What we find in every IT audit

Jessica A.

Too Long; Didn't Read

We have conducted over 50 IT audits in Swiss SMEs. The same 7 issues appear every time—not because the companies are performing poorly, but because IT grows organically. This article shows you what we find, why it's normal, and which quick wins you can implement by tomorrow. Spoiler: You probably don't need the most expensive fixes.

What We Find in Every IT Audit

Let's be honest... IT audits sound like a dentist visit. Necessary, but uncomfortable.

And the discomfort isn't the audit itself. It's the uneasy feeling before it. What will they find? How bad is it? Will they think we are incompetent?

Here's the truth no one mentions: The same problems appear everywhere. In almost every SME we audit. Whether it's 30 or 300 employees. Whether it's an IT department or an external service provider.

This is not criticism. It's a pattern.

We've conducted over 50 IT audits. With manufacturing firms, service providers, trading companies. And we see the same 7 problems. Again and again.

Here they are - and what you can do about them.

The 7 Problems We Always Find

Image: The 7 Problems We Find in Every IT Audit

1. Documentation Doesn't Exist (or Is Outdated)

The network diagram is from 2019. The server room has three more devices than documented. And the password list? The former IT manager took it with him.

No one does this intentionally. IT grows organically. The new router is connected, but no one updates the diagram. The temporary workaround becomes permanent. And then it's forgotten.

What We See:

  • Network diagrams that don't match reality

  • Servers that are still running, though no one can say why

  • Configurations that only one person understands

Quick Win: One page. A network diagram. Start today. It doesn't have to be perfect - it just has to exist.

2. Access Rights No One Needs Anymore

The marketing intern from 2021 still has admin rights. The former accountant can still log in. And the "temporary" access for the external consultant? It's been running for two years.

According to Microsoft, over 99% of all identity attacks happen through passwords - brute force, phishing, password spraying. Every inactive account is an open door.

What We See:

  • Former employees with active accounts

  • Admin rights for people who don't need them

  • Shared accounts used by multiple people

  • No regular review of access rights

Quick Win: Go to your M365 Admin Center. List all accounts with admin rights. Ask for each one: Does this person really need it?
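The same review, done in PowerShell with the Microsoft Graph module instead of by clicking through the Admin Center. This is an added example, not code from the article or from ODCUS. It assumes the Microsoft.Graph module is installed and that you can consent to the read-only scopes listed; the last-sign-in column is only populated with an Entra ID P1 or P2 licence. The output adds the two columns that decide "does this person really need it?": whether the account is still enabled, and when it last signed in.

```powershell
# Added example, not from the article. Lists every member of every activated
# Entra ID directory role with account state and last sign-in, so each admin
# assignment can be questioned one by one. Assumes the Microsoft.Graph module;
# SignInActivity is only populated with an Entra ID P1/P2 licence.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","AuditLog.Read.All" -NoWelcome

$now = Get-Date
# Get-MgDirectoryRole returns the roles that have been activated in the tenant,
# i.e. every role that has (or once had) at least one assignment.
$report = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $member.AdditionalProperties['@odata.type']
        if ($type -ne '#microsoft.graph.user') {
            # Groups and service principals can hold roles too; they have no sign-in history
            [pscustomobject]@{
                Role = $role.DisplayName; Principal = $member.Id; Type = $type
                Enabled = $null; LastSignIn = $null; DaysSinceSignIn = $null
            }
            continue
        }
        $user = Get-MgUser -UserId $member.Id -Property "displayName,userPrincipalName,accountEnabled,signInActivity"
        $last = $user.SignInActivity.LastSignInDateTime
        $days = if ($last) { [int]($now - $last).TotalDays } else { $null }
        [pscustomobject]@{
            Role = $role.DisplayName; Principal = $user.UserPrincipalName; Type = 'user'
            Enabled = $user.AccountEnabled; LastSignIn = $last; DaysSinceSignIn = $days
        }
    }
}

# The full list is the starting point for the "does this person really need it?" question.
$report | Sort-Object Role, Principal | Format-Table -AutoSize

# The ones to question first: disabled accounts that still hold a role, and admins
# with no sign-in on record or none in the last 90 days (90 is a sample threshold).
$report |
    Where-Object { $_.Type -eq 'user' -and (-not $_.Enabled -or $null -eq $_.DaysSinceSignIn -or $_.DaysSinceSignIn -gt 90) } |
    Export-Csv -Path .\admin-role-review.csv -NoTypeInformation
```

Keep the exported CSV: a dated list of who held which role, with the decision written next to each line, is exactly the evidence of a "regular review of access rights" that the next audit will ask for.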

3. Backups That Have Never Been Tested

Everyone has backups. Almost no one tests the recovery.

It's like a fire extinguisher that's never been checked. It's there, it looks good - but whether it works, you'll only know when there's a fire.

What We See:

  • Backups run daily (good!)

  • Recovery has never been tested (bad!)

  • No one knows how long a recovery takes

  • Restore processes only exist in one person's head

The reality: recovering from a ransomware attack takes an average of 287 days. Because no one has practiced.

Quick Win: Restore a file from the backup. Today. Not the most critical one - any will do. See what happens. How long does it take? Does it even work?
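To turn that one-off restore into a repeatable drill that answers both questions (how long, and does it work) and leaves a written record, here is an added PowerShell example. It is not code from the article or from ODCUS. The restore step itself depends on your backup product, so it is passed in as a script block; the one in the sample call is a placeholder you replace with your tool's restore command. File paths and the 60-minute recovery-time objective are sample values.

```powershell
# Added example, not from the article. A repeatable restore drill: restore one file,
# measure how long it takes, compare the restored copy byte-for-byte against the live
# original (SHA-256), and append the result to a CSV as audit evidence.
function Invoke-RestoreDrill {
    param(
        [Parameter(Mandatory)] [string]      $SourceFile,     # live file the backup should contain
        [Parameter(Mandatory)] [string]      $RestoredFile,   # where the backup tool writes the restored copy
        [Parameter(Mandatory)] [scriptblock] $RestoreAction,  # the vendor-specific restore command
        [int]    $RtoMinutes  = 60,                            # recovery-time objective for this file class
        [string] $EvidenceLog = '.\restore-drills.csv'
    )

    # Hash of the live file, taken before the restore so the comparison is independent of it
    $expected = (Get-FileHash -Path $SourceFile -Algorithm SHA256).Hash

    $started = Get-Date
    try   { & $RestoreAction; $failure = $null }
    catch { $failure = $_.Exception.Message }
    $elapsed = (Get-Date) - $started

    $restored = Test-Path -LiteralPath $RestoredFile
    $actual   = if ($restored) { (Get-FileHash -Path $RestoredFile -Algorithm SHA256).Hash } else { $null }

    $result = [pscustomobject]@{
        Date       = $started.ToString('s')
        SourceFile = $SourceFile
        Restored   = $restored                      # did a file come back at all?
        HashMatch  = ($actual -eq $expected)        # is it the same file, bit for bit?
        Minutes    = [math]::Round($elapsed.TotalMinutes, 1)
        WithinRto  = ($elapsed.TotalMinutes -le $RtoMinutes)
        Error      = $failure
    }
    # One line per drill; the growing CSV is the proof that recovery is practised
    $result | Export-Csv -Path $EvidenceLog -Append -NoTypeInformation
    $result
}

# Sample call (constructed paths). The empty script block is the placeholder for your
# backup tool's restore command; left empty, the drill records an honest failure.
Invoke-RestoreDrill -SourceFile   '\\SRV-FILE01\finance\budget-2025.xlsx' `
                    -RestoredFile 'D:\restore-test\budget-2025.xlsx' `
                    -RestoreAction { <# your backup tool's restore command goes here #> }
```

Running this monthly on a different file each time, and keeping the CSV, moves the restore process out of one person's head and into something an auditor can read.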

4. Patches That Are Done "Someday"

"We'll do that in the next maintenance window."

The maintenance window never comes. Or it's postponed because something more important is going on. And then the critical security patch sits for three months.

Over 60% of security incidents in 2025 are expected to be due to known, unpatched vulnerabilities. Not zero-days. Not sophisticated hackers. Just patches that no one applied.

What We See:

  • Windows updates that are months behind

  • Third-party software without updates

  • "We can't, because then application XY won't work anymore"

  • No defined patch strategy

Quick Win: Check when the last Windows update was on the servers. If it's been more than 30 days, you have a problem.
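The same check across all servers at once, as an added PowerShell example that is not code from the article or from ODCUS. The server names are placeholders you replace with your own; it is run from a management host with WinRM access to the servers. It applies the article's 30-day rule of thumb and also reports servers that installed an update but were never rebooted, because a patch that is waiting for a reboot protects nothing yet.

```powershell
# Added example, not from the article. Asks each server for its most recent installed
# update and flags anything older than 30 days, with a pending reboot, or unreachable.
# Server names are placeholders (assumption). Get-HotFix reads Win32_QuickFixEngineering,
# which covers cumulative and security updates but not Defender definition updates.
$servers   = @('SRV-FILE01', 'SRV-APP01', 'SRV-DC01')   # replace with your servers
$threshold = 30                                        # days, as in the article's quick win

$patchState = Invoke-Command -ComputerName $servers -ErrorAction Continue -ScriptBlock {
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $days = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null }

    # Windows Update creates this key when an update is installed but the reboot is still outstanding
    $rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        LastUpdate    = $latest.HotFixID
        InstalledOn   = $latest.InstalledOn
        DaysSince     = $days
        PendingReboot = Test-Path $rebootKey
    }
}

$patchState |
    Sort-Object DaysSince -Descending |
    Format-Table Server, LastUpdate, InstalledOn, DaysSince, PendingReboot -AutoSize

# More than 30 days without an update is a problem. No recorded update at all is worse.
$overdue = @($patchState | Where-Object { $null -eq $_.DaysSince -or $_.DaysSince -gt $threshold })
if ($overdue.Count -gt 0) {
    Write-Warning ("{0} of {1} servers are overdue for patching: {2}" -f $overdue.Count, $servers.Count, ($overdue.Server -join ', '))
}

# Servers that did not answer do not appear in the results; list them separately,
# because "we could not check" is itself a finding.
$unreached = @($servers | Where-Object { $_ -notin $patchState.PSComputerName })
if ($unreached.Count -gt 0) {
    Write-Warning ("Not reachable: {0}" -f ($unreached -join ', '))
}
```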

5. Shadow IT Everywhere

Dropbox. WeTransfer. Personal Gmail accounts. WhatsApp groups for project work.

It's not malicious. It's practical. The official solution is too complicated, so people use what works.

What We See:

  • Company data in private cloud storage

  • Sensitive documents sent via WeTransfer

  • Customer communication via private phones

  • The IT department has no overview of the tools used

The problem: 32% of employees click on phishing links. Under stress, it rises to 45%. And if they work in tools you don't know about, you have no chance to protect them.

Quick Win: Ask your team: "What tools do you really use for work?" The answers will surprise you.

6. One IT Person Who Knows Everything

His name is Thomas. Or Marcel. Or Sandra. One person who does everything, knows everything, and whose absence paralyzes the entire IT operation.

What happens if Thomas gets sick? Or resigns? Or goes on vacation and doesn't answer his phone?

What We See:

  • Critical knowledge only in one head

  • No documented processes

  • Passwords known only to one person

  • Dependency on an external service provider that "does everything"

(By the way: In many SMEs, "Thomas" is the external IT partner, which is also a risk.)

Quick Win: Identify a critical task that only one person can do. Document it this week. Just one. But the most important one.

7. Licenses That No One Understands

You pay for 150 Microsoft 365 licenses. 90 users are active. The rest? Former employees, test accounts, "reserves."

Even better: Half have E5 licenses, even though E3 would be enough. But no one knows exactly what's included in E5 and what isn't. And the Microsoft partner doesn't explain it voluntarily.

What We See:

  • Paid licenses ≠ active users

  • License types that don't match needs

  • No regular license review

  • Contract renewals without review

Quick Win: Open your M365 Admin Center. Compare: How many licenses do you have? How many active users are there? The difference is money.
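The comparison from the quick win, scripted so it can be repeated before every contract renewal. This is an added PowerShell example, not code from the article or from ODCUS. It assumes the Microsoft.Graph module and consent to the read-only scopes listed; the sign-in column needs an Entra ID P1 or P2 licence and the AuditLog.Read.All scope. It first puts purchased next to assigned per SKU (the licenses nobody is using at all), then lists licensed accounts that are disabled or have not signed in for 90 days (a sample threshold), which are the "former employees, test accounts, reserves" the article describes.

```powershell
# Added example, not from the article. Purchased vs assigned per SKU, then licensed
# accounts that are disabled or idle: licences that cost money but serve no active user.
# Assumes the Microsoft.Graph module; 90 days is a sample threshold.
Connect-MgGraph -Scopes "Organization.Read.All","User.Read.All","AuditLog.Read.All" -NoWelcome

# 1. Purchased vs assigned, per SKU (the first number from the quick win)
$skus    = Get-MgSubscribedSku
$skuName = @{}
foreach ($s in $skus) { $skuName[[string]$s.SkuId] = $s.SkuPartNumber }

$skus | ForEach-Object {
    [pscustomobject]@{
        Sku        = $_.SkuPartNumber                              # e.g. SPE_E5 is Microsoft 365 E5, SPE_E3 is E3
        Purchased  = $_.PrepaidUnits.Enabled
        Assigned   = $_.ConsumedUnits
        Unassigned = $_.PrepaidUnits.Enabled - $_.ConsumedUnits   # paid for, assigned to no one
    }
} | Format-Table -AutoSize

# 2. Assigned but not used: licensed accounts that are disabled or have gone quiet
$cutoff   = (Get-Date).AddDays(-90)
$licensed = @(Get-MgUser -All -Property "displayName,userPrincipalName,accountEnabled,assignedLicenses,signInActivity" |
    Where-Object { $_.AssignedLicenses.Count -gt 0 })

$idle = @(foreach ($u in $licensed) {
    $last = $u.SignInActivity.LastSignInDateTime
    if (-not $u.AccountEnabled -or -not $last -or $last -lt $cutoff) {
        [pscustomobject]@{
            User       = $u.UserPrincipalName
            Enabled    = $u.AccountEnabled
            LastSignIn = $last                     # empty means no sign-in on record at all
            Licences   = ($u.AssignedLicenses | ForEach-Object { $skuName[[string]$_.SkuId] }) -join ', '
        }
    }
})

# The difference between these two numbers is the money the article is talking about
"{0} licensed accounts, {1} of them disabled or idle for 90+ days" -f $licensed.Count, $idle.Count
$idle | Sort-Object LastSignIn | Format-Table -AutoSize
```

Unassigned seats can be reduced at the next renewal; the idle list feeds straight back into problem 2, because a licensed account that nobody uses is also an account that nobody is watching.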

Why This Happens (and Why It's Not Your Fault)

Image: IT grows organically - no one plans for the current state

These 7 problems don't arise from incompetence. They happen because:

IT grows organically. No one planned ten years ago where you are today. Every workaround, every quick fix, every "we'll do it later" piles up.

Day-to-day business eats strategy. When the server is on fire, you don't document. When the boss has an urgent request, you postpone the patch update. Firefighting always beats prevention.

Vendor advice serves vendors. The Microsoft partner recommends more licenses. The security vendor recommends more tools. No one says, "Actually, what you have is enough."

The external perspective is missing. From the inside, you don't see the problems. You get used to them. "That's how we've always done it."

The Quick Wins (Cost Nothing)

Here's what you can do tomorrow - without a budget, without a project, without a consultant:

Action                             | Time Investment | Impact
-----------------------------------|-----------------|---------------------------
Create Network Diagram (1 Page)    | 2 Hours         | Gain Overview
Review Admin Rights                | 1 Hour          | Reduce Attack Surface
Restore a File from Backup         | 30 Minutes      | Test Restore Process
Check Last Patches                 | 15 Minutes      | Recognize Risk
Ask Team About Tools Used          | 1 Meeting       | Make Shadow IT Visible
Document One Critical Task         | 1 Hour          | Reduce Key-Person Risk
Compare Licenses vs. Active Users  | 15 Minutes      | Identify Savings Potential

The Expensive Fixes (You Probably Don't Need)

Now comes the part consultants usually don't tell you:

Not every problem needs a project.

What vendors often recommend - and what you usually don't need:

  • Complete Infrastructure Renewal: Usually overkill. Targeted upgrading is often enough.

  • Enterprise Security Suite: For a 50-person SME? Probably over-dimensioned.

  • Complete Documentation Project: Dies in week 3. Better: Start small, stay consistent.

  • 24/7 Security Operations Center: Only makes sense when the basics are right.

The truth is: Most SMEs don't need expensive tools. They need better processes.

If the basics are right - patches, access rights, backups - you cover 80% of the risks. Without buying a single new tool.

Join us on the journey

Effortlessly schedule a conversation and discover how we bring success in the digital world to your company.

Contact us!

Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2025 ODCUS | All rights reserved.
