This article is part of Spiceworks’ Recalibrating Risk Tolerance series investigating the contemporary landscape of cybersecurity risk. You can follow along on our landing page, where we’ll be adding new stories all week.
Small IT departments make security trade-offs that larger organizations don’t have to consider. Far too often, these IT teams find themselves gritting their teeth, accepting a much higher exposure level than they want to because the alternative means making a budget request that’s sure to get shot down, grinding operations to a halt, or both.
While you and your IT peers have been making tricky calls about what to tackle and what to let go, though, the threat landscape has significantly changed. According to Verizon’s 2025 Data Breach Investigations Report (DBIR), small and medium businesses are now targeted nearly four times more often than enterprises.
IT might have been able to get by with security shortcuts a few years ago, but that’s a much riskier proposition than it used to be. If you’ve been lagging on addressing your security debt, now is the time to take a careful look at what it might cost you.
Security debt: Not the same as tech debt
We all know the dangers of technical debt. It leads to bloat, it’s expensive, it can contribute to performance issues, and it can ultimately block business growth. Security debt shares some of these telltale signs, but it’s a different animal at the end of the day. When left unaddressed for too long, even seemingly minor security mistakes can seriously harm or even end a business.
Malicious actors know small and medium businesses and their IT teams have limited resources, so they’re going after what they see as low-hanging fruit. They’re having an easier time of it, too. Attacks that would have taken serious chops just three years ago can be easily launched using ransomware-as-a-service (RaaS) tools found on dark web forums.
As if all this wasn’t bad enough, supply chain vulnerabilities are amplifying the problem. That vendor portal you rarely think about could be running on credentials that haven’t been rotated since implementation. Every third-party connection multiplies your attack surface.
Getting a handle on your security debt
So how can you start tackling your security debt before a ransomware attack darkens your digital doorstep? Begin with a few core improvements that give you the most bang for your buck.
Authentication is your biggest win. Shared service accounts and local admin sprawl represent your highest risk and your best opportunity for improvement. Getting this right provides more security value per hour invested than any fancy enterprise tool. If you haven’t deployed a password manager yet, start there—it’s the foundation that makes implementing MFA across your environment manageable.
Know what’s really exposed. Run an external vulnerability scan, and you’ll quickly get a much clearer picture of what you’re dealing with. Most IT teams discover at least three forgotten services that are exposed to the internet and shouldn’t be. Each one you close removes an attack vector. While you’re at it, don’t forget about your cloud resources. Misconfigured AWS S3 buckets and Azure storage accounts are still compromising organizations every day.
Test your backups like your coverage depends on it—because it does. Cyber insurers now expect you to know exactly where your backups are, test them regularly, and ensure your backup credentials aren’t stored where attackers can access them. Schedule regular restoration tests and document your recovery procedures.
Automate key processes. Look for automation that solves specific problems: automated patching for non-critical systems, scripts that check for stale accounts, or alerts when someone creates a new admin. Even implementing one or two of these can free up significant time for more critical work.
Recalibrating your risk tolerance for today’s realities
The security shortcuts you might have grudgingly made just a few short years ago probably assumed certain things about threat actors, attack methods, and recovery options. Take some time to update those assumptions so they’re in line with the threats you face today.
Document every security trade-off. You’ll want to document these decisions not just for compliance (though it helps), but for your own sanity. When you accept a risk, write down why, what compensating controls exist, and under what conditions you’d revisit the issue. This documentation becomes critical during insurance renewals and budget discussions.
Build detection capabilities. When bad actors inevitably come calling, you need to know about it. Free CloudTrail logs, Windows Event Forwarding, and syslog data from your network devices can reveal compromises that even some paid tools might miss. The key isn’t having every possible log but knowing what abnormal activity looks like in the logs you do have.
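One way to turn the “alert when someone creates a new admin” automation and the “know what abnormal looks like in the logs you do have” advice into working detection logic, as an added example that is not from the article or from any Spiceworks or AWS tool: a small Python script that reads CloudTrail records and flags admin policy attachments, additions to admin groups, and console logins without MFA. The sample events, user names and the ADMIN_GROUPS list are constructed assumptions; the field names follow the real CloudTrail JSON schema.

```python
"""Flag admin grants and MFA-less console logins in CloudTrail records.
Example added for this article, not Spiceworks or AWS code; sample events are
constructed to follow the CloudTrail JSON schema, names are placeholders."""
import json

# Attaching this AWS managed policy is the most direct way to make a new admin.
ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"
GRANT_EVENTS = {"AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy"}
# Assumption: groups that confer admin rights in this account; tune to yours.
ADMIN_GROUPS = {"Administrators", "admins"}

def detect(records):
    """Return (rule, actor, detail) tuples for each record that matches a rule."""
    alerts = []
    for rec in records:
        actor = rec.get("userIdentity", {}).get("userName", "<unknown>")
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}  # null for many read-only calls
        if name in GRANT_EVENTS and params.get("policyArn", "").endswith(ADMIN_POLICY_SUFFIX):
            target = params.get("userName") or params.get("groupName") or params.get("roleName")
            alerts.append(("admin-policy-attached", actor, target))
        elif name == "AddUserToGroup" and params.get("groupName") in ADMIN_GROUPS:
            alerts.append(("added-to-admin-group", actor, params.get("userName")))
        elif name == "ConsoleLogin" and (rec.get("additionalEventData") or {}).get("MFAUsed") == "No":
            alerts.append(("console-login-without-mfa", actor, rec.get("sourceIPAddress")))
    return alerts

# Constructed sample: one routine call, one admin grant, one group add, one no-MFA login.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2025-06-01T08:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "requestParameters": None},
    {"eventTime": "2025-06-01T08:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2025-06-01T08:06:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AddUserToGroup",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupName": "Administrators", "userName": "bob"}},
    {"eventTime": "2025-06-01T09:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.7",
     "additionalEventData": {"MFAUsed": "No"}},
]})

def run(log_text=SAMPLE_LOG):  # a CloudTrail log file body is a JSON object with a Records array
    return detect(json.loads(log_text)["Records"])

if __name__ == "__main__":
    for rule, actor, detail in run():
        print(f"ALERT {rule}: {actor} -> {detail}")
```

The same three rules work unchanged on files pulled from a CloudTrail S3 bucket, since each file is a JSON object with the same Records array.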
If you don’t have time to regularly monitor these logs, though, consider managed detection and response (MDR) services. For a fraction of what a security analyst would cost, MDR providers can monitor your environment 24/7. Not all of them are created equal, but even basic MDR beats hoping you’ll notice an attack during business hours.
Create response procedures before you need them. A basic incident response plan beats no plan every time. Who do you call? What do you preserve? How do you communicate with leadership? Write it down while you’re calm, not during an actual incident.
Having the budget conversation
Although most business leaders understand that they have to invest in security, that doesn’t mean you’re going to have an easy time getting them to approve your budget request. You’ve still got to make a strong business case for addressing your security debt.
As you know, security is really about business continuity at the end of the day, so frame it that way when you make your budget pitch. When you connect security improvements to existing business goals such as reducing downtime, maintaining cyber insurance coverage, or meeting customer compliance requirements, their value becomes clearer.
Transparency about trade-offs is essential, too. If current staffing levels mean choosing between security enhancements and keeping systems running, the C-suite needs that context. They can’t solve problems they don’t know exist, and they may have resources or alternatives you haven’t considered.
Specific numbers make the conversation more productive. Saying something like “implementing MFA and network segmentation will cost $35,000 and reduce our breach probability by 70%” gives leadership something concrete to evaluate.
Consider presenting the executive team with multiple options at different investment levels. What can you accomplish at $10,000 as opposed to $50,000, for example? When they see the side-by-side comparison, they’ll be in a better position to make an informed decision.
The security recalibration that’s overdue
IT has had to make difficult security trade-offs for a long time. But while this has been going on, cybercriminals have begun weaponizing AI, cyber insurance has become more selective, and compliance requirements have expanded.
When it’s hard to get the resources you need, bridging the gap may seem impossible. This isn’t about achieving perfection, though. It’s about finding sustainable ways to reduce risk within the constraints you have.
Progress doesn’t have to be dramatic to be meaningful. By addressing one vulnerability at a time, you can create momentum and begin tackling your security debt. Your company’s security doesn’t need to be flawless (there’s no such thing). It just needs to be better than it was yesterday.
Former IT Director turned tech writer, Rose de Fremery built an IT department from scratch; she led it through years of head-spinning digital transformation at an international human rights organization. Rose creates content for major tech brands and is delighted to return to the Spiceworks community that once supported her own IT career.