News

Ten Years of Ironshare

June 8, 2026

April 2026 rang in the 10 Year Anniversary for Ironshare. Ironshare started as a focused cybersecurity consulting business with a simple goal: help organisations improve their security posture with practical, real-world advice and services.

Over the last decade, that journey has evolved significantly. What began with consultancy expanded into managed security services, security assessments, penetration testing, compliance support, and broader cybersecurity advisory services. Early on, we made a conscious effort to bring enterprise-grade cybersecurity thinking and support to SMBs at a time when many smaller organisations were underserved or overlooked by the industry.

We are also proud to have become an IASME Certification Body, helping organisations achieve and maintain certifications such as Cyber Essentials and IASME Cyber Assurance, while supporting businesses in building stronger security foundations.

Cybersecurity itself has changed dramatically over the last 10 years. We have seen the rise of ransomware-as-a-service, cloud-first infrastructure, remote and hybrid working, supply chain attacks, AI-driven threats, an increase in IoT / OT systems being targeted, and an ever-growing regulatory landscape. The attack surface for organisations today is vastly different from what it was a decade ago.

Yet despite all of this change, one thing has remained remarkably consistent: poor cyber fundamentals continue to be the biggest security challenge for organisations. We have performed hundreds of cyber assessments and security tests, and today we are still discovering the same risks.

  • Weak identity controls - Poor password practices, lack of MFA, excessive administrative privileges and shared accounts continue to be some of the most common routes to compromise. As identity is key to cloud-first environments, protecting user and privileged access is now critical to reducing organisational risk. Use passkeys where available to replace traditional passwords and introduce security keys for your most privileged accounts. This doesn't just apply to your common cloud services like Microsoft 365 and Google Cloud; any cloud services, such as finance, HR, cloud storage, code repositories and even social media, should be protected.
  • Out of support operating systems and devices - Legacy operating systems, unsupported infrastructure, and ageing network-connected devices often remain embedded within business environments long after vendor support has ended. These systems no longer receive security updates, leaving organisations exposed to known vulnerabilities that are actively targeted by attackers.
  • Lack of patching - Delayed or inconsistent patch management continues to be a major contributor to security incidents. Many successful attacks exploit vulnerabilities that already have available fixes, highlighting the importance of maintaining robust vulnerability and update management processes across servers, endpoints, applications, and network infrastructure. Most organisations only focus on Windows-based devices and forget about other types of devices connected to the network. Remember that patching for all devices, including the network, firewalls, printers, IoT/OT etc., should be part of your patch management lifecycle.
  • Backup and restore testing - Having backups alone is no longer enough. Organisations must ensure backups are protected, monitored, and regularly tested for recovery. In many cases, businesses have discovered too late that backups are incomplete, inaccessible, or unable to meet recovery expectations during a real-world incident.
  • Poor configuration management - Misconfigured systems, overly permissive access, unnecessary exposed services, insecure defaults, and inconsistent hardening standards create avoidable attack paths for threat actors. Effective configuration management and baseline security standards remain fundamental to maintaining a secure and resilient environment. Although we have seen improvement in the default security provided by software vendors and manufacturers, never trust that your shiny new product or cloud service is secure. Always verify and apply best practice standards before a live deployment.
  • No or limited asset inventory - Organisations cannot effectively secure what they do not know exists. Many businesses still lack accurate visibility of their devices, systems, applications, cloud services, and internet-facing assets. Those organisations that do believe they have asset inventories often rely on Remote Monitoring and Management or Mobile Device Management systems, which often means they are unable to capture all assets. This creates blind spots where unmanaged, forgotten, or shadow IT systems can remain vulnerable and unmonitored, increasing the likelihood of compromise and slowing incident response when security events occur. Supplement your tooling with an asset inventory spreadsheet where required, and ensure it is regularly reviewed.

This is by no means exhaustive, but these fundamentals are still among the primary reasons businesses are compromised today. Technology continues to evolve rapidly, but strong security foundations remain the cornerstone of effective cyber resilience.

Reaching 10 years is an important milestone for us, and it would not have been possible without the support of our customers, partners, and the wider community we have worked alongside throughout this journey. Thank you to everyone who has trusted, supported, collaborated, and grown with us over the last decade.

We are incredibly proud of what has been achieved so far, and we look forward to continuing to help organisations strengthen their security posture for many years to come.

Author

Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
