
When a Temporary Fix Becomes a Real Risk

April 22, 2026 by Patrick Hayes

Most small and mid-sized businesses don’t think they have a control problem. On paper, things usually look fine. Security tools are in place, policies exist, and requirements are technically met, but that’s rarely where things break. The real issues tend to sit in the background, in the workarounds and temporary decisions that were made to keep the business moving and then never revisited.

The workaround that made sense at the time

Take a simple example. A 200-person manufacturing company rolls out multi-factor authentication for remote access. It’s the right move, and in many cases it’s expected by insurers. But one older system, one that finance users rely on daily, doesn’t support it. Instead of disrupting operations, the team puts in a temporary fix: they restrict access to the system to certain network locations, require stronger passwords, and enable logging. It works well enough, and the plan is to address it properly during a future upgrade.

How temporary becomes permanent

That upgrade keeps getting pushed. Priorities shift, budgets move, and over time the exception stops feeling temporary. A couple of years later, MFA is enforced almost everywhere except for the one system that matters most. The list of allowed locations has grown to accommodate remote work, password discipline isn’t as tight as it once was, and while logs are still being collected, no one is consistently reviewing them. Nothing about this feels urgent. It just becomes part of how the business operates.

When nothing looks wrong…

Then something goes wrong. An attacker obtains a valid username and password, often through something as simple as a phishing email. Without MFA in place, the password alone is enough, and nothing slows them down. Their session looks like the legitimate user’s, so it doesn’t raise alarms. From there, they move into financial workflows, change payment details, and money starts leaving the business before anyone realizes what’s happening.

Why insurers look at this differently

This is where the insurance conversation changes. When the company applied for coverage, they stated that MFA was in place. From a high level, that was true. But after an incident, insurers don’t look at controls in general terms. They look at how they actually functioned at the point of failure. What they often find in cases like this is a known exception that was never resolved and a compensating control that no longer provided meaningful protection.

The quiet buildup of risk

At that point, the issue is no longer just about the breach. It becomes a question of how risk was being managed and whether it was accurately represented. Even if the claim is ultimately paid, the impact shows up in the next renewal cycle. Premiums increase, coverage becomes more restrictive, and the business faces more scrutiny going forward.

When controls stop being controls

The underlying problem isn’t the use of a compensating control. Those are sometimes necessary. The issue is that they are rarely treated as temporary in practice. They are meant to buy time, but without clear ownership and an end date, they quietly become permanent. Over time, they shape the risk of the business in ways that aren’t always visible until something fails.

The one question that usually exposes it

What is the oldest workaround still in place, and why does it still exist? The answer usually points to where risk has been allowed to drift, not because of a single bad decision, but because no one came back to close the gap.

What to do next

If you’re heading into a renewal or even thinking about cyber insurance, this is worth a closer look now, not later. Start by identifying your exceptions and compensating controls. Then ask a harder question. Are they still doing the job they were meant to do, or have they quietly become part of the risk?
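One way to make that review concrete, as an added example that is not part of the original post: keep the exceptions in a register with an owner and a review date, and periodically test each compensating control against the logs it was supposed to be backed by. The register layout, the key=value log format, the hostnames (legacy-erp, hr-portal), users, addresses and dates below are all constructed for the example and are not from any real product or from the company described above.

```python
"""Check whether a documented MFA exception is still doing its job.

Added example, not from the original post. It assumes a simple
exception register and a key=value auth log format of my own
invention; the hostnames, users, addresses and dates are constructed.
"""
from datetime import date
import ipaddress
import re

# Constructed exception register. Each compensating control carries an
# owner and a review date so the exception cannot silently become permanent.
EXCEPTIONS = [
    {
        "system": "legacy-erp",  # hypothetical finance system without MFA support
        "control_missing": "mfa",
        "owner": "it-manager",
        "granted": date(2023, 3, 1),
        "review_by": date(2023, 9, 1),
        # "restrict access to certain locations": the allowed source networks
        "allowed_cidrs": ["203.0.113.0/24", "10.20.0.0/16"],
    },
    {
        "system": "hr-portal",
        "control_missing": "mfa",
        "owner": "hr-systems",
        "granted": date(2026, 1, 15),
        "review_by": date(2026, 7, 15),
        "allowed_cidrs": ["10.20.0.0/16"],
    },
]

# Constructed auth log lines (assumed format, not a real product's).
AUTH_LOG = """\
2026-04-20T08:02:11Z host=legacy-erp user=a.finance src=203.0.113.45 mfa=no result=success
2026-04-20T08:15:40Z host=legacy-erp user=b.finance src=10.20.4.7 mfa=no result=success
2026-04-21T02:47:03Z host=legacy-erp user=a.finance src=198.51.100.23 mfa=no result=success
2026-04-21T02:49:30Z host=legacy-erp user=a.finance src=198.51.100.23 mfa=no result=success
2026-04-21T09:00:12Z host=hr-portal user=c.hr src=10.20.9.3 mfa=no result=success
2026-04-21T09:05:55Z host=legacy-erp user=b.finance src=10.20.4.7 mfa=no result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def overdue_exceptions(register, today):
    """Exceptions whose review date has passed: 'temporary' fixes that became permanent."""
    return [e["system"] for e in register if today > e["review_by"]]


def oldest_exception(register, today):
    """The question from the post: which workaround has been in place the longest, and for how many days?"""
    oldest = min(register, key=lambda e: e["granted"])
    return oldest["system"], (today - oldest["granted"]).days


def review_logins(events, register):
    """Test the compensating control: a successful password-only login to an
    excepted system from outside its allowed networks is a finding, because
    without MFA that session otherwise looks like the legitimate user's."""
    nets = {e["system"]: [ipaddress.ip_network(c) for c in e["allowed_cidrs"]]
            for e in register}
    findings = []
    for ev in events:
        if ev["host"] not in nets or ev["mfa"] != "no" or ev["result"] != "success":
            continue
        src = ipaddress.ip_address(ev["src"])
        if not any(src in n for n in nets[ev["host"]]):
            findings.append((ev["ts"], ev["host"], ev["user"], ev["src"]))
    return findings


if __name__ == "__main__":
    today = date(2026, 4, 22)
    print("overdue exceptions:", overdue_exceptions(EXCEPTIONS, today))
    print("oldest exception:", oldest_exception(EXCEPTIONS, today))
    for f in review_logins(parse_log(AUTH_LOG), EXCEPTIONS):
        print("password-only login from outside allowed networks:", f)
```

Run against the constructed data, the script reports legacy-erp as an exception more than two years old with a review date long past, and flags the two early-morning password-only logins by a.finance from an address outside the allowed networks. If the allowed list had quietly grown to cover that address, the finding would disappear while the risk stayed, which is exactly why the register and the review belong together.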

If you’re not sure, that’s usually the signal. That’s where we start.