The IT Mistakes Every Remote Startup Makes
The 10 most common IT mistakes remote startups make, why they happen, and exactly how to fix each one.
I see the same mistakes at nearly every remote startup I work with. They're not dumb mistakes. They're the natural result of growing fast without anyone owning IT. Each one seems harmless in isolation. Together, they create a fragile, insecure, and expensive mess.
Here are the ten most common, why they happen, and how to fix them.
1. Using personal Gmail accounts for work
Why it happens: The company starts as two people working out of their personal email. They never switch to a company domain because it feels like a low priority.
The risk: You have zero control over those accounts. When someone leaves, they take their email (and all the customer conversations in it) with them. You can't enforce MFA, set password policies, or wipe data remotely. You also look unprofessional in every customer interaction.
How to fix it: Set up Google Workspace or Microsoft 365 on your company domain. It costs $7-14 per user per month. Migrate existing emails if needed. Do this before you hire employee number three.
2. No MFA on anything (or only on some tools)
Why it happens: People know MFA is important but never get around to enforcing it. Maybe the founder has it enabled on their own account. Nobody else does.
The risk: A single compromised password gives an attacker full access to that employee's email, files, and every connected tool. Without MFA, there's no second barrier. Google reports that MFA blocks over 99% of automated account compromises.
How to fix it: Enforce MFA at the identity provider level (Google Workspace or Microsoft 365). Don't make it optional. Don't use SMS verification (vulnerable to SIM swapping). Require authenticator apps or hardware security keys. Detailed setup in our SSO and MFA guide.
3. Sharing passwords in Slack DMs or Google Docs
Why it happens: Someone needs the login for a shared account. The fastest way to get it to them is a Slack message. It works, so it becomes the default.
The risk: Slack messages are searchable. If one account gets compromised, the attacker can search for "password" or "login" and find credentials for other services. Google Docs are even worse because they can be shared externally by accident.
How to fix it: Get a password manager. 1Password ($8/user/month) or Bitwarden ($4/user/month). Create shared vaults for team credentials. Make it a rule: credentials never go in Slack, email, or docs. Delete any existing password messages in Slack.
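The "delete any existing password messages" step is easier with a scan than by memory. The script below is an added example, not something from the original post: it reads a Slack channel export (a JSON array of message objects with "user", "ts" and "text" fields, the layout Slack's workspace export uses) and flags messages that look like pasted credentials so they can be removed and the credential rotated. The pattern list is a heuristic I chose for this example, and the sample messages are constructed.

```python
"""Find credential-looking messages in a Slack channel export (added example).

Assumes the export layout Slack produces for a workspace export: one JSON array
of message objects per channel-day file. Sample messages below are constructed.
"""
import json
import re
from pathlib import Path
from typing import Dict, List

# Heuristic markers of a credential pasted into chat. Each requires a separator
# ("is", ":" or "=") so plain mentions like "password reset is shipped" do not fire.
CREDENTIAL_PATTERNS = [
    ("password keyword", re.compile(r"\b(password|passwd|pwd|passcode)\b\s*(?:is|[:=])\s*\S+", re.I)),
    ("login pair", re.compile(r"\b(login|username|user)\b\s*[:=]\s*\S+.*\b(pass\w*|pw)\b\s*[:=]\s*\S+", re.I | re.S)),
    ("api key / token", re.compile(r"\b(api[_ -]?key|secret|token)\b\s*[:=]\s*[A-Za-z0-9_\-]{16,}", re.I)),
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

# Constructed sample: two benign messages, two that should be flagged.
SAMPLE_EXPORT = json.dumps([
    {"type": "message", "user": "U01ALICE", "ts": "1704067200.000100",
     "text": "Deploy is done, prod looks fine."},
    {"type": "message", "user": "U02BOB", "ts": "1704067260.000200",
     "text": "Figma login: design@example.com password: Summer2024!"},
    {"type": "message", "user": "U01ALICE", "ts": "1704067320.000300",
     "text": "password reset flow is shipped, please test"},
    {"type": "message", "user": "U03CAROL", "ts": "1704067380.000400",
     "text": "stripe api_key=sk_test_EXAMPLEKEYDONOTUSE1234567"},
])


def scan_export(export_json: str) -> List[Dict[str, object]]:
    """Return one finding per message matching any credential pattern.

    Findings carry only the message timestamp, author and matched labels,
    never the message text, so the report itself does not leak the secret.
    """
    findings: List[Dict[str, object]] = []
    for msg in json.loads(export_json):
        if msg.get("type") != "message":
            continue
        text = msg.get("text", "")
        labels = [label for label, pattern in CREDENTIAL_PATTERNS if pattern.search(text)]
        if labels:
            findings.append({"ts": msg["ts"], "user": msg.get("user", "?"), "labels": labels})
    return findings


def scan_export_dir(root: str) -> List[Dict[str, object]]:
    """Walk a full export directory (one JSON file per channel-day) and scan each file."""
    findings: List[Dict[str, object]] = []
    for path in sorted(Path(root).rglob("*.json")):
        for finding in scan_export(path.read_text(encoding="utf-8")):
            finding["file"] = str(path.relative_to(root))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(f"ts={finding['ts']} user={finding['user']} matched={', '.join(finding['labels'])}")
```

Run it against an unpacked workspace export with scan_export_dir, then delete each flagged message in Slack and rotate the credential it exposed; the timestamp and user are enough to locate the message without the report reproducing the secret.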
4. No offboarding process
Why it happens: The first few departures are handled ad hoc. Someone remembers to remove them from Slack. Nobody remembers the Figma account, the shared 1Password vault, or the customer Notion workspace.
The risk: 40% of ex-employees retain access to corporate apps after leaving. That's not a theoretical risk. It's a near-certainty if you don't have a documented process.
How to fix it: Build an offboarding checklist. Three phases: immediate (15 minutes), same day, and within one week. Assign someone to own it. Run it the same way every time. Use SSO as the primary kill switch so disabling one account cascades to everything.
5. Buying tools nobody asked for or uses
Why it happens: A team lead signs up for a new tool. It gets rolled out to their team. Six months later, half the seats are inactive but the subscription auto-renews.
The risk: The average company wastes 25-30% of its SaaS spend on unused licenses. For a 50-person team, that's thousands of dollars per year. Beyond cost, every tool is another attack surface, another set of credentials, and another thing to manage during offboarding.
How to fix it: Maintain a tool registry (even a spreadsheet). Every new tool purchase requires approval from one person. Run a quarterly audit: check active users vs. paid seats. Cancel or downgrade anything under 50% utilization. Consolidate overlapping tools.
6. No MDM (mobile device management)
Why it happens: Device management sounds enterprise-y and expensive. The team is small. Everyone takes care of their own laptop. It seems fine.
The risk: If a laptop gets stolen, you have no way to wipe it. You don't know if drives are encrypted. You can't verify that OS updates are installed. You have no inventory of what devices exist, where they are, or what state they're in. One lost laptop with an unencrypted drive can be a reportable data breach.
How to fix it: Set up MDM. Kandji for Mac-first teams, Intune for mixed environments. Start with the basics: enforce encryption, require a passcode, push OS updates, and set up remote wipe capability. You can get this running in a day.
7. Giving everyone admin access to everything
Why it happens: When the company is five people, everyone is admin on everything. It's easier. As the team grows, nobody removes those permissions.
The risk: The principle of least privilege exists for a reason. If everyone is an admin on Google Workspace, any compromised account can change security settings, access all email, or delete data. The same applies to every other tool: Slack, AWS, Notion, your CRM.
How to fix it: Audit admin access on every critical tool. Remove admin permissions from anyone who doesn't actively need them. Most people need user-level access, not admin. Keep admin accounts to two or three people maximum per tool. Document who has admin access and review it quarterly.
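A quarterly admin review goes faster when the check is a script rather than a manual pass through each console. The following is an added example, not from the original post: it takes a CSV of user-list exports (tool, user, role, days since last sign-in, a column set I chose for the example; most tools export something close to it) and produces the register of who has admin on what, the tools that exceed the two-to-three-admin ceiling, and admins who have not signed in recently. The rows and the 3-admin / 90-day thresholds are constructed for the example.

```python
"""Audit admin role assignments across SaaS tools (added example, not the post's own code).

Input mirrors a per-tool user export merged into one CSV; the rows below are constructed.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_CSV = """tool,user,role,days_since_last_login
Google Workspace,alice@example.com,admin,1
Google Workspace,bob@example.com,admin,3
Google Workspace,carol@example.com,admin,120
Google Workspace,dave@example.com,admin,2
Google Workspace,erin@example.com,user,5
Slack,alice@example.com,admin,1
Slack,bob@example.com,user,2
AWS,alice@example.com,admin,1
AWS,frank@example.com,admin,200
Notion,bob@example.com,admin,4
"""

MAX_ADMINS_PER_TOOL = 3   # assumed ceiling for this example
INACTIVE_DAYS = 90        # assumed "not actively using it" threshold


def load_rows(csv_text: str) -> List[Dict[str, str]]:
    """Parse the merged user export into dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_admins(rows: List[Dict[str, str]],
                 max_admins: int = MAX_ADMINS_PER_TOOL,
                 inactive_days: int = INACTIVE_DAYS) -> Dict[str, object]:
    """Return the admin register plus the two findings the review cares about."""
    admins_by_tool: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for row in rows:
        if row["role"].strip().lower() == "admin":
            admins_by_tool[row["tool"]].append(row)

    register: Dict[str, List[str]] = {}
    over_limit: Dict[str, List[str]] = {}
    inactive: List[Tuple[str, str, int]] = []
    for tool, admins in sorted(admins_by_tool.items()):
        users = sorted(r["user"] for r in admins)
        register[tool] = users                       # the "document who has admin" artefact
        if len(users) > max_admins:
            over_limit[tool] = users                 # candidates for demotion to user
        for r in admins:
            days = int(r["days_since_last_login"])
            if days > inactive_days:
                inactive.append((tool, r["user"], days))   # admin rights nobody is using
    return {"admin_register": register, "over_limit": over_limit, "inactive_admins": inactive}


def format_report(report: Dict[str, object]) -> str:
    """Render the audit as plain text suitable for pasting into the review doc."""
    lines = ["Admin register:"]
    for tool, users in report["admin_register"].items():
        lines.append(f"  {tool}: {', '.join(users)}")
    lines.append("Tools over the admin ceiling:")
    for tool, users in report["over_limit"].items():
        lines.append(f"  {tool} ({len(users)} admins)")
    lines.append("Inactive admins:")
    for tool, user, days in report["inactive_admins"]:
        lines.append(f"  {user} on {tool}: last sign-in {days} days ago")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_admins(load_rows(SAMPLE_CSV))))
```

Save the output with the date each quarter; the diff between two runs is the review record, and any name appearing under "over the admin ceiling" or "inactive admins" is the list of permissions to remove.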
8. No documentation
Why it happens: The person who set things up knows how they work. That feels like enough. Until that person goes on vacation, gets sick, or leaves the company.
The risk: All IT knowledge living in one person's head is a single point of failure. If they're unavailable, nobody knows how to reset passwords, provision accounts, manage the MDM, or respond to a security incident. This also makes it nearly impossible to hand off IT to a new hire or contractor.
How to fix it: Document the critical stuff. Start with: how to provision a new employee, how to offboard someone, how to reset passwords, what tools are in use and who admins them, and where credentials are stored. A Notion page or Google Doc is fine. It doesn't need to be fancy. It needs to exist.
9. Ignoring security questionnaires from customers
Why it happens: A customer sends a 200-question security questionnaire. Nobody on the team knows how to fill it out. It gets deprioritized or filled out with aspirational answers that don't reflect reality.
The risk: You either lose the deal or sign up for commitments you can't actually meet. If you claim to have encryption policies and incident response plans but don't, that's a liability issue if something goes wrong.
How to fix it: Take the first questionnaire seriously. Use it as a forcing function to actually implement the basics: MFA enforcement, encryption, access controls, offboarding processes, and an incident response plan. Once you've done the work, future questionnaires are easy because you can reuse your answers. Keep a master document of your security posture that you update quarterly.
10. Waiting too long to get help
Why it happens: Founders think IT is something you figure out when you're "big enough." They keep handling it themselves because hiring feels premature.
The risk: Technical debt compounds. Every month without proper IT makes the eventual cleanup more expensive and more painful. The gap between "we should probably do something about IT" and "we need to do something about IT right now" is usually a security incident, a failed compliance questionnaire, or a new hire who can't work for a week.
How to fix it: Get help earlier than you think you need it. You don't need a full-time hire at 20 people. A fractional IT contractor on a monthly retainer can handle everything from setup to ongoing management at a fraction of the cost. The best time to start was six months ago. The second best time is now.
The pattern
Notice the thread running through all ten mistakes: they're all symptoms of nobody owning IT. Each one is reasonable in isolation. A founder at a 10-person company shouldn't be worrying about MDM enrollment policies.
But these things accumulate. By the time you're at 30 or 50 people, the accumulated technical debt is significant. The longer you wait, the more expensive the cleanup.
If you're reading this list and checking off more than three items, it's time to get someone focused on it. Whether that's a full-time hire, an MSP, or a fractional contractor depends on your situation. But doing nothing isn't free. It's just invisible.