Security Gaps Deep Dive #3: If Device and Access Controls are Inconsistent
April 15, 2026
Posted in Cyber Essentials. News by Apex Computing.
One of the most common security weaknesses in SMEs isn’t the complete absence of protection. It’s inconsistency. Most businesses have done some of the right things over time. They have antivirus, password policies, firewalls, backups, managed laptops for some users, and a rough idea of who should and should not have access to certain systems. The issue is that cyber incidents often happen in the gaps between those measures. A control exists, but not for everyone. A device is managed, but not all devices are. Multi-factor authentication (MFA) is in place for some accounts, but not consistently across the business. Admin rights have been restricted in principle, but a few exceptions have been left behind because they were useful at the time. That’s exactly the kind of quiet weakness that can have a big impact.
It matters because attackers don’t need every defence to fail. They need one opening. One unpatched laptop; one over-permissioned account; one shared login still in use; one employee using a personal device without the same controls as everyone else. In practice, inconsistent standards create a much more realistic route into a business than the dramatic scenarios people often imagine. Security risk in SMEs is rarely caused by doing nothing at all. More often, it grows because the basics are being applied unevenly.
The UK Government’s latest Cyber Security Breaches Survey 2025 found that 68% of businesses restrict IT admin and access rights to specific users, which sounds positive at first glance. But only 40% require any form of two-factor authentication for networks or applications, and only 32% have a policy to apply software security updates within 14 days. Just 21% of businesses reported having technical controls across all five Cyber Essentials areas. In other words, many organisations have parts of the security picture in place, but far fewer have a truly joined-up baseline.
That’s usually not because people are being careless. It’s often a by-product of growth. A business hires quickly, introduces remote working, adds contractors, opens another office, adopts more cloud platforms, and gives people access as new needs emerge. Over time, different decisions get made by different people for sensible reasons in the moment. A sales director needs access from a new device. A senior user is given extra permissions to keep things moving. A field-based employee is handled differently from an office-based one. An old account is left active because nobody is quite sure whether it’s still needed. None of this feels dramatic while it’s happening. That’s why it’s dangerous. It creates risk quietly.
This is also why device management and access control should be treated as operational disciplines, not one-off technical tasks. A secure business isn’t simply one that bought the right tools two years ago. It’s one that keeps applying the right standards consistently as the organisation changes. That means being clear about which devices are allowed to access business systems, how they’re configured, how quickly updates are applied, who gets admin rights, how access is approved, and what happens when people change roles or leave. The more clearly those rules are defined and followed, the smaller the attack surface becomes.
There is a resilience benefit here as well. Consistency doesn’t just reduce the chances of compromise. It also makes the business easier to support and recover. When devices are built to a known standard, identities are managed properly and access is controlled cleanly, it’s far easier to isolate a problem, understand what is affected and restore systems with confidence. If the environment is full of exceptions, workarounds and one-offs, even a relatively small incident becomes harder to contain because nobody has a fully reliable picture of what “normal” looks like.
For SMEs, this is one of the most practical gaps to address because the improvements are usually straightforward. Tightening admin rights, enforcing MFA more consistently, reviewing dormant accounts, standardising laptops and mobile devices, and improving patching discipline are not headline-grabbing projects, but they remove a huge amount of avoidable risk. They also tend to improve the day-to-day experience for the business because support becomes more predictable and less dependent on individual memory or historic decisions.
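The checks listed above (admin rights, MFA coverage, dormant accounts, managed devices, patching within 14 days) only stay consistent if someone can see the exceptions. The script below is an added example, not code from the original article or from Apex Computing: it audits a small, constructed inventory of accounts and devices against one written baseline and returns every gap it finds. The account and device records, the 90-day dormancy threshold and the list of approved admins are all assumptions made for the example; the 14-day patch window is the figure the survey quoted above uses.

```python
"""Consistency audit over a constructed inventory of user accounts and devices.

Added example (not from the original article). It flags the kinds of gaps the
post describes, measured against a single written baseline, so exceptions are
listed rather than remembered.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    username: str
    mfa_enabled: bool
    is_admin: bool
    shared: bool          # a login used by more than one person
    active: bool
    last_login: date


@dataclass
class Device:
    hostname: str
    owner: str
    managed: bool         # enrolled in the business's device management
    personal: bool        # personally owned device used for work
    last_patched: date


@dataclass
class Baseline:
    approved_admins: frozenset
    patch_window_days: int = 14    # figure quoted from the survey in the post
    dormant_after_days: int = 90   # assumption: policy value chosen for this example


def audit(accounts, devices, baseline, today):
    """Return a sorted list of (gap_type, subject) findings.

    Inactive accounts are skipped: the audit is about live access, and a
    disabled account is the correct end state for a leaver.
    """
    findings = []
    for a in accounts:
        if not a.active:
            continue
        if not a.mfa_enabled:
            findings.append(("mfa_missing", a.username))
        if a.is_admin and a.username not in baseline.approved_admins:
            findings.append(("unapproved_admin", a.username))
        if a.shared:
            findings.append(("shared_login", a.username))
        if today - a.last_login > timedelta(days=baseline.dormant_after_days):
            findings.append(("dormant_account", a.username))
    for d in devices:
        if not d.managed:
            kind = "unmanaged_personal_device" if d.personal else "unmanaged_device"
            findings.append((kind, d.hostname))
        if today - d.last_patched > timedelta(days=baseline.patch_window_days):
            findings.append(("patch_overdue", d.hostname))
    return sorted(findings)


def summarise(findings):
    """Count findings per gap type, which is the view a manager usually wants."""
    return dict(Counter(gap for gap, _ in findings))


# --- constructed sample inventory (not real accounts or devices) ---
TODAY = date(2026, 4, 15)
BASELINE = Baseline(approved_admins=frozenset({"alice"}))

ACCOUNTS = [
    Account("alice", True, True, False, True, date(2026, 4, 14)),        # approved admin, compliant
    Account("bob", False, True, False, True, date(2026, 4, 10)),         # leftover admin rights, no MFA
    Account("reception", False, False, True, True, date(2026, 4, 15)),   # shared login without MFA
    Account("contractor_old", True, False, False, True, date(2025, 12, 1)),  # active but dormant
    Account("leaver", False, True, False, False, date(2025, 9, 1)),      # disabled, so ignored
]

DEVICES = [
    Device("LT-ALICE", "alice", True, False, date(2026, 4, 10)),      # managed, patched this week
    Device("LT-BOB", "bob", True, False, date(2026, 3, 1)),           # managed but 45 days unpatched
    Device("PHONE-CARL", "carl", False, True, date(2026, 4, 1)),      # personal, unmanaged, patched 14 days ago
]

if __name__ == "__main__":
    for gap, subject in audit(ACCOUNTS, DEVICES, BASELINE, TODAY):
        print(f"{gap:28} {subject}")
    print(summarise(audit(ACCOUNTS, DEVICES, BASELINE, TODAY)))
```

Run as-is it lists seven gaps across five subjects; PHONE-CARL is reported as unmanaged but not as patch-overdue, because exactly 14 days is inside the window. In a real environment the inventory would come from the directory and the device management platform rather than being typed in, but the useful property is the same: the baseline is written down once and every exception is produced by the same rule.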
Here’s an example of how that looks in action.
Security maturity isn’t really about how many tools you own. It’s about how consistently the fundamentals are being applied across the whole organisation. If one department is well controlled and another still works around the rules, the risk remains. If some users have strong access protections and others don’t, the risk remains. If patching is good most of the time but not visible enough to catch the exceptions, the risk remains. Quiet risk thrives on inconsistency.
If you’re not completely sure that your users, devices and permissions are being managed to the same standard across the business, it’s worth taking a closer look now rather than after something goes wrong. Apex Computing can help you review where controls have drifted, where avoidable exceptions have crept in and what practical steps would tighten the environment without making life harder for your team. That’s often the most useful next step: not a dramatic overhaul, but a clearer, more consistent security baseline that removes the quiet gaps attackers tend to exploit.