The single-person IT risk: what happens when your IT person is out?

In many Swiss SMEs the IT runs surprisingly smoothly, as long as one particular person is reachable. An employee who looks after the server on the side, or an external one-man operation who has known everything for years. It works well, until it does not. Because this person is not only your IT support, they are also your single point of failure.

Why one person is not enough

Modern IT has become broad. Firewall, backup, Microsoft 365, network, telephony, cloud, security, plus a constant stream of new vulnerabilities that need patching quickly. A single person can never cover all of that in full depth, no matter how good they are. They can only prioritise, and in day-to-day business exactly what does not hurt acutely gets left undone, until it suddenly does.

The emergency is mundane, not dramatic

It does not take a cyberattack for the risk to surface. A bout of flu, two weeks of holiday, a resignation or a change of external provider is enough. Suddenly no one knows where the backups are, which password opens access to the firewall or how the VPN connection to the branch office is configured. What was convenience before, all the knowledge in one head, becomes a standstill when that person is out.

This is exactly where the real problem shows: when a critical vulnerability becomes known and the update should be applied immediately, but the only person who can do it is not reachable, then your company is left exposed, not through negligence, but through lack of staff.

Knowledge that sits in one head only is not knowledge, it is a risk

The underestimated topic is documentation. A single person rarely documents without gaps, because they know everything anyway. If they are gone, not only the workforce is lost, but the entire memory of your IT. The successor or the new provider then does not start from zero, but from below it, because they first have to reconstruct what no one wrote down before.

What you should do

• Check whether your IT depends on a single person, and what concretely happens if they are out for two weeks.
• Make sure accounts, passwords and configurations are properly documented and do not only exist in one head.
• Secure critical areas such as firewall, backup and security so that at least two parties can look after them.
• Clarify who covers updates and emergencies when the main person in charge is unreachable, at night and on weekends too.

The point

An internal IT person is valuable, but they should not be the single point on which everything hangs. This is not about replacing them, but about relieving and backing them up. The skills shortage does not make it easier: by 2030 Switzerland is expected to be short of around 39,000 IT professionals, and the very person who carries everything today may be hard to replace tomorrow.