind of ongoing vigilance is genuinely a full-time job, and it’s rarely anyone’s full-time job internally.
If you’d rather have a second pair of eyes look at the whole picture first, that’s exactly what our free Technology Review is for: a no-obligation assessment of your current security setup, with a clear view of what’s working, what’s just quietly assumed to be working, and what to prioritise first.
Book your free Technology Review: www.global4.co.uk/tech-review