The 5 security mistakes every growing SME makes
Most SMEs don't get breached by zero-day exploits or nation-state actors. They get breached because the person who built the website three years ago never set up DMARC, and a Nigerian fraudster just sent a phishing email to their 4,000 customers.
Here are the five mistakes we see in virtually every SME we scan.
1. Nothing blocks someone from impersonating your email
Without a proper DMARC record, anyone on the internet can send an email that looks like it came from you. This is not theoretical — it is happening to your domain right now. Attackers send your customers invoices carrying the attacker's own bank details, send your employees fake password-reset requests, and send your suppliers wire-transfer instructions.
The fix: publish an SPF record, set up DKIM with your email provider, and publish a DMARC record with at least p=quarantine. 30 minutes of DNS work, forever of protection.
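As an added example (not code from the original post), here is a small offline checker that grades the SPF and DMARC records the fix above asks for. The records are constructed samples, the grading rules are my own, and it goes slightly beyond the text by also flagging the sp=, pct= and rua= tags and the SPF DNS-lookup limit.

```python
"""Offline SPF/DMARC grader. Records are assumed already fetched from DNS;
the sample values used in the test are constructed, not real domains."""
from __future__ import annotations

DNS_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_tags(record: str) -> dict[str, str]:
    """Split a DMARC-style 'k=v; k=v' record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, _, v = part.strip().partition("=")
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(record: str | None) -> list[str]:
    """Return findings for the domain's SPF TXT record (None = not published)."""
    if record is None or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record published"]
    findings, terms = [], record.split()[1:]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders are not rejected")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"SPF: '{all_terms[-1]}' lets any host send as you")
        elif qualifier == "~":
            findings.append("SPF: '~all' only softfails forged mail; prefer '-all'")
    # RFC 7208 allows at most 10 DNS-querying terms; more yields permerror.
    names = [t.lower().lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0] for t in terms]
    lookups = sum(1 for n in names if n in DNS_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10")
    return findings


def check_dmarc(record: str | None) -> list[str]:
    """Return findings for the TXT record at _dmarc.<domain> (None = missing)."""
    if record is None:
        return ["DMARC: no record at _dmarc.<domain>; forged mail is not filtered"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings, policy = [], tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; use p=quarantine or p=reject")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you will not see who sends as you")
    return findings


def grade(spf: str | None, dmarc: str | None) -> tuple[str, list[str]]:
    """'protected' only when SPF hard-fails unlisted hosts and DMARC enforces."""
    findings = check_spf(spf) + check_dmarc(dmarc)
    return ("protected" if not findings else "exposed"), findings
```

Feed it the TXT records returned for `example.com` and `_dmarc.example.com`; an empty findings list is the state the fix above describes.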
2. Your SSL certificate is going to expire on a Sunday
It always does. Traffic drops to zero, your team panics, you rush an email to your hosting provider at 2 AM. By the time the cert is renewed, you've lost 6 hours of revenue and a lifetime of customer trust.
The fix: monitor SSL expiry with at least 30-day and 7-day alerts. Auto-renew where the registrar supports it. Keep two redundant notification channels — one email account can silently fill.
3. /wp-admin is publicly accessible from the open internet
If you run WordPress, attackers are hitting your login page thousands of times per day with stolen credentials. Eventually one works.
The fix: restrict /wp-admin by IP, add two-factor authentication to all admin users, rate-limit the login endpoint, and never use the username admin.
4. Your backup strategy is "we have a hosting provider"
Hosting providers back up servers for their own operational resilience — not to give you a restore point when your database gets encrypted. When ransomware hits, the last working backup you control is the one that saves you.
The fix: nightly offsite backups you can restore from without involving your hosting provider. Test the restore at least quarterly. If you have never actually restored from your backup, you do not have a backup — you have hope.
5. You have no idea how your score compares to your peers
Even if you know your own domains are in good shape, you don't know how your posture compares to similar-sized businesses in your industry. This matters because cyber insurance, enterprise procurement questionnaires, and M&A due diligence all benchmark you against peers.
The fix: get a continuous security score, track it over time, and know where your gaps are relative to the industry average.