Cybersecurity & Risk


The Top 10 Cybersecurity Mistakes SMBs Make — and How to Fix Them the Right Way

Most SMB leaders don’t ignore cybersecurity — they delegate it.

And that delegation often turns security into a collection of tools, tasks, and reminders rather than a system with clear priorities and ownership. The result isn’t negligence, but misalignment: effort without structure, protection without consistency.

That disconnect is why many cybersecurity failures feel surprising in hindsight, even though the warning signs were there all along.

For small and mid-sized businesses, cybersecurity risk usually builds through everyday decisions that seem reasonable at the time — especially with limited staff, tight budgets, and competing priorities.

Meanwhile, attackers have become faster and more automated. According to the Verizon Data Breach Investigations Report, credential theft, phishing, and exploited vulnerabilities now dominate how breaches begin — and SMBs are frequently targeted because defenses are inconsistent, not nonexistent.

Below are the 10 most common cybersecurity mistakes SMBs make, why they happen, and what fixing them the right way looks like from a business-first perspective.

1. Treating Cybersecurity as an IT Task Instead of a Business Risk

Many businesses leave cybersecurity entirely to IT, which often means leadership isn’t actively involved in risk decisions. Without clear ownership, priorities shift, decisions slow down, and security efforts become inconsistent.

The National Institute of Standards and Technology (NIST) emphasizes that cybersecurity is an enterprise risk — similar to financial or operational risk — and should be reviewed regularly by leadership. When leaders set expectations and direction, security decisions become clearer and more aligned with business goals.

2. Underestimating Identity Risk and Delaying Multi-Factor Protection

Stolen login credentials remain one of the most common ways attackers gain access, yet many SMBs still rely on passwords alone. This puts email, remote access, and cloud tools at unnecessary risk.


The Cybersecurity and Infrastructure Security Agency (CISA) lists multi-factor authentication as one of the most effective and accessible protections for small businesses. Adding a second verification step dramatically reduces unauthorized access without major disruption.

3. Letting Software and Systems Go Unpatched

Outdated software continues to be a leading cause of cyber incidents because attackers quickly exploit known weaknesses. Many businesses delay updates due to fear of downtime or unclear responsibility.

It’s crucial to prioritize updates for the most exposed systems and maintain a predictable update schedule. Staying reasonably current matters far more than being perfect.

4. Treating Security Awareness as a Once-a-Year Activity

Annual training sessions don’t prepare employees for the constant stream of phishing emails and scam messages they face. The Federal Trade Commission (FTC) stresses that ongoing awareness and simple reporting habits are far more effective than one-time instruction.

When employees know what to watch for and how to report concerns quickly, incidents are caught sooner and cause less damage.

5. Assuming Backups Are Reliable Without Testing Them

Many businesses believe they’re protected because backups exist — but they’ve never tested whether those backups can actually be restored. In ransomware incidents, backups that are connected to live systems are often targeted first.

Isolate backups from live systems and routinely test recovery, so that downtime is predictable instead of chaotic. A backup that hasn’t been tested is a risk, not a safeguard.

6. Lacking a Clear Incident Response Plan

When a cyber incident occurs, confusion costs time and money. Without a documented plan, teams struggle to decide who should act, what steps to take, and how to communicate.


Even small businesses should maintain a simple, practiced response plan so actions are coordinated instead of reactive. Preparation turns high-stress moments into manageable situations.

7. Losing Visibility Over Apps and Tools in Use

Employees often adopt new software to stay productive, but unmanaged tools can create blind spots for data access and security. Over time, information spreads across systems no one fully tracks.

Businesses should maintain visibility into approved tools and control access through centralized accounts. Knowing what’s in use is the foundation of protecting it.

8. Assuming Security Tools Work Without Oversight

Installing security software is important, but tools alone don’t stop threats. Alerts need to be monitored, investigated, and acted on in real time. CISA highlights the importance of pairing technology with clear responsibility, so warnings lead to action, not silence. Security improves when there’s consistent attention, not just installed software.


9. Overlooking Risks Introduced by Vendors and Partners

Many SMBs share data or system access with vendors yet rarely verify how those partners protect information. If a third party is compromised, your business may still suffer the consequences. Hence, identifying which vendors are critical and setting minimum security expectations are essential. Trust matters — but visibility and accountability matter more.

10. Ignoring Legal and Reporting Obligations

Cyber incidents often come with legal and reporting obligations, especially when customer or employee data is involved. Many businesses only consider these requirements after an incident occurs. The FTC outlines clear expectations for protecting data and responding appropriately to breaches. Preparing in advance helps businesses act responsibly and avoid unnecessary penalties or reputational damage.

What This Means for SMB Leaders

Most cybersecurity mistakes SMBs make aren’t caused by neglect.

They’re caused by lack of structure.

Cybersecurity works best when it’s treated as an ongoing business system — one with ownership, priorities, testing, and visibility. The strongest security programs don’t rely on fear or complexity. They rely on clarity, consistency, and intentional decisions that reflect how the business actually operates.

A good next step isn’t buying another tool.
It’s understanding where risk truly lives in your environment — and whether your current approach matches that reality.


Frequently Asked Questions

1. What is the biggest cybersecurity risk for SMBs today?
Credential theft combined with weak identity controls remains the most common entry point.

2. How often should SMBs test backups?
At least quarterly for critical systems, with documented RTO/RPO.

3. Is MFA really necessary for small businesses?
Yes — especially for email, remote access, and admin accounts. It’s now baseline, not advanced.

4. Do SMBs need a formal incident response plan?
Yes. Even a one-page plan dramatically improves response speed and outcomes.

5. How does managed IT help with cybersecurity?
By providing structure: governance, monitoring, prioritization, and accountability — not just tools.


Microsoft Entra Phishing Attacks: When Legitimate Login Pages Are Abused

Traditional phishing gets caught because the domain looks wrong, the certificate is odd, or email scanners flag the URL. These newer techniques sidestep many of those controls by working through Microsoft’s own endpoints or by using legitimate tenant branding and redirects.

The result: email gateways and users who check the URL can be fooled more easily, and the phishing page can behave like a normal login flow — even asking for additional “info” (custom attributes) or re-prompting for MFA — and still be on a Microsoft domain. That’s why defenders and detection engineers are now treating OAuth and Entra sign-in telemetry as first-class hunting signals.

What attackers can actually do

  • Trick users into signing into a malicious tenant or redirect chain that still uses login.microsoftonline.com.
  • Capture passwords, session cookies, or OAuth tokens and then exchange them for access.
  • Use custom branding or fonts to visually spoof email addresses or buttons, making the experience look legitimate.
  • Abuse self-service signup flows and custom attributes to capture credentials without redirecting off Microsoft pages.
  • Even intercept on-prem password validation (PTA) flows to grab clear-text passwords and OTPs in some cases.

So — how worried should you be?

If you’re using Microsoft 365/Entra with standard settings, there’s risk, especially for high-value targets (execs, finance, IT) and users who receive external links often. The bad news: these attacks are stealthier than classic phishing. The good news: they leave telemetry.

If you know where to look (OAuth grants, weird client IDs, suspicious device registration activity, token exchanges), you can detect and respond. Security hygiene still matters and it still helps — it’s just a little more technical now.

9 Concrete, practical steps we recommend (we’ll do these for you)

1. Enforce phishing-resistant MFA (FIDO2 / Windows Hello / certificate-based)

Move high-risk and admin accounts away from SMS/OTP and toward hardware or platform-bound MFA. Attackers capturing an OTP or password may still be stopped by phishing-resistant methods.

2. Tighten Conditional Access & block risky flows

  • Deny legacy and less secure auth flows unless explicitly required.
  • Require device compliance and limit token lifetimes where practical.
  • Block sign-ins that request unusual OAuth scopes or originate from unknown client IDs.

These controls increase the attacker’s effort and create signal for detection.

3. Control app registration & consent

  • Limit who can register applications and consent to permissions.
  • Disable or tightly control self-service app signup and external user self-service where not needed.
  • Implement admin-approved app consent policies to stop rogue apps from getting persistent access.

4. Lock down custom branding & review tenant configuration

Custom branding can be abused to spoof UI elements or fonts. Audit branding changes, remove unnecessary tenant templates, and treat brand files like code — only trusted admins can change them.

5. Hunt for OAuth/Entra anomalies

We’ll set up detection rules to look for: unexplained token exchanges, refresh token usage by unusual client IDs, device registration spikes, concurrent sign-ins from geographically disparate IPs, and authorization flows that finish and then promptly register devices. These are high-value signals that Elastic, Volexity and other researchers have called out as red flags.
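As an added example (not code from the original post or from InfiNet), here is the detection logic for three of the signals above, run over constructed sign-in and device-registration events in a simplified, assumed schema; the field names, client IDs and the 15-minute window are assumptions, not the real Entra log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified schema (not the real Entra
# sign-in/audit log format). app_id stands in for the OAuth client ID seen at sign-in.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "cfo@example.com", "type": "signin",
     "app_id": "app-outlook", "country": "US"},
    {"ts": "2024-05-01T09:04:00", "user": "cfo@example.com", "type": "signin",
     "app_id": "app-unknown-7f", "country": "NL"},
    {"ts": "2024-05-01T09:06:00", "user": "cfo@example.com", "type": "device_registered",
     "app_id": "app-unknown-7f", "country": "NL"},
    {"ts": "2024-05-01T10:00:00", "user": "dev@example.com", "type": "signin",
     "app_id": "app-teams", "country": "US"},
    {"ts": "2024-05-01T12:30:00", "user": "dev@example.com", "type": "device_registered",
     "app_id": "app-teams", "country": "US"},
]
# Allow-list of client IDs the tenant expects to see (hypothetical values).
KNOWN_APPS = {"app-outlook", "app-teams"}

def hunt(events, known_apps=KNOWN_APPS, window=timedelta(minutes=15)):
    """Return (user, rule, detail) tuples for the OAuth/Entra signals above."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "dt": datetime.fromisoformat(e["ts"])})
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["dt"])
        last_signin = None  # most recent sign-in for this user, used by the sequence rules
        for e in evs:
            if e["type"] == "signin":
                # Rule 1: sign-in by a client ID the tenant does not recognise.
                if e["app_id"] not in known_apps:
                    findings.append((user, "unknown_client_id", e["app_id"]))
                # Rule 2: two sign-ins from different countries inside the window.
                if (last_signin and e["country"] != last_signin["country"]
                        and e["dt"] - last_signin["dt"] <= window):
                    findings.append((user, "disparate_geo",
                                     f'{last_signin["country"]}->{e["country"]}'))
                last_signin = e
            elif e["type"] == "device_registered":
                # Rule 3: an auth flow that completes and then promptly registers a device.
                if last_signin and e["dt"] - last_signin["dt"] <= window:
                    findings.append((user, "signin_then_device_registration", e["app_id"]))
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The dev user's device registration falls outside the window of any sign-in and is not flagged, which is the benign baseline these rules must not alert on.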

6. Monitor PTA & on-prem auth paths

If a tenant uses Pass-Through Authentication (PTA) or has on-prem agents, monitor and limit who can install agents. Treat PTA endpoints like critical servers and protect them accordingly — they can leak plaintext passwords if compromised.

7. Tighter app-and-redirect hygiene

Only allow trusted redirect URIs; remove old app registrations; and require admin approval for apps that request high-impact scopes (Mail.Read, Files.Read.All, Directory.Read.All).

Think of app registrations like service accounts: audit them monthly.

8. User education — but realistic

Train users to expect unusual MFA prompts and to verify consent dialogs, but don’t rely on humans alone. Teach execs to verify unexpected “re-sign in” requests with a quick call. We also recommend regular, realistic phishing simulations that include OAuth-style flows so users and controls are tested together.

9. Incident plan: tokens ≠ passwords

If we detect compromise, assume tokens are abused. Revoke refresh tokens, remove app consents, force device re-enrollment, and rotate credentials. This is faster and more effective than password resets alone in many token-based attacks.

What’s next?

This class of attacks shows attackers leveling up: they’re weaponizing trust — not just tricking users into typing passwords, but using Microsoft’s trust signals against us. That means prevention and detection must work together: harden the platform and hunt the telemetry.

The good news: these techniques leave footprints if you know what to look for. We do. You don’t have to learn every obscure attack; you just need an MSP who does.
