If your IT company has ever walked you through a slide deck full of vendor logos — endpoint protection, SIEM, EDR, dark web monitoring, threat intelligence feeds — and you came away thinking you were safer, you’re in good company. That’s how the industry is selling security right now: buy a stack, point at the stack, call it a defence.
The problem we keep running into when onboarding new clients is that the stack is usually the only thing that’s been done. The basics underneath it haven’t.
We’ve taken over Microsoft 365 tenants where secure defaults were turned off, legacy authentication was still allowed, and multi-factor authentication wasn’t enabled anywhere — including on the accounts that could read every email in the company. We’ve seen Active Directory environments running domain administrator accounts with eight-character passwords that hadn’t changed in years, synchronized straight up to Microsoft 365, which means a breach of one is a breach of both. We’ve seen security features turned off because they made management “easier,” with no apparent awareness of what was being traded away in exchange.
The honest version of what’s going on is this: the tools are there, but the work behind them isn’t.
A Tool You Don’t Configure Is Just Furniture
A security product is only as good as the people configuring and watching it. An endpoint detection tool running on default settings, with no tuning and nobody reviewing the alerts it generates, isn’t protecting anything — it’s sitting on your network charging you a monthly fee. We saw this play out plainly earlier this year when an outgoing IT provider’s endpoint product sat quietly while live malware ran inside the environment it was supposed to be protecting. Their response, paraphrasing only slightly, was that they sell tools that keep customers safe, so why would they need to do anything more.
That’s the trap. The industry has gotten very good at selling security as a product. It is much harder to sell security as a practice — the daily, unglamorous work of tuning alerts, patching, hardening configurations, reviewing logs, and keeping documentation current. But that practice is what actually protects a business. Without it, the tools are theatre.
The Money Goes to Tools. The Work Doesn’t Get Done.
Part of what’s driving this is that tools are easier to budget for than people. A per-user-per-month security suite is a clean line item that fits neatly into a quote. Paying someone to actually use it competently, on the other hand, requires admitting the tool alone isn’t enough — and a lot of providers would rather not have that conversation.
The other piece is training. The threat landscape moves faster than most internal teams or generalist IT shops can keep up with, and if every dollar is going to product licensing, there’s nothing left for the people doing the work to learn how to do it well. There’s no excuse for that. Antisyphon offers genuinely good “pay what you can” courses. SANS publishes free reading lists. Most major security vendors run their own no-cost certification tracks. The information is available. It just has to be a priority.
Your Insurance Company Cares About This More Than You Do
Here’s the part most business owners haven’t thought about. Cyber insurance underwriters are getting much more aggressive about what they’ll cover and what they won’t, and the question they’re asking after an incident is whether the basics were in place at the time. Not whether you had a fancy tool. Whether MFA was enforced. Whether administrative accounts had appropriate password requirements. Whether legacy authentication was disabled. Whether someone was actually watching the alerts.
When the answer is no, claims get denied. The legal frame for what your IT provider is supposed to be doing is called duty of care — taking reasonable steps to protect a client’s systems and data. When that standard isn’t met and a breach happens, the consequences don’t stop at the IT company. They land on the business that hired them. You can have every invoice proving you bought the tools and still find yourself uninsured because nobody actually configured what you paid for.
How to Actually Check
If you’re not sure where your environment stands right now, the starting point isn’t another tool. It’s a configuration review. The questions worth asking, and getting clear answers to, are these:
Is MFA enforced for everyone, including service accounts, executive accounts, and anything with admin rights?
Are legacy authentication protocols disabled in Microsoft 365?
Do your domain administrator passwords meet modern length requirements, well beyond the old eight-character standard?
Is someone reviewing security alerts on a regular cadence, and can your provider show you evidence of that work?
Have your security tools been tuned to your environment, or are they running on factory defaults?
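The first three questions can be answered from the tenant and the domain directly rather than from a provider's say-so. The script below is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK with an account holding read-only Entra ID permissions (and a tenant licensed for the registration-details report), the ActiveDirectory module on a domain-joined workstation for the on-prem check, and the 15-character and 365-day thresholds are assumed review values, not figures from the post.

```powershell
# Added example: read-only configuration review for the questions above.
# Thresholds below are assumed review values, not the post's own numbers.
$MinAdminPasswordLength = 15
$MaxPasswordAgeDays     = 365

Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# 1. Security defaults: when enabled, MFA is required and legacy auth is blocked tenant-wide.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($defaults.IsEnabled)"

# 2. Conditional Access: an enabled policy that blocks legacy ('other') clients,
#    and an enabled policy that requires MFA for all users.
$policies = Get-MgIdentityConditionalAccessPolicy | Where-Object State -eq 'enabled'
$blocksLegacy = $policies | Where-Object {
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
$mfaForAll = $policies | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
"Legacy auth blocked by Conditional Access: $([bool]$blocksLegacy)"
"MFA required for all users by Conditional Access: $([bool]$mfaForAll)"

# 3. Admin-role holders who have never registered an MFA method.
$admins = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered }
"Admins without a registered MFA method: $(@($admins).Count)"
$admins | Select-Object UserPrincipalName | Format-Table -AutoSize

# 4. On-prem: domain minimum password length, plus Domain Admins whose password
#    never expires or is older than the review threshold.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $policy = Get-ADDefaultDomainPasswordPolicy
    "Domain minimum password length: $($policy.MinPasswordLength) (review target >= $MinAdminPasswordLength)"
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
        Where-Object { $_.PasswordNeverExpires -or
                       $_.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays) } |
        Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
        Format-Table -AutoSize
}
```

Every call is read-only, so the script can be run by an outside reviewer with auditing permissions without changing anything in the tenant or the domain; the fourth and fifth questions (alert review cadence and tool tuning) still have to be answered with evidence from whoever operates the tools.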
If your current IT provider can answer those questions clearly and show you the work, that’s a good sign. If the answer is some version of “we have [vendor] for that,” you’ve found the problem.
It’s worth getting independent eyes on this regardless of who runs your IT. We do this kind of review for businesses that aren’t our clients and aren’t going to be — sometimes a third party is the cleanest way to see what’s actually happening underneath a stack of logos. Whoever you ask, ask someone. Finding out at claim time is the most expensive way to learn that the tools weren’t enough.
None of this means tools don’t matter. They do. But the tool isn’t the security — the work is. And right now, a lot of IT companies are selling the first one and skipping the second.