What Your IT Provider Is Probably Not Monitoring

Most small businesses that work with an external IT provider feel reasonably covered. There is someone to call when something breaks, someone who set up the email accounts and installed the antivirus, someone who occasionally sends a reminder about updating passwords. That relationship feels like a safety net, and for day-to-day issues, it often is.
The problem is that the threats most likely to cause serious damage to a small business in 2026 do not announce themselves by breaking something visible. They sit quietly in the background, sometimes for weeks or months, before they surface. And the gaps that allow them to persist are rarely the result of negligence on anyone's part. They are structural: the natural consequence of a reactive support model applied to a threat landscape that has become overwhelmingly proactive.
Here is what typically falls outside the scope of a standard IT support arrangement, and why it matters.
Dark web exposure of your credentials
When a data breach hits a third-party service your employees use, whether that is a project management tool, a travel booking platform, or a professional network, the usernames and passwords involved are frequently packaged and sold on dark web marketplaces within hours. Those credentials often end up being tested against business email accounts, VPNs, and cloud platforms, sometimes months after the original breach.
Most IT providers do not monitor for this. Dark web credential monitoring requires dedicated tooling and a continuous scanning process that sits outside the scope of standard helpdesk or break-fix support. Without it, there is no way to know that an employee's work email and password combination has been circulating among threat actors since March, and that someone has been attempting to use it against your Microsoft 365 tenant every night for the past two weeks.
The fix is not complicated. Dark web monitoring services can be set up relatively quickly and alert you when known credentials associated with your domain appear in breach data. But it only works if someone has set it up and is acting on the alerts.
Misconfigured cloud environments
The shift to cloud services over the past decade has been good for small businesses in many ways: lower hardware costs, better collaboration, easier remote access. It has also introduced a category of risk that most traditional IT support arrangements were never designed to address.
Cloud misconfiguration is now one of the leading causes of data exposure for businesses of all sizes. An S3 bucket set to public by mistake, a SharePoint folder shared with "anyone with the link," a Google Workspace admin account without multi-factor authentication enabled: none of these generates a helpdesk ticket. They sit silently open until someone finds them, and that someone is rarely on your side.
Standard IT support typically covers the setup of cloud services and the resolution of access issues when they arise. Ongoing configuration auditing (checking whether permissions have drifted, whether sensitive data is accessible externally, whether security defaults are still in place) is a different discipline entirely, and one that most reactive support contracts do not include.
Unmonitored endpoints and devices
Every laptop, desktop, tablet, and smartphone that connects to your business network or accesses company data is an endpoint. Each one is a potential entry point for an attacker. Most IT providers will install endpoint protection software on the devices they manage, and that is a meaningful layer of defence.
What often goes unmonitored is what happens on those endpoints between incidents. Endpoint Detection and Response tools, known as EDR, go beyond antivirus to continuously analyse behaviour on devices: processes being executed, files being accessed, outbound connections being made. They are designed to catch the kind of low-and-slow activity that precedes a ransomware deployment or a data exfiltration attempt, often weeks before anything visible occurs.
EDR tools are increasingly affordable and available to small businesses, but they require someone to review alerts, investigate anomalies, and act on findings. In a reactive support model, where the IT provider responds to problems rather than hunting for them, this kind of continuous monitoring rarely happens.
There is also the question of unmanaged devices. In most small businesses, there are phones, personal laptops, or home computers that access company email or cloud services without ever being formally enrolled in any management system. These devices are invisible to most IT monitoring setups, and they represent a meaningful blind spot.
Backup integrity and recoverability
Having backups is not the same as having recoverable backups. It is a distinction that sounds obvious but is overlooked with remarkable regularity, often until the moment it matters most.
A backup that has not been tested is an assumption. Files may be corrupting silently. The backup software may be failing quietly after an update. The retention window may have been shortened without anyone noticing. Ransomware, as covered in a previous article, specifically targets backup systems, and attackers are increasingly sophisticated about identifying and disabling backup processes before deploying their payload.
Most IT providers set up backup systems and address specific issues when reported. What fewer do is run regular restore tests, verify that the backup chain is intact end to end, and confirm that recovery time from a clean backup actually meets the business continuity needs of the company. That kind of proactive verification is the difference between a backup system and a backup system you can actually rely on.
User behaviour and internal risk
The most common entry point for a cyberattack is not a sophisticated zero-day exploit. It is a person: an employee who clicks a phishing link, reuses a password across personal and work accounts, or installs an unauthorised application that introduces a vulnerability.
User behaviour monitoring is a sensitive topic, and it should be approached thoughtfully, with clear policies and employee awareness. But at a basic level, knowing whether unusual login patterns are occurring, whether someone is accessing large volumes of data outside normal hours, or whether applications are being installed on managed devices without authorisation, is meaningful security intelligence. Most standard IT support arrangements have no visibility into this.
Shadow IT is a related problem. When employees find official tools too cumbersome or slow, they find alternatives: personal cloud storage for shared files, consumer messaging apps for work conversations, free online tools for tasks the business has not provided a solution for. Each of these represents data leaving the controlled environment, often without encryption and without any audit trail. It is rarely something a reactive IT provider would know about or flag.
What proactive monitoring actually looks like
The common thread across these gaps is the difference between reactive and proactive IT support. Reactive support is valuable. It keeps things running, resolves issues quickly, and provides a baseline of technical competence. But it is built around responding to problems that have already surfaced, not identifying conditions that have not yet become visible.
Proactive monitoring means having continuous visibility into the things that matter before they become incidents: credential exposure, configuration drift, endpoint anomalies, backup integrity, and unusual behaviour patterns. It means having someone whose job is not just to fix things but to look for things that should not be there.
For small businesses, that level of coverage does not require a large internal IT team. It requires the right tooling and a support arrangement that includes monitoring as a standard component, not an optional add-on. That is exactly the kind of infrastructure Bakbit is built to provide, at a scale and cost that makes sense for businesses that are not, and should not need to be, running an enterprise security operation.
In summary
The gaps described here are not rare edge cases. They are the predictable consequence of a support model that was designed for a different era, when most threats were visible and most attacks required significant manual effort to execute. The threat landscape has changed faster than most IT support arrangements have adapted.
Knowing what is not being monitored is the first step toward closing the gaps. If you are not sure which of these areas applies to your current setup, that uncertainty is itself worth investigating.
The Bakbit team can help you map your current coverage against these blind spots and identify the priority areas to address first.


