THE HIDDEN IT RISK THAT COULD SHUT DOWN YOUR BUSINESS

INTRODUCTION

Many small and medium-sized businesses depend heavily on a single IT person or provider, sometimes without realising the risk until it’s too late. If that individual becomes unavailable during a security incident or system failure, it could halt operations entirely.

We have seen businesses unable to access their cloud services, manage financial platforms, or even respond to clients – all because the one person who held the keys wasn’t reachable. And it’s not just about operational disruption. Without the right access controls, backup plans, or security checks, a single point of failure can lead to data loss, compliance violations, and reputational damage.

This article outlines the practical, low-cost actions SMEs can take today to reduce their IT dependency risk, especially those already using Microsoft 365. From admin account control to break-glass strategies, these are simple steps to protect your business without the need for a large IT budget.

THE RISKS OF A SINGLE IT PROVIDER MODEL

    1. OPERATIONAL DISRUPTION

      Relying on a single individual for IT operations or security leaves businesses vulnerable when that person becomes unavailable, whether due to illness, resignation, or simply being unreachable during a critical moment.

      In telecom and financial services environments, we have observed cases where the sudden departure of a key IT administrator caused major operational delays, especially where access to cloud platforms, documentation, or credentials was not shared or recoverable. In these scenarios, internal teams were forced to scramble and absorb unfamiliar technical tasks under pressure, leading to productivity loss and customer impact.

    2. BUSINESS CONTINUITY

      Even when backups exist, recovery becomes a bottleneck if only one person knows how to access or restore them.

      In many SME and lean corporate environments, backup strategies are rarely tested and often reside in the head of a single provider. This means that in the event of a ransomware incident or major outage, the business may have infrastructure in place but no one who knows how to activate it, leaving them exposed to prolonged downtime and reputational damage.

    3. SECURITY AND COMPLIANCE

      Without proper segregation of duties or privileged access, businesses risk exposing critical systems through day-to-day operations.

      In a recent assessment for a consulting group, we found that the organisation’s only global administrator account was also the personal work account of the Group Executive – a high-profile individual regularly targeted by phishing attempts. Because this single account was used both for administrative tasks and day-to-day business activity (email, calendar, file access), it created a serious exposure point.

      A successful phishing attack or credential compromise would have given attackers full access to the Microsoft 365 environment: not just emails and documents, but user management, mail routing, retention policies, and more. The lack of role separation and proper privileged access hygiene significantly increased the risk of a breach and posed a clear POPIA compliance concern.

    4. ACCESS AND CONTROL

      IT providers often retain control over core systems, but businesses rarely have full visibility into how access is managed or what privileges exist.

      In many cases, organisations don’t hold ownership of their Microsoft 365 tenant or cloud subscriptions – billing, admin access, and DNS control sit with the provider. This creates long-term dependency, especially when no internal resource has the knowledge or rights to make critical changes.

      Even routine tasks like disabling user accounts, updating mail routing, or applying conditional access policies can become delayed or entirely blocked if the provider is unavailable or unresponsive. Over time, this erodes internal control and increases operational and reputational risk.

SOLUTION

Across the SME space – and even in leaner corporate environments – we consistently see the same issue: too much reliance on one person or provider to manage IT. Whether due to limited budgets or stretched internal teams, this setup introduces unnecessary risk.

Based on hands-on work with clients in banking, telecoms, financial services, and oil and gas, we have put together a list of practical actions that SMEs can use as a starting point. These steps are not theoretical – they are grounded in real scenarios and built for environments where time, budget, and capacity are limited.

Many of these recommendations can be implemented with existing tools – particularly within Microsoft 365 – and they are designed to improve resilience without adding overhead.

  1. DON’T RELY ON A SINGLE PROVIDER

    Where possible, partner with an IT provider that gives you access to more than one resource. If sticking with your current provider, agree on backup coverage and upskilling. One person should never be the only gatekeeper.

  2. OWN YOUR ADMIN ACCESS

    Your business should control at least one privileged admin account internally – even if day-to-day IT is outsourced. This protects your ability to act if your provider is unavailable or your relationship ends.

  3. IMPLEMENT BASIC SECURITY HYGIENE

    Use built-in Microsoft 365 tools like Entra ID (formerly Azure AD), Single Sign-On, and Multi-Factor Authentication to control access and protect credentials. Keep admin and user roles separate to limit risk and improve accountability.

  4. HAVE A BREAK-GLASS ACCOUNT READY

    Create an emergency admin account with a strong password (20+ characters) and store the password securely – ideally in a password vault or using an offline method. Log any usage and reset the password after each use.

  5. SECURE FINANCIAL & SARS ACCESS

    Use SARS Shared Access to avoid sharing full credentials with tax practitioners. Store all financial system passwords in a secure, MFA-protected vault.
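
The checks behind steps 2 to 4 above, as an added example that is not part of the original article: a short Python audit run over an admin inventory. The field names (`owner`, `daily_use`, `break_glass`, `last_used`, `password_reset`) and the sample accounts are constructed for illustration and are not a Microsoft 365 export format.

```python
from datetime import date

GLOBAL_ADMIN = "Global Administrator"

def audit_admin_inventory(accounts):
    """Return sorted finding codes for an admin inventory (hypothetical schema)."""
    findings = set()
    admins = [a for a in accounts if GLOBAL_ADMIN in a["roles"]]
    if len(admins) < 2:                      # one person holds the keys
        findings.add("SINGLE_GLOBAL_ADMIN")
    if not any(a["owner"] == "business" for a in admins):
        findings.add("NO_BUSINESS_OWNED_ADMIN")
    break_glass = [a for a in admins if a["break_glass"]]
    if not break_glass:
        findings.add("NO_BREAK_GLASS_ACCOUNT")
    for a in admins:
        if a["daily_use"]:                   # admin role on an everyday mailbox account
            findings.add("ADMIN_IS_DAILY_USE_ACCOUNT:" + a["upn"])
        if not a["mfa"]:
            findings.add("ADMIN_WITHOUT_MFA:" + a["upn"])
    for a in break_glass:                    # password must be reset after each use
        used, reset = a.get("last_used"), a.get("password_reset")
        if used and (not reset or date.fromisoformat(reset) < date.fromisoformat(used)):
            findings.add("BREAK_GLASS_NOT_RESET_AFTER_USE:" + a["upn"])
    return sorted(findings)

def account(upn, owner, daily_use=False, mfa=True, break_glass=False, **extra):
    """Build one constructed inventory row."""
    return {"upn": upn, "roles": [GLOBAL_ADMIN], "owner": owner,
            "daily_use": daily_use, "mfa": mfa, "break_glass": break_glass, **extra}

# Constructed sample mirroring the assessment finding: one admin, used daily.
BEFORE = [account("exec@example.test", "business", daily_use=True)]

# Constructed sample after applying steps 2 to 4.
AFTER = [
    account("admin-internal@example.test", "business"),
    account("admin-provider@example.test", "provider"),
    account("breakglass@example.test", "business", break_glass=True,
            last_used="2025-03-01", password_reset="2025-03-02"),
]

if __name__ == "__main__":
    print("before:", audit_admin_inventory(BEFORE))
    print("after: ", audit_admin_inventory(AFTER))
```
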

WHAT SHOULD SMES DO NEXT?

Even if your business hasn’t experienced a serious IT incident yet, taking action now is far easier – and cheaper – than reacting in crisis mode. Here are four practical steps SMEs can take today to reduce dependency risk and build IT resilience:

  1. Review your current setup.
    Who has access to what, and is there a backup plan?
  2. Apply basic IT governance.
    Focus on admin rights, password storage, and break-glass access.
  3. Secure a backup IT resource.
    Whether external or internal, make sure there’s a second set of hands.
  4. Get an independent check.

    We offer practical, fast-turnaround risk assessments designed for SMEs. If you’re unsure where you stand, we can help you map it out – no jargon, no heavy lift.

A 1-page guideline is available to help you structure and secure privileged admin access – one of the highest-risk areas in SME IT environments.

Download it here: “5 Things Every SME Must Do to Reduce IT Dependency Risk”

How to separate daily use and high-privilege IT accounts

Secure password storage and emergency access controls

Based on real scenarios across banking, telecoms, and financial services.

CONCLUSION

Reducing IT dependency risk isn’t about overhauling your entire setup – it is about making smart, proactive decisions before something goes wrong. The steps we’ve outlined are grounded in real work with SMEs and corporates alike, and they are designed to be practical, affordable, and immediately actionable.

Whether you need a quick review, a second opinion, or a full IT risk assessment, we are here to help.

 

Key contributors:
Candice Jamieson
Jonty Adams
Handre van der Merwe
Cheron Randall