If your entire business technology operation depends on one person, you already have a problem — even if nothing has gone wrong yet. Here's what you need to know.
It usually goes like this. Your IT person heads out for a week in July. You know where they're going, you wish them well, and you figure nothing major will come up. And then, somewhere around Day 3, a server crashes, a user gets locked out of a critical system, or ransomware starts doing its thing.
Now what?
In 30+ years of doing this work, I've seen the vacation scenario play out more times than I can count. Sometimes it ends fine — the problem waits, or someone manages a workaround. But too often it turns into a real crisis, and the only person who could fix it is on a beach somewhere.
Here's what I want small business owners to understand: this isn't really about vacations. A vacation is just the most visible version of a much bigger problem. The problem is that your business has a single point of failure — one human being who carries all the knowledge, all the access, and all the responsibility for your technology. And that is a genuinely fragile way to run a business.
Let's talk about what the actual risks are, and what you can do about them.
A planned vacation is actually the best-case version of this scenario. At least you know they're going to be unavailable. You have time to prepare. You can nudge people to update passwords beforehand, write down a few critical procedures, make sure nothing urgent is pending.
But even with all that prep, businesses still get into trouble. The email server starts sending error messages that nobody knows how to interpret. A Microsoft 365 license goes unpaid and suddenly nobody has Outlook. The VPN stops working and your remote employees are stranded. These aren't exotic failure modes — they're the everyday stuff that only your IT person knows how to handle.
And when they're gone, you find out pretty quickly how much invisible knowledge they were carrying in their head. Things that were never written down because, well, they always just handled it.
Now ask yourself: what happens when the unavailability isn't planned?
Vacation is scheduled. Illness isn't. Neither is a family emergency, a car accident, or a hospitalization. Your IT person is human. They get sick. Life happens to them the same way it happens to everyone else. The question is whether your business is set up to survive a week or two without them — not because you planned for it, but because you had no choice.
I've walked into businesses in exactly this situation. The IT person got sick, was out for three weeks, and nobody could do anything. Employees were calling them at home while they were running a fever. Problems were piling up. Things that should have taken an hour to fix took three days because nobody had the right access or knew the right procedure.
There's also the scenario I call "the call that doesn't come." Your IT person isn't managing your systems actively — they're just available when you need them. So when something starts going wrong silently (a backup that stopped working, a disk that's filling up, a security event that's generating alerts nobody is reading), there's no one monitoring it. The problem compounds quietly until it becomes a catastrophe. And then you find out your IT person wasn't watching things as closely as you assumed.
These situations are uncomfortable to think about. But the discomfort of thinking about them now is a lot cheaper than the discomfort of living through them later.
If sick days are the medium-risk scenario, an unexpected departure is the high-risk one.
Your IT person gets a better offer somewhere else. Or they burn out. Or they retire after fifteen years and figure two weeks' notice is plenty. And suddenly you're looking at a transition that would have taken months to plan properly, and you have two weeks — or less — to make it happen.
Here's what that usually looks like in practice. You scramble to find someone new. The outgoing IT person does their best to hand things off, but "doing their best" means a rushed document with half the important passwords and a verbal walkthrough of systems they've been managing for years. The new person spends months discovering things they didn't know they didn't know. Meanwhile, things break, and you're paying the new provider to spend hours figuring out infrastructure they've never seen before. Which means you're paying more, for worse service, for longer than you expected.
And that's assuming the departure is amicable. What if it isn't?
I've seen situations where a disgruntled IT person left with all the passwords. Or didn't hand them over. Or simply stopped being responsive. In a few cases, businesses ended up locked out of their own systems — their own email, their own servers, their own domain name — because everything was registered under the IT person's accounts and nobody ever thought to change that.
This isn't a hypothetical. It happens. And the legal and operational fallout is ugly.
The simplest thing you can do right now — today — to reduce your exposure is to make sure your IT is documented and that documentation is accessible to you, not just to your IT person.
At a minimum, you should know and have recorded:
If you don't have this information, ask for it. A good IT provider will give it to you without hesitation. They may even already maintain it in a documentation system and can hand you a copy. If your IT person resists giving you access to your own credentials and infrastructure information, that's a serious red flag — we write about this in our post on signs you've outgrown your IT provider.
Documentation won't solve everything. But it means that when your IT person is unavailable, you're not completely blind. Someone — even a new provider you bring in on short notice — can figure out what's going on and start making progress.
Documentation is the floor. The ceiling is a real managed service — one where your business doesn't depend on any single person being available.
Here's what that looks like in practice:
Monitoring that doesn't sleep. Your systems should be monitored around the clock by tools (and people reviewing those tools) that catch problems before they become crises. Not "my IT guy checks in once a week," but continuous monitoring of server health, backup status, security events, and network performance. When something starts going sideways at 11pm on a Wednesday, you want an alert going out — not a discovery three days later when someone can't log in.
A team, not a person. A well-run IT provider has more than one person who can handle your account. When your primary contact is on vacation, someone else picks it up. The knowledge about your systems lives in documented systems and shared platforms, not in one person's memory. Coverage is built into the model, not bolted on as an afterthought.
Credentials your business owns. Every admin account, every software license, every domain registration should be owned by your business — not by the IT provider, not by an individual employee. Your IT partner manages these things on your behalf, but the access belongs to you. This is non-negotiable.
A clear escalation path. If the primary contact isn't available, there's a defined path: who to call, what the response time commitment is, and how urgent issues get escalated. Not "call my cell and if I don't pick up, I'll get to it when I can."
This is what managed IT services are supposed to deliver. Not all providers do it well — it's worth asking specifically how they handle coverage when the primary person on your account is unavailable. Their answer will tell you a lot. You can also read our IT Buyer's Guide for more questions worth asking before you sign anything.
Here's a quick way to gauge where you stand. Answer these honestly:
If your IT person was unreachable for two weeks starting tomorrow, could your business keep operating? Not just limping along — actually operating? Email, remote access, phones, file access, point-of-sale, whatever your business runs on?
Do you know every admin password and where it's stored? Not "my IT person knows." Do you know, or does someone at your company know?
Is your domain name registered to your business or to your IT person? Log in to your registrar and check. Seriously, go check right now if you're not sure.
If your IT person left today, could someone else step in and understand your setup within a week? Is there enough documentation for a new provider to get oriented without spending months discovering surprises?
Is anyone watching your backups? Not just running them — actually checking that they're completing successfully, testing restores periodically, and verifying the data is usable?
If you answered "I'm not sure" or "no" to any of those, you have work to do. The good news is that none of this is especially complicated to fix. It mostly takes time, intention, and a provider who's willing to do it right. If you're concerned about your current security posture more broadly, our free cybersecurity guide is a good place to start getting a handle on the full picture.
The bad news is that "we'll get to it eventually" has a way of turning into "we found out the hard way." I've watched it happen too many times to count. The businesses that weather IT crises well aren't the ones that got lucky — they're the ones that did the boring work of building redundancy before they needed it.
Don't wait for the vacation, the sick day, or the resignation letter to find out how exposed you are.