Are IT Companies Forgetting the Basics of Security?

A hard question has been surfacing: Are IT companies still focused on the fundamentals of security, or is the conversation now dominated by who has the flashiest stack of tools to brag about at a vendor conference?

Over the past year, during the onboarding of new clients, a troubling pattern has emerged — a steady decline in the care applied to both cloud and on-premises security configurations. Common findings include:

  • Microsoft 365 tenants with security defaults switched off, legacy (basic) authentication still permitted, and no multi-factor authentication on any account.
  • Active Directory domains that date back decades, with domain admin accounts still carrying 8-character passwords, and those same accounts synchronized to Microsoft 365, so a single weak credential opens both the on-premises network and the cloud tenant.
  • Security downgraded in the name of “easier management,” sacrificing protection for convenience.

One outgoing IT provider even stated, “We sell and install tools that keep our customers safe — why would we need to do anything else?” This was after their untuned endpoint security tool failed to detect active malware in their environment.

Tools Don’t Replace Fundamentals

This is the trap: assuming that a bigger, shinier stack equals better security. The reality? Tools are only as effective as the strategy, configuration, and monitoring behind them. Without disciplined management, they are expensive shelf ornaments. Security is a practice, not a product. Right now, too many in the industry are leaning heavily on products while neglecting the practice.

Training is the Missing Piece

Security done right is challenging — and the threat landscape moves faster than most teams can keep pace with. If the entire budget currently goes to tools, redirect at least part of it to training the people who configure and watch them. Low-cost, high-quality training exists — Antisyphon, for example, offers “pay what you can” courses that deliver real value.

The Business Risk

Neglecting security basics is more than a client risk — it’s a business risk for the IT company as well. Insurance companies are increasingly looking for someone to hold accountable when industry best practices aren’t followed. The question they ask is simple: “Should you have known?” In many cases, the answer is yes. This is where duty of care comes in — the professional responsibility to take reasonable steps to protect a client’s systems and data. Failing to meet that standard can lead to denied claims, legal exposure, and lasting damage to both reputation and client trust.

At Lumitiv, security is not optional. Standardization, clear communication of business impact, and a willingness to disengage from relationships that resist basic protections are part of our operating principles. Protecting clients and protecting our own business are the same objective.

What Businesses Should Do Next

If there’s uncertainty about the strength of current security measures, now is the time to act. Start with a clear review of the basics — confirm that security defaults or an equivalent Conditional Access baseline are enforced, that legacy authentication is blocked, that multi-factor authentication covers every account (administrators first), that password policies meet current guidance and that privileged accounts are actually subject to them, and that monitoring exists and someone reads it. Don’t stop at internal checks; sometimes a fresh set of eyes can uncover vulnerabilities that go unnoticed day to day.
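The review described above, and the findings in the opening list (security defaults, legacy authentication, MFA, admin accounts synced from AD, domain admin password policy), can be checked in a few read-only queries. The script below is an added example and is not code from the original post or from Lumitiv. It assumes the Microsoft.Graph, ExchangeOnlineManagement and ActiveDirectory (RSAT) PowerShell modules, read-only Graph scopes, Exchange Online view-only access and AD read rights; the function names, the 14-character minimum and the 365-day maximum password age are illustrative assumptions, not a standard.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users, ExchangeOnlineManagement, ActiveDirectory
# Added example: read-only "security basics" review of an M365 tenant and its AD domain.
# Assumptions: delegated Graph read scopes, EXO view-only admin, AD read rights.
# Thresholds ($MinLength, $MaxAgeDays) are illustrative, not a benchmark.

$script:Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Area, [string]$Check, [bool]$Pass, [string]$Detail)
    $script:Findings.Add([pscustomobject]@{
        Area = $Area; Check = $Check
        Status = if ($Pass) { 'PASS' } else { 'FAIL' }
        Detail = $Detail
    })
}

function Test-M365Basics {
    Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'User.Read.All' -NoWelcome
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    # Only enforced policies count; report-only ("enabledForReportingButNotEnforced") protects nothing.
    $ca = Get-MgIdentityConditionalAccessPolicy | Where-Object State -eq 'enabled'

    # Legacy auth is blocked by security defaults, or by a CA policy that targets the
    # 'other' client app type (legacy protocols) with a 'block' grant control.
    $legacyBlock = @($ca | Where-Object {
        $_.Conditions.ClientAppTypes -contains 'other' -and
        $_.GrantControls.BuiltInControls -contains 'block' })
    Add-Finding 'M365' 'Legacy authentication blocked' ($sd.IsEnabled -or $legacyBlock.Count -gt 0) `
        "SecurityDefaults=$($sd.IsEnabled); CA block policies=$($legacyBlock.Count)"

    # MFA for everyone: security defaults, or an enabled CA policy scoped to All users requiring 'mfa'.
    $mfaAll = @($ca | Where-Object {
        $_.GrantControls.BuiltInControls -contains 'mfa' -and
        $_.Conditions.Users.IncludeUsers -contains 'All' })
    Add-Finding 'M365' 'MFA required for all users' ($sd.IsEnabled -or $mfaAll.Count -gt 0) `
        "SecurityDefaults=$($sd.IsEnabled); CA MFA-for-all policies=$($mfaAll.Count)"

    # Global Administrators should be cloud-only: a synced admin inherits the on-prem password.
    $gaRole = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
    $synced = @()
    if ($gaRole) {
        foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id) {
            if ($m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
                $u = Get-MgUser -UserId $m.Id -Property UserPrincipalName, OnPremisesSyncEnabled
                if ($u.OnPremisesSyncEnabled) { $synced += $u.UserPrincipalName }
            }
        }
    }
    Add-Finding 'M365' 'Global Admins are cloud-only' ($synced.Count -eq 0) "Synced admins: $($synced -join ', ')"
}

function Test-ExchangeBasics {
    Connect-ExchangeOnline -ShowBanner:$false
    $org = Get-OrganizationConfig
    $tc  = Get-TransportConfig
    Add-Finding 'EXO' 'Modern auth (OAuth2) enabled' ([bool]$org.OAuth2ClientProfileEnabled) "OAuth2ClientProfileEnabled=$($org.OAuth2ClientProfileEnabled)"
    # SMTP AUTH is the one basic-auth protocol still available tenant-wide; it should be off by default.
    Add-Finding 'EXO' 'SMTP AUTH disabled tenant-wide' ([bool]$tc.SmtpClientAuthenticationDisabled) "SmtpClientAuthenticationDisabled=$($tc.SmtpClientAuthenticationDisabled)"
}

function Test-ADBasics {
    param([int]$MinLength = 14, [int]$MaxAgeDays = 365)   # illustrative thresholds
    $pol = Get-ADDefaultDomainPasswordPolicy
    Add-Finding 'AD' "Default domain policy min length >= $MinLength" ($pol.MinPasswordLength -ge $MinLength) `
        "MinPasswordLength=$($pol.MinPasswordLength); Complexity=$($pol.ComplexityEnabled)"

    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user'
    foreach ($a in $admins) {
        $u = Get-ADUser -Identity $a.distinguishedName -Properties PasswordLastSet, PasswordNeverExpires
        # Resultant policy is the fine-grained policy that applies, or $null when only the default applies.
        $fgpp   = Get-ADUserResultantPasswordPolicy -Identity $u
        $minLen = if ($fgpp) { $fgpp.MinPasswordLength } else { $pol.MinPasswordLength }
        $age    = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days } else { $null }
        $ok = ($minLen -ge $MinLength) -and (-not $u.PasswordNeverExpires) -and ($null -ne $age) -and ($age -le $MaxAgeDays)
        Add-Finding 'AD' "Domain Admin $($u.SamAccountName) password hygiene" $ok `
            "EffectiveMinLen=$minLen; NeverExpires=$($u.PasswordNeverExpires); AgeDays=$age"
    }
}

Test-M365Basics
Test-ExchangeBasics
Test-ADBasics
$script:Findings | Sort-Object Status, Area | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
Disconnect-ExchangeOnline -Confirm:$false
```

Two caveats a reviewer should keep in mind. A password policy bounds only passwords set after it was raised, so an 8-character domain admin password chosen years ago survives a 14-character minimum until that account rotates; that is why the AD check reports PasswordLastSet alongside the effective minimum rather than trusting the policy alone. And a PASS on the Conditional Access checks means a policy exists and is enabled, not that it has no exclusions: open each matching policy and read its excluded users and groups before signing off on it.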

Consider engaging a qualified third party to assess your environment, provide actionable recommendations, and work alongside your existing IT provider to implement them. This approach brings independent insight, reduces blind spots, and helps ensure that security decisions are based on best practices rather than convenience.

Security is not about who has the biggest stack. It’s about whether the environment — tools, processes, and people — can stand up to real-world threats.