Security·2026-04-03·7 min

5 Security Risks Most Small Businesses Don't Know They Have

The biggest security gaps aren't the ones you know about. Here are five common exposures that most small businesses have never checked for.

Most small business owners think of cybersecurity in terms of antivirus and strong passwords. Those matter, but they're table stakes. The risks that actually lead to breaches are the ones nobody checked for because nobody knew to look.

Here are five that show up in nearly every small business assessment we run.

1. Exposed Admin Panels

Your router has a management interface. So does your firewall, your NAS, your security cameras, your printers, and every cloud service you use. Many of these are accessible from the public internet with nothing between an attacker and the login page.

This matters because admin interfaces are high-value targets. They often have known default credentials, limited brute-force protection, and vulnerabilities that get patched slowly (if the device is even still receiving updates).

How to check: Search for your company's IP addresses on Shodan (shodan.io) or Censys (search.censys.io). These are the same tools attackers use to find exposed services. If you see management interfaces for devices you recognize, those need to be locked down — either placed behind a VPN, restricted by IP whitelist, or taken off the public internet entirely.

The fix: No admin interface should be directly accessible from the internet. If remote access is necessary, put it behind a VPN or zero-trust network access solution. Change every default password. Disable management interfaces on devices that don't need remote administration.

2. Credential Reuse from Previous Breaches

Your employees use email addresses for dozens of online services — both work-related and personal. When those services get breached (and they do, regularly), the email/password combinations end up in databases that are freely available to attackers.

If any employee is using the same password for a breached service and their work email, their account is already compromised. The attacker just hasn't tried it yet.

How to check: Have I Been Pwned (haveibeenpwned.com) shows whether email addresses appear in known breach databases. For an organization-wide view, their domain search feature shows all breached addresses at your domain. The free tier is useful; the paid API enables automated monitoring.

The fix: Enforce unique passwords through a company password manager (1Password Business, Bitwarden, Keeper). Enable MFA everywhere — even if an attacker has a valid password, MFA stops them from using it. Consider monitoring services that alert you when employee credentials appear in new breaches.

3. Missing Security Headers

When your website sends a page to a visitor's browser, it can include HTTP headers that tell the browser how to handle security. Most small business websites ship none of them.

Missing security headers enable attacks like clickjacking (embedding your site in a frame on a malicious page), MIME type confusion (tricking the browser into executing uploaded files), and cross-site scripting amplification.

How to check: Use securityheaders.com and enter your website URL. You'll get a grade and a breakdown of which headers are present or missing. The important ones:

  • Content-Security-Policy (CSP): Defines what resources the browser is allowed to load. Prevents XSS and data injection.
  • Strict-Transport-Security (HSTS): Forces HTTPS connections. Prevents downgrade attacks.
  • X-Frame-Options: Prevents your site from being embedded in iframes on other sites.
  • X-Content-Type-Options: Prevents MIME type sniffing.
  • Referrer-Policy: Controls what information is sent in the Referer header.
  • Permissions-Policy: Restricts browser features (camera, microphone, geolocation) that your site can use.

The fix: These headers can usually be added in your web server configuration or CDN settings without changing any code. A developer or your hosting provider can implement all of them in under an hour. There's no good reason not to have them.
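A grading site reports which headers are present; an in-house check can also catch headers that are present but configured so loosely that they give little protection (a one-day HSTS lifetime, a CSP that permits `'unsafe-inline'`, an `X-Frame-Options` value browsers do not honour). The script below is an added example, not code from the original post or from securityheaders.com. The two header sets (`TYPICAL_UNCONFIGURED` and `HARDENED`) are constructed for the demo; `fetch_headers` issues a real HEAD request with the standard library and is not called by the offline demo.

```python
import re
import urllib.request

REQUIRED_HEADERS = [
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
]
ONE_YEAR_SECONDS = 31536000


def weakness(name: str, value: str):
    """Return a reason string when a present header is weakly configured,
    or None when its value is acceptable."""
    v = value.strip()
    low = v.lower()
    if name == "Strict-Transport-Security":
        m = re.search(r"max-age\s*=\s*(\d+)", low)
        if not m:
            return "no max-age directive"
        if int(m.group(1)) < ONE_YEAR_SECONDS:
            return f"max-age={m.group(1)} is below one year"
    elif name == "Content-Security-Policy":
        if "'unsafe-inline'" in low or "'unsafe-eval'" in low:
            return "allows 'unsafe-inline' or 'unsafe-eval'"
        if re.search(r"default-src\s+\*", low):
            return "default-src * allows scripts from any origin"
    elif name == "X-Frame-Options":
        if low not in ("deny", "sameorigin"):
            return f"value {v!r} is not DENY or SAMEORIGIN"
    elif name == "X-Content-Type-Options":
        if low != "nosniff":
            return f"expected nosniff, got {v!r}"
    elif name == "Referrer-Policy":
        if low in ("unsafe-url", "no-referrer-when-downgrade"):
            return f"{v} sends full URLs to third-party sites"
    return None


def audit_security_headers(headers: dict) -> dict:
    """Classify each required header as ok, weak (with a reason) or missing.
    Header names are matched case-insensitively, as HTTP requires."""
    present = {k.lower(): v for k, v in headers.items()}
    report = {"ok": [], "weak": {}, "missing": []}
    for name in REQUIRED_HEADERS:
        value = present.get(name.lower())
        if value is None:
            report["missing"].append(name)
            continue
        reason = weakness(name, value)
        if reason:
            report["weak"][name] = reason
        else:
            report["ok"].append(name)
    return report


def fetch_headers(url: str) -> dict:
    """Live HEAD request returning the response headers (not used offline)."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-audit"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.getheaders())


# Constructed sample: what a default web-server install commonly returns.
TYPICAL_UNCONFIGURED = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
    "x-frame-options": "ALLOWALL",          # not a valid value; browsers ignore it
    "Strict-Transport-Security": "max-age=86400",
}

# Constructed sample: a reasonable hardened set for a simple marketing site.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("typical", TYPICAL_UNCONFIGURED), ("hardened", HARDENED)):
        print(label, audit_security_headers(hdrs))
```

The checks deliberately stay conservative: a CSP is only flagged for the two directives that most often make it ineffective, and HSTS is held to the one-year minimum that the preload list requires. Run the audit against each hostname you serve, not just the apex, since a CDN-fronted `www` and an origin server often return different header sets.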

4. Unpatched Software Running in Production

Everyone knows they should keep software updated. In practice, small businesses accumulate a graveyard of outdated software: the WordPress plugin nobody remembers installing, the PHP version from 2019, the SSL VPN appliance that hasn't been updated since deployment, the printer firmware from three generations ago.

Each of these is a door with a published key. Vulnerability databases (like NIST's NVD) contain detailed descriptions of exploits for known software versions. Attackers don't need to be sophisticated — they just need to match your version numbers against the database.

How to check: Run a vulnerability scanner against your infrastructure. OpenVAS is free and open-source. Commercial options (Nessus, Qualys) provide more polished reporting. For web applications specifically, tools like Wappalyzer can identify the technologies and versions your site is running.

The fix: Create an inventory of every piece of software running in your environment with its version number. Cross-reference against known vulnerabilities. Patch or replace anything end-of-life (no longer receiving security updates). Establish a regular patch cycle — monthly at minimum, weekly for critical systems.

5. Shadow IT and Forgotten Subdomains

Employees sign up for SaaS tools with their work email. Developers spin up staging environments and forget about them. Marketing creates landing pages on subdomains. Over time, you accumulate digital infrastructure that nobody is monitoring, updating, or securing.

These forgotten assets are prime targets because they're often running outdated software, using weak or default credentials, and containing copies of production data for testing purposes.

How to check: Certificate Transparency logs (searchable at crt.sh) list every publicly logged TLS certificate issued for your domain, which reveals subdomains you may have forgotten about. DNS enumeration tools can find additional subdomains. Check cloud provider consoles for resources that shouldn't still exist. Audit SaaS subscriptions by checking email for service notification patterns.

The fix: Conduct a quarterly review of your domain's subdomains, cloud resources, and SaaS subscriptions. Decommission anything that isn't actively used and maintained. For active services, ensure they're included in your security monitoring and update procedures.
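The quarterly subdomain review becomes routine once it is scripted: pull the crt.sh results for the domain, normalise the names on each certificate, and diff them against the asset inventory so only the unknown hostnames need attention. The code below is an added example, not the original post's or crt.sh's own code. `SAMPLE_CRTSH_RECORDS` is constructed in the shape of crt.sh's JSON output (the `name_value` field carries newline-separated subject alternative names) and the certificates it describes are invented; `fetch_crtsh` queries the real `crt.sh/?q=%.domain&output=json` endpoint and is not called by the offline demo. `KNOWN_ASSETS` stands in for whatever inventory you maintain.

```python
import json
import urllib.parse
import urllib.request


def fetch_crtsh(domain: str) -> list:
    """Live query of crt.sh for every logged certificate under the domain."""
    url = "https://crt.sh/?q=" + urllib.parse.quote("%." + domain) + "&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "subdomain-inventory"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def extract_hostnames(records: list, domain: str) -> list:
    """Collect the distinct hostnames under `domain` named by any certificate.
    Wildcards are reduced to their base name; names outside the domain
    (which can appear as extra SANs) are dropped."""
    suffix = "." + domain.lower()
    names = set()
    for rec in records:
        for raw in rec.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain.lower() or name.endswith(suffix):
                names.add(name)
    return sorted(names)


def find_unknown(hostnames: list, inventory: list) -> list:
    """Hostnames that appear in CT logs but not in the asset inventory."""
    known = {h.strip().lower() for h in inventory}
    return [h for h in hostnames if h not in known]


# Constructed records in the crt.sh JSON shape; issuers, dates and ids are made up.
SAMPLE_CRTSH_RECORDS = [
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2025-01-10T00:00:00", "not_after": "2025-04-10T00:00:00"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com",
     "not_before": "2024-06-01T00:00:00", "not_after": "2025-06-01T00:00:00"},
    {"id": 3, "common_name": "staging-old.example.com",
     "name_value": "staging-old.example.com",
     "not_before": "2023-03-15T00:00:00", "not_after": "2023-06-13T00:00:00"},
    {"id": 4, "common_name": "dev-api.example.com",
     "name_value": "dev-api.example.com\nstaging-old.example.com\ncdn.example.net",
     "not_before": "2024-11-02T00:00:00", "not_after": "2025-01-31T00:00:00"},
    {"id": 5, "common_name": "mail.example.com",
     "name_value": "mail.example.com",
     "not_before": "2025-02-01T00:00:00", "not_after": "2025-05-02T00:00:00"},
]

# Constructed inventory of the hosts the business knows it runs.
KNOWN_ASSETS = ["example.com", "www.example.com", "mail.example.com"]

if __name__ == "__main__":
    found = extract_hostnames(SAMPLE_CRTSH_RECORDS, "example.com")
    print("in CT logs:", found)
    print("not in inventory:", find_unknown(found, KNOWN_ASSETS))
```

A name turning up here does not prove the host is still live; the next step is to resolve each unknown name and confirm whether anything answers, then either decommission it or add it to the inventory and patch schedule. Keep the diff output from each quarter so newly appearing names stand out from ones already triaged.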

The Pattern

These five risks share a common thread: they're not failures of sophisticated security systems. They're gaps in basic visibility. You can't secure what you don't know exists, and you can't fix what you don't know is broken.

An attack surface scan reveals most of these issues in minutes. It shows you what an attacker sees when they look at your business from the outside — the exposed services, the outdated software, the forgotten infrastructure.

Get a free attack surface scan to see what's visible. It takes 15 minutes and requires nothing from you except a domain name.

Need help with this?

Our team can assess your specific situation and provide actionable recommendations.
