Assumptions Business Owners Make About Their IT (That Turn Out to Be Wrong)
"Everything is fine. My IT person handles it."
This is what most business owners say about their IT setup. And they believe it, until something goes wrong.
Then they discover: what they assumed was handled was not. What they thought was configured was not. What they believed was backed up was not.
Here are the seven most common assumptions business owners make about their IT, and what the reality usually turns out to be.
Assumption 1: "My IT person handles everything"
What owners believe: My IT person or contractor has everything under control. They are the expert. Everything is handled.
What is often true instead: The IT person is handling some things but not others. They know what they are doing but have not documented any of it. If they left tomorrow, nobody would know how anything works or where anything is.
A common version of this: an owner assumes their IT contractor is managing backups. An insurance renewal asks for proof. The contractor says backups exist. The owner asks to see a recent backup file. The contractor admits backups failed three months ago and nobody noticed.
How to verify: Ask your IT person to show you evidence that specific things are configured. Not "it is handled" — show me. A good IT person will have no problem doing this. If they cannot or will not, that tells you something.
Assumption 2: "Email security is configured"
What owners believe: We use Google Workspace or Microsoft 365. Big platforms. Email security is included and working.
What is often true instead: SPF is configured. DKIM is sometimes configured. DMARC is missing in roughly 80 percent of small business setups.
This matters because without full email security, someone can impersonate your domain. Your legitimate emails may be landing in spam without you knowing it.
How to verify: Go to mxtoolbox.com and check SPF, DKIM, and DMARC for your domain. All three should show as configured. If DMARC is missing, ask your IT person or email provider to add it. It takes about 30 minutes.
Assumption 3: "The SSL certificate auto-renews"
What owners believe: SSL was set up with Let's Encrypt or through the hosting provider. It renews automatically every 90 days. Nothing to think about.
What is often true instead: Auto-renewal works until it does not. A hosting migration, a DNS change, a configuration error, or an expired payment method can all break the auto-renewal process silently. The certificate lapses and visitors see a "not secure" warning before the owner knows anything is wrong.
How to verify: Visit your website, click the padlock icon in the browser address bar, and check the certificate expiration date. Set a calendar reminder 30 days before it expires as a manual backup to auto-renew.
Assumption 4: "We have backups"
What owners believe: Backups are configured. The host backs up the website. Files are in the cloud.
What is often true instead: The host offers backups but the customer never enabled them. Or backups were configured two years ago and stopped working without anyone noticing. Or backups exist but restoration has never been tested and the files turn out to be corrupted or incomplete.
One version of this that comes up repeatedly: an owner is confident backups exist because "the host includes them." Website gets hacked. Owner asks for a backup. Host confirms that backups are an add-on service that was never purchased.
How to verify: Ask where backups are stored and ask to see a recent backup file. Then ask when restoration was last tested. If the answer to any of these is uncertain, treat backups as unverified until you have checked.
There is a longer version of this conversation in Backups: Why "We Have Them" Isn't Good Enough.
Assumption 5: "The domain is on auto-renew"
What owners believe: The domain is set to auto-renew. Credit card is on file. It will renew every year automatically.
What is often true instead: Auto-renew was set up years ago and has not been checked since. The credit card on file expired. Renewal emails went to a former employee's address. The renewal failed silently and the domain expired without anyone noticing until the website and email stopped working.
How to verify: Log into your domain registrar right now, not "last time I checked." Confirm auto-renew is on, confirm the payment method is current, and note the expiration date. Set a calendar reminder for 60 days before expiration as a manual backup.
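As an added example (not code from the article or from ExplainMyIT), the Python script below turns the verification steps from Assumptions 2, 3 and 5 into repeatable checks: it classifies SPF, DKIM and DMARC TXT records the way the mxtoolbox lookup reports them and applies the article's 30-day certificate and 60-day domain reminder windows. All domain names, record contents and dates in it are constructed, and it runs offline on those values.

```python
import ssl
from datetime import date, datetime, timezone

def parse_dmarc(txt):
    """Return the DMARC policy (none/quarantine/reject) from a _dmarc TXT
    record, or None when the record is missing or is not a DMARC record."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p")

def email_auth_status(spf_txt, dkim_txt, dmarc_txt):
    """Classify the three records; inputs are raw TXT strings, None if absent."""
    policy = parse_dmarc(dmarc_txt)
    return {
        "spf": bool(spf_txt) and spf_txt.strip().lower().startswith("v=spf1"),
        "dkim": bool(dkim_txt) and "p=" in dkim_txt.replace(" ", ""),
        "dmarc": policy is not None,
        "dmarc_policy": policy,
    }

def cert_days_left(not_after, today_iso):
    """Days until a certificate expires. not_after uses the notAfter format
    that Python's ssl.getpeercert() returns, e.g. 'Jan  1 00:00:00 2030 GMT'."""
    seconds = ssl.cert_time_to_seconds(not_after)
    expiry = datetime.fromtimestamp(seconds, timezone.utc).date()
    return (expiry - date.fromisoformat(today_iso)).days

def renewal_alerts(cert_not_after, domain_expiry_iso, today_iso):
    """Apply the article's reminder windows: 30 days before the certificate
    expires, 60 days before the domain expires."""
    alerts = []
    if cert_days_left(cert_not_after, today_iso) <= 30:
        alerts.append("certificate expires within 30 days: confirm renewal ran")
    domain_left = (date.fromisoformat(domain_expiry_iso) - date.fromisoformat(today_iso)).days
    if domain_left <= 60:
        alerts.append("domain expires within 60 days: confirm auto-renew and payment card")
    return alerts

if __name__ == "__main__":
    # Constructed sample (not a real domain): SPF and DKIM present, DMARC absent,
    # which is the gap the article says most small-business setups have.
    print(email_auth_status("v=spf1 include:_spf.example.net -all",
                            "v=DKIM1; k=rsa; p=PUBLICKEYPLACEHOLDER", None))
    print(renewal_alerts("Jan  1 00:00:00 2030 GMT", "2030-02-01", "2029-12-15"))
```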
Assumption 6: "We are secure because nothing has gone wrong"
What owners believe: We have not been hacked. The website seems fine. Email works. We must be reasonably secure.
What is often true instead: WordPress, plugins, or themes are two to four years out of date with known vulnerabilities. There is no active security monitoring. Admin passwords are weak or reused. The only reason nothing has gone wrong yet is that no one has tried.
Automated attacks do not target companies based on size. They scan for known vulnerabilities across every site they can reach. "We are too small to be worth targeting" is not how it works.
How to verify: Check your website software versions. Are they current? Is two-factor authentication enabled on admin accounts? When was the last security scan? These are questions your IT person should be able to answer immediately.
Assumption 7: "I would know if something was wrong"
What owners believe: If there was a real problem, customers would complain. Email would stop working. Something would obviously break. I would notice.
What is often true instead: Email deliverability declines silently. A third of outgoing emails land in spam and nobody tells the sender. The website gets slower over weeks and customers bounce without saying anything. A domain expiration date creeps up without a warning. Backups fail for months with no alert.
Most IT problems do not announce themselves. They degrade quietly until they reach a threshold where something visible breaks. By then the damage has already been accumulating.
How to verify: Test your website speed at Google PageSpeed Insights. Send test emails to Gmail and Outlook accounts and check whether they land in the inbox. Log into your domain registrar and check the expiration date. These are checks you can do yourself in under 30 minutes and they replace assumption with fact.
The Pattern
Across all seven of these assumptions the pattern is the same:
Something was set up and then assumed to be running. Nobody verified it was still working. Nobody asked for proof. Then an insurance renewal, a vendor change, a customer complaint, or an actual incident surfaced the gap.
The businesses that avoid these situations are not more technical. They just ask "can you show me?" more often than they say "I assume it is handled."
Questions to Ask Your IT Person
These are reasonable questions that any IT person managing your systems should be able to answer without hesitation:
- Can you show me our most recent backup and when it was last tested?
- Is email security fully configured including DMARC?
- When does our domain expire and can you confirm auto-renew is working?
- Are our website software and plugins current?
- When did you last run a security scan?
A good IT person welcomes these questions. If the response is defensive or vague, that is information worth having.
FAQ
Is it reasonable to trust my IT provider without verifying everything? Yes, within reason. You should not need to micromanage every technical decision. But for a small number of high-stakes things, such as backups, domain control, and SSL status, asking for periodic proof is not distrust. It is good business practice.
How often should I do these checks? Quarterly is enough for most things. Domain expiration and SSL status are worth checking monthly because the consequences of missing them are immediate.
What if my IT person gets offended when I ask for proof? A professional will not. Asking to see backup files or confirm a certificate expiration date is a normal part of being a responsible business owner. If the reaction is "don't you trust me," that response itself is worth paying attention to.
What if I find a gap — something that was assumed to be handled but is not? Address it calmly and directly. Most of these gaps are not the result of negligence, they are the result of nobody ever explicitly assigning responsibility or checking the outcome. A conversation about who owns what and how you will verify it going forward is more useful than blame.
The external snapshot ExplainMyIT generates every month covers several of these assumptions directly. SSL certificate status, domain expiration, email security configuration, and DNS records are all checked automatically and kept as a dated record. You will see changes between months, and you will have something to point to if anyone ever asks what your setup looked like before something went wrong.