If your business runs on the institutional knowledge of one person who learned IT in a different era and works for free, you do not have an IT strategy. You have a dependency. And like any single point of failure, it holds together right up until it does not.
This is not a knock on your uncle. He probably knows more about networking than most people in your building, and his help has likely saved you real money over the years. The problem is structural, not personal. When one person holds all the context about your environment, and that person is not available around the clock, not accountable to a service agreement, and not actively tracking the current threat landscape, your business is exposed in ways you probably cannot see.
What “Informal IT” Actually Looks Like in Practice
Informal IT arrangements tend to share a few common characteristics:
- No documentation. The network topology, firewall rules, admin credentials, and licensing details live in one person’s head. If that person is unavailable, so is that knowledge.
- Reactive, not proactive. Things get fixed when they break. Patches get applied when someone notices a problem. Security reviews do not happen on a schedule because there is no schedule.
- Outdated tooling. A setup that was solid in 2015 is not necessarily solid now. Threat actors have moved on. Ransomware operators, credential-stuffing kits, and living-off-the-land attack techniques did not exist at the same scale or sophistication when many informal IT arrangements were first established.
- No visibility. Without centralized logging, endpoint detection, and alerting, nobody knows what is happening on the network until something obvious goes wrong.
The Security Stack Question You Should Be Asking
Here is a direct question worth sitting with: can you actually verify that your security tools are configured correctly and up to date right now?
Not “I think so” or “my uncle set it up.” Can you pull a report? Can you show a current patch status across endpoints? Can you demonstrate that your endpoint protection is actively monitored and that alerts are being reviewed by someone?
If the answer is no, you are not running a security stack. You are running software that may or may not be doing anything useful, and you would not know the difference until after an incident.
Specific things that quietly break in unmanaged environments:
- Antivirus and EDR tools that go unmonitored. Alerts fire and nobody sees them. Definitions fall out of date. Licenses lapse.
- Firewalls with stale rule sets. Rules added years ago for a vendor or employee who no longer exists, never cleaned up.
- MFA that was never fully rolled out. One or two accounts still authenticating with just a password because “we never got around to it.”
- Unpatched systems. A single unpatched internet-facing system is a reliable entry point for attackers who scan for exactly that.
- No offboarding process. Former employees whose credentials still work because there was no formal process to revoke them.
None of these require a sophisticated attacker to exploit. They are the basics, and they slip in environments where nobody owns them.
What Happens When He Is Not Available
Consider the realistic scenarios. Your uncle goes on a two-week trip. He has a health event. He simply decides he is done. Or, more gradually, he becomes less available as other priorities take over.
In any of those cases, who handles a ransomware incident at 11 PM on a Friday? Who resets a locked account for an employee who cannot get into a system they need for a customer deadline? Who knows where the backups are, whether they have been tested, and how to actually restore from them?
If the answer is “nobody” or “we would figure it out,” that is the gap. And it is not a small one.
What a Managed IT Relationship Actually Provides
A managed IT provider does not just fix things when they break. The value is in what gets prevented and what gets documented.
A proper managed IT engagement includes:
- A defined service scope with accountability. You know exactly what is covered, who responds, and how fast.
- Continuous monitoring. Endpoints, network, and identity are watched. Alerts go to people whose job it is to act on them.
- Patch management on a schedule. Not when someone gets around to it. On a cadence, with reporting.
- Documentation that lives outside any one person’s head. Network diagrams, asset inventories, credential vaults, runbooks.
- A tested backup and recovery process. Not just backups that exist, but backups that have been restored from, so you know they work.
- Security stack validation. Someone who can tell you, with evidence, whether your tools are configured correctly and doing what they are supposed to do.
For organizations in the defense industrial base or any regulated industry, this is not optional. CMMC Level 2 and NIST SP 800-171 both require documented processes, access controls, audit logging, and incident response capabilities that an informal arrangement simply cannot satisfy.
How to Start Fixing This
You do not have to do everything at once, but you do need to start with an honest assessment.
First, document what you have. Get your asset inventory, your software list, your admin credentials, and your network layout out of one person’s memory and into a system that survives their absence.
Second, get an independent review of your current security posture. Not from the person who set it up. From someone who can look at it objectively and tell you what is actually configured, what is not, and what the gaps are.
Third, define who owns IT going forward. That might be a managed service provider, an internal hire, or a hybrid. But it needs to be someone with a defined scope, a service agreement, and accountability.
Your uncle’s help got you here. That is worth something. But a business that cannot answer basic questions about its own security posture is not in a stable position, and the time to address that is before something breaks, not after.