Libertad Cyber Advisory

    Why small businesses are paying for security they don’t have

    Sitting in Cape Town’s Silo District, it is clear that many businesses are building digital silos that hide massive security gaps. From missing DMARC records to the "MSP illusion," I deep-dive into why SMEs need forensic expertise and not junior grunt work to safely unlock the power of AI and scale toward ISO readiness.
    Handré van der Merwe, February 4, 2026


    The Silo District in Cape Town was buzzing this week. Sitting at the Virgin Active co-working space, surrounded by the energy of the precinct, it is impossible not to think about the “silos” we build in business. Specifically the dangerous silos of information that exist between small firms and the people they pay to protect them.

    I recently sat down with a client in the renewable energy sector. A company on the verge of an explosive new chapter. They are pushing boundaries with AI and building out their own models, with a goal of achieving ISO certification in the next 24 months. But as we looked under the hood of their current infrastructure, the “buzz” hit a wall of reality.

    The “Basics” Aren’t Basic. They’re Foundational
    The CEO’s immediate pain was a wave of internal spoofing and impersonation. It’s a classic symptom of a “managed” environment that is not actually being hardened. A quick audit revealed that the “Big Three” of email security (SPF, DKIM, and DMARC) were entirely missing.
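
    An offline sketch of the kind of check behind the audit finding above, added here as an example and not the author's tooling: it takes TXT records as a DNS lookup would return them and reports missing or unenforced SPF, DKIM and DMARC. The `.example` domains, the selector name `s1` and all record values are constructed, and DKIM selectors are passed in as an assumption because they cannot be listed from DNS.

```python
"""Offline audit of SPF, DKIM and DMARC posture from TXT records (added example)."""

def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC/DKIM syntax) into a lowercase-key dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")  # first '=' only: base64 padding survives
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_email_auth(txt, domain, dkim_selectors):
    """txt maps DNS name -> list of TXT strings; returns a list of findings."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("SPF: no record")
    elif len(spf) > 1:
        findings.append("SPF: multiple records (permerror)")
    else:
        last = spf[0].split()[-1].lower()
        if last in ("+all", "all", "?all"):  # pass or neutral for every sender
            findings.append(f"SPF: '{last}' does not restrict senders")

    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC: no record")
    else:
        policy = parse_tags(dmarc[0]).get("p", "").lower()
        if policy not in ("quarantine", "reject"):  # p=none only reports
            findings.append(f"DMARC: p={policy or 'missing'} is not enforced")

    for sel in dkim_selectors:
        keys = txt.get(f"{sel}._domainkey.{domain}", [])
        if not any(parse_tags(k).get("p") for k in keys):  # absent, or empty p= (revoked)
            findings.append(f"DKIM: selector '{sel}' has no public key")
    return findings

# Constructed sample records (not real lookups).
WEAK = {"weak.example": ["v=spf1 include:_spf.mail.example ?all"],
        "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
        "s1._domainkey.weak.example": ["v=DKIM1; k=rsa; p="]}
HARD = {"ok.example": ["v=spf1 include:_spf.mail.example -all"],
        "_dmarc.ok.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@ok.example"],
        "s1._domainkey.ok.example": ["v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="]}

if __name__ == "__main__":
    for name, zone in (("bare.example", {}), ("weak.example", WEAK), ("ok.example", HARD)):
        print(name, audit_email_auth(zone, name, ["s1"]))
```

    The empty zone reproduces the "entirely missing" case; the weak zone shows that records can exist and still leave spoofed mail unblocked.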

    But it didn’t stop there. In a firm building high-value AI IP, we found:

    • Zero Multi-Factor Authentication (MFA): The front door is essentially unlocked.
    • No Device Management (MDM): Corporate data is living on unmanaged personal devices.
    • No Password Management: A recipe for credential stuffing and lateral movement.

     

    The Absentee MSP

    The shocking part is that this company has been paying a Managed Service Provider (MSP) for years to “look after” them. This is where the mid-market gets burnt. You pay a monthly fee for maintenance, but you are not getting security. You are getting a service that keeps the lights on but forgets to lock the windows.

    Consulting often falls flat because it’s “too much talk, not enough doing.” The typical agency model is to sell you a senior partner’s vision and then send a junior out of varsity to do the grunt work. The cycle repeats, the technical debt grows, and the ISO certification goal stays a pipe dream.

    The “Ugly Workflow” Test: Why AI needs Identity to fly

    Everyone is trying hard to “do AI” right now, but most are missing the mark. Henry Schuck, CEO of ZoomInfo, recently shared a masterclass in actual AI utility. They built an AI agent to replace their “Deal Desk” and the manual bottleneck where contracts used to sit for hours. By automating the “ugly, manual” work of validating signed PDFs and cross-checking data, they cut contract turnaround from 5 hours to 7 minutes, saving over $1,000,000 a year.

    But here is the detail that most people overlook: Their AI agent runs under their existing Okta-based access controls.

    This is where my work with the renewable energy firm becomes critical. They are pushing boundaries, building their own AI models, and chasing ISO certification. But as I discovered, they are doing it without MFA, without device management, and without basic email authentication (SPF/DKIM/DMARC).

    The Identity Bottleneck

    If you want to implement a ZoomInfo-style AI agent to transform your business, that agent needs to access your data. If your Identity and Access Management (IAM) is a mess and managed by a complacent MSP that has not even locked the front door, you cannot safely deploy AI. You would essentially be giving a high-speed engine to a car with no brakes and no steering wheel.

    You can’t automate the “ugly workflows” if your underlying security infrastructure is the ugliest part of the business.

    Beyond the Hype

    Henry Schuck’s advice is clear: Start with the most painful, manual workflows and define a “happy path.” But as forensic advisors, our advice is the prerequisite: Secure the Identity layer first. The value is not just in spotting the missing configurations; it is in ensuring that when you do decide to deploy an AI task force, your infrastructure is robust enough to handle the speed.

    Next week

    I will be at the Microsoft AI Tour next week to see how these “Agentic” workflows are being adapted for the African market. If you are going to be there, let’s talk about how to harden your foundation so your AI ambitions don’t become a security liability.

    When was the last time someone truly scratched around under the hood of your digital tenant?

    © Libertad. 2026. Cyber Security Advisory based in Cape Town, South Africa.


    Legal notice: Libertad is a registered legal entity operating under the company laws of the Republic of South Africa. Registration Number: 2010/044126/23
