
Most owners do not notice their IT is fragile until something snaps at the worst possible moment. A Friday at five. A client call that will not load. A payroll export that hangs while everyone is trying to get out the door.
That moment is rarely the real problem. It is the bill that finally arrives after months of small charges nobody was tracking.
Fragile IT works most of the time. Email opens. The CRM loads. Files sync, more or less. Nothing flashes red. From the outside the setup looks fine, which is exactly why it sits untouched for years.
The fragility lives in the gaps. One person knows the printer trick. Backups happen, but no one has tested a restore in eighteen months. Two staff still have admin rights from a project in 2022. Half the team has multi-factor authentication switched on, the other half has been meaning to. The whole setup is held together by habit and goodwill, and it stands up perfectly until the day a habit changes or the goodwill is on annual leave.
The pattern compounds. Every quiet workaround the team builds around a frustration becomes a load-bearing piece of how the business runs. The shared spreadsheet that someone keeps because the CRM does not quite do that one report. The personal email used for a client thread because the company one was being slow on Tuesday. None of it looks like a problem. All of it is a problem the day a person leaves or a laptop dies.
Nobody on the morning of an incident thought their IT was broken. It just turned out not to be ready.
When fragile IT does fail loudly, the bill is easy to see. There is an invoice, an outage report, a difficult conversation. Numbers like that get attention.
The bigger leak is the one nobody itemises. Slow logins. Apps that need restarting twice. The corner of the office where the Wi-Fi disappears. Password resets that take a working morning to chase down. Files saved to a desktop instead of the right folder because the folder is two more clicks than feels worth it on a busy day.
Multiply that across a 25-person recruitment business and the friction tax is bigger than the emergency call-out fee, every single year. The frustrations your team stopped reporting are the ones costing you most, because nobody is logging them anymore.
There is a moment, somewhere around year three of a setup that has not been re-set, where the team stops complaining. Not because the problems went away. Because the team gave up. That silence is the most expensive sound in the office, and it does not appear on any invoice.
A lot of fragile setups look protected on paper. There is antivirus on every laptop. There may even be a tick-box on an insurance form somewhere confirming it.
Antivirus matters. So do seatbelts. Neither is a complete safety system on its own.
A modern attacker is not trying to drop a virus on your laptop. They are trying to log in as you. That is a different problem, and it needs different protection.
What stops it is a layered setup. Multi-factor authentication on every account, no exceptions. Rules that ask harder questions when something looks off, like a sign-in from a country no one visited. Email filtering that catches the impersonation attempts antivirus was never designed to see. A backup you have actually tested, not just one that runs.
The honest test for any ‘we are protected’ claim is one question. If we lost a laptop tonight, what would we know by morning? If the answer requires a phone call to a third party who is not on call, the protection is on paper. If the answer is ‘we would already have wiped it’, the protection is real.
One person, internal or external, is the only one who knows how something works.
Your last tested backup restore was longer ago than your last new hire.
Some staff have admin rights for reasons no one can remember.
MFA is on for ‘most’ accounts, not all of them.
The day-to-day frustrations have stopped being raised because the team gave up.
If three of those land, the setup is one nudge away from a bad week. If four land, it has already cost you more than you think. The reason the list is short is that, in the audits we run, those five signs cover almost every fragile setup we walk into. The specifics differ. The shape does not.
The pattern we see most often when we audit recruitment businesses is not negligence. It is dilution. The setup was sensible when the company was eight people. The company is now thirty, doing twice the GP per head, with a different stack, a different threat picture, and the IT was never re-set to match. Nobody made a bad decision. The decisions just stopped being made.
Resilient IT is unglamorous. It looks like patching that happens on a schedule. Backups that get tested every quarter. Identities that get reviewed every time someone joins, moves or leaves. Monitoring that pages somebody at four in the morning so you do not have to. The whole point is that nobody on your team should have to be the hero. If the printer goes down on a Friday at five, the worst that should happen is a printer is down on a Friday at five.
Hero culture in IT is a flag, not a feature. It means a person is making up for a process that does not exist. That works until the person is on holiday, off sick, or the next stage of life calls. The setup walks out of the door with them.
If you had to evacuate your business from its current IT setup tomorrow morning, how much of what works today would actually survive the move?
