There's a specific moment in almost every IT audit I run. The business owner is watching me go through their Google Workspace Admin Console, and I check something simple — like whether two-factor authentication is turned on for all their users. It isn't. It never is. And the look on their face says it all: I knew we should have done something about that.
This isn't a criticism. It's a pattern. I've seen it in agencies, consultancies, recruitment firms, accountancy practices — every type of small business that runs on Google Workspace and doesn't have someone whose job it is to manage IT. The problems are always the same, and they're always fixable.
Here's what I find in almost every audit, and the three things you should fix first.
Small businesses between about 5 and 30 people sit in a difficult gap. You're too big to run everything on personal Gmail accounts and hope for the best. But you're too small to justify hiring a full-time IT person. So what happens?
Usually, one of two things. Either the business owner ends up managing IT themselves — setting up accounts, resetting passwords, occasionally Googling "how to set up DKIM" at 11pm — or nobody does it at all. A Workspace was set up years ago, it broadly works, and everyone assumes it's fine because nothing has visibly gone wrong.
"The problem with 'nothing has visibly gone wrong' is that most IT security issues are invisible until they aren't."
A compromised account doesn't announce itself. An ex-employee who still has access to your Shared Drive isn't going to send you a polite notification. And the person sending phishing emails from your domain — you won't know about that until a client asks why you just sent them a fake invoice.
I run a 20-point security audit on every new engagement. Four categories: identity and access, email security, data governance, and device management. Scored out of 215. The average first-time score is somewhere around 95 — which sounds passable until you realise the most critical checks are often the ones that fail.
Here's what comes up almost every time:
Unenforced MFA is the single biggest security risk for most small businesses, and it's the easiest to fix. MFA (multi-factor authentication, also called two-factor or 2FA) means that even if someone gets hold of a password, they can't log in without a second verification, usually a code on a phone.
Most businesses I audit have MFA turned on for the owner but not enforced for the whole team. Some have it "available" but not required, which means in practice nobody's using it. It takes about 15 minutes to enforce across your entire Google Workspace and it eliminates the vast majority of account compromise attacks.
What to do: Go to your Google Admin Console → Security → Authentication → 2-step verification. Turn on enforcement. Give your team a week's notice and a clear guide on how to set it up. If you need a guide, Bulwark's MFA setup guide is free.
SPF, DKIM, and DMARC. Three acronyms that most business owners have never heard of, and that determine whether anyone in the world can send emails that look like they come from your company.
Here's what they do in plain English:
Most businesses I audit are missing at least one of these. Many are missing all three. The result is that anyone can send an email that looks like it comes from your company. This isn't theoretical. It happens constantly.
What to do: Check your records at MXToolbox. Enter your domain and check SPF, DKIM, and DMARC. If any of them come back missing or misconfigured, this needs fixing.
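To show what a check of those three records actually looks at, here is an added example (not Bulwark's audit tooling, and not the MXToolbox checker) that parses SPF, DKIM and DMARC TXT records offline and reports the weak settings an auditor would flag. The domain, records and report address in it are constructed for illustration; paste in the TXT records a DNS lookup returns for your own domain to run it for real.

```python
"""Offline checks of a domain's SPF, DKIM and DMARC TXT records.

Added example, not Bulwark's tooling. Paste in the TXT records a DNS lookup
(or MXToolbox) returns for your domain and it lists the gaps an auditor would
flag. All records, domains and addresses below are constructed samples.
"""
import re
from typing import Optional

# Constructed sample records for a hypothetical domain. The DKIM key is
# truncated; a real p= value is a full base64-encoded public key.
SAMPLE_RECORDS = {
    "spf": "v=spf1 include:_spf.google.com ~all",
    "dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10.
SPF_LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "redirect", "ptr"}
ALL_TERM = re.compile(r"[+\-~?]?all", re.I)


def parse_tags(record: str) -> dict:
    """Split 'tag=value; tag=value' syntax (DKIM and DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        tag, sep, value = part.strip().partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags


def check_spf(record: Optional[str]) -> list:
    """SPF names the servers allowed to send mail for the domain."""
    if not record:
        return ["SPF: no record published, any server can send as your domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    findings = []
    # The final 'all' term is the verdict for every server not listed.
    all_terms = [t for t in terms[1:] if ALL_TERM.fullmatch(t)]
    if not all_terms:
        findings.append("SPF: no 'all' term, unlisted senders get no verdict")
    elif all_terms[-1].lower() in ("all", "+all"):
        findings.append("SPF: '+all' authorises every server on the internet")
    elif all_terms[-1].lower() == "?all":
        findings.append("SPF: '?all' is neutral, unlisted senders are not rejected")
    lookups = 0
    for term in terms[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10, receivers return permerror")
    return findings


def check_dkim(record: Optional[str]) -> list:
    """DKIM publishes the public key receivers use to verify your signatures."""
    if not record:
        return ["DKIM: no key published for this selector, mail cannot be verified"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v= is optional in DKIM
        findings.append("DKIM: unexpected version tag")
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag means the key has been revoked")
    return findings


def check_dmarc(record: Optional[str]) -> list:
    """DMARC tells receivers what to do when SPF and DKIM fail, and where to report."""
    if not record:
        return ["DMARC: no policy published, receivers deliver spoofed mail"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= policy")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, you get no aggregate reports")
    return findings


def audit_email_auth(records: dict) -> dict:
    """Run all three checks; an empty list means that record passed."""
    return {
        "spf": check_spf(records.get("spf")),
        "dkim": check_dkim(records.get("dkim")),
        "dmarc": check_dmarc(records.get("dmarc")),
    }


if __name__ == "__main__":
    for name, findings in audit_email_auth(SAMPLE_RECORDS).items():
        print(f"{name.upper()}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

On the constructed sample the SPF and DKIM records pass and DMARC is flagged for `p=none`, which is the most common state I see: the record exists, so a quick lookup says "present", but it tells receivers to deliver spoofed mail anyway. Moving to `p=quarantine` and then `p=reject` once the aggregate reports show only legitimate senders is the fix.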
Offboarding, or the lack of it, is the one that makes business owners go quiet. I'll ask: "When was the last time someone left the company?" Then: "What happened to their account?"
Usually the answer is some version of "I think we changed the password" or "I'm not sure, actually." When I check, the account is often still active. Sessions still open on devices they took with them. Shared Drive access never revoked. Sometimes email forwarding rules that quietly send a copy of every incoming email to a personal address.
What to do: Right now, go to your Google Admin Console → Directory → Users. Look for anyone who's left the company but still has an active account. Suspend them immediately — this blocks all access without deleting any data.
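The MFA check and the leavers check both come down to reading the same user list. The following is an added example (not Bulwark's tooling) that audits a Google Workspace user list for active accounts without 2-Step Verification, for people on the HR leavers list whose accounts are still active, and for dormant accounts that may be leavers nobody told you about. The field names match what the Admin SDK Directory API `users.list` call returns (`primaryEmail`, `suspended`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv`, `lastLoginTime`); the users, dates and leavers list themselves are constructed for illustration.

```python
"""Audit a Google Workspace user list for accounts without 2-Step Verification
and for leavers whose accounts are still active.

Added example, not Bulwark's tooling. The records use the field names the
Admin SDK Directory API users.list response carries (primaryEmail, suspended,
isEnrolledIn2Sv, isEnforcedIn2Sv, lastLoginTime); the users, dates and the
leavers list are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the "users" array of a users.list response.
SAMPLE_USERS = [
    {"primaryEmail": "owner@example.com", "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True,
     "lastLoginTime": "2024-05-01T08:12:00.000Z"},
    {"primaryEmail": "alice@example.com", "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "lastLoginTime": "2024-04-30T17:45:00.000Z"},
    {"primaryEmail": "former.employee@example.com", "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "lastLoginTime": "2024-03-20T09:00:00.000Z"},
    {"primaryEmail": "contractor@example.com", "suspended": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "lastLoginTime": "2023-11-02T12:00:00.000Z"},
]

# Constructed: the people HR says have left. The directory should agree.
SAMPLE_LEAVERS = {"former.employee@example.com", "contractor@example.com"}

# Constructed "today" so the sample report is reproducible.
SAMPLE_NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)

LOGIN_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # e.g. 2024-05-01T08:12:00.000Z


def active_users(users):
    """Suspended accounts cannot sign in, so only active ones carry risk."""
    return [u for u in users if not u.get("suspended", False)]


def users_without_2sv(users):
    """Active accounts where 2SV is not enforced, not enrolled, or both."""
    return sorted(
        u["primaryEmail"] for u in active_users(users)
        if not (u.get("isEnrolledIn2Sv") and u.get("isEnforcedIn2Sv"))
    )


def leavers_still_active(users, leavers):
    """Accounts on the leavers list that have not been suspended."""
    wanted = {email.lower() for email in leavers}
    return sorted(u["primaryEmail"] for u in active_users(users)
                  if u["primaryEmail"].lower() in wanted)


def dormant_users(users, now, days=90):
    """Active accounts with no sign-in for `days`: leavers nobody told you about."""
    cutoff = now - timedelta(days=days)
    dormant = []
    for u in active_users(users):
        # Users who never signed in report 1970-01-01, which is correctly dormant.
        last = datetime.strptime(u.get("lastLoginTime", "1970-01-01T00:00:00.000Z"),
                                 LOGIN_TIME_FORMAT).replace(tzinfo=timezone.utc)
        if last < cutoff:
            dormant.append(u["primaryEmail"])
    return sorted(dormant)


def audit_users(users, leavers, now, dormant_days=90):
    """Combine the three checks into one report; empty lists are clean."""
    return {
        "no_2sv": users_without_2sv(users),
        "leavers_active": leavers_still_active(users, leavers),
        "dormant": dormant_users(users, now, dormant_days),
    }


if __name__ == "__main__":
    report = audit_users(SAMPLE_USERS, SAMPLE_LEAVERS, SAMPLE_NOW, dormant_days=30)
    for check, emails in report.items():
        print(f"{check}: {', '.join(emails) or 'none'}")
```

Feed it the `users` array from a Directory API `users.list` call and the leavers list from HR. In the sample, the former employee shows up in all three lists: no 2SV, on the leavers list but still active, and no sign-in for over a month. Suspending through the API is a `users.update` call that sets `suspended` to true; for a handful of accounts the Admin Console route in the text is quicker, and either way the account is blocked without deleting its data.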
There are 20 checks in a full audit and they all matter. But these three are the ones where the gap between "not done" and "done" represents the biggest reduction in actual risk. MFA stops account takeovers. Email authentication stops domain impersonation. Offboarding stops data leakage. Together they address the three most common ways small businesses get hurt.
Bulwark runs a free 20-point security audit. 45 minutes, written PDF report, no obligation. If we're not the right fit, you'll hear that directly.
Every business I've audited thought they were probably fine before the audit. Some were. Most weren't. The gap between "we think it's fine" and "we know it's fine because someone checks every month" is the gap that Bulwark exists to close.
But you don't need Bulwark to do the three things above. You can do them yourself, today, for free. If you do, you'll be ahead of the vast majority of small businesses in the UK. And if you want someone to check everything else — the 17 other things in a full audit — the first one is free, and you keep the report regardless.
Your IT doesn't need to be held together with a prayer. It just needs someone to actually look at it.
Free 45-minute audit. Written report. No obligation.