Nobody Is Coming to Fix Your Website
In June 2026 the same 150 Australian small-business sites medianed A+ on technical SEO and F on security. The difference is what was on the launch checklist.
Somewhere in your filing system is an invoice from the people who built your website. Have a look at the date on it. Now ask yourself when anyone last touched the machinery behind that site — not the photos, not the prices, the machinery. For most of the small-business owners I talk to, both answers are the same year. And it isn’t this year.
Somewhere in your filing system is an invoice from the people who built your website. Have a look at the date on it. Now ask yourself when anyone last touched the machinery behind that site — not the photos, not the prices, the machinery.
For most of the small-business owners I talk to, both answers are the same year. And it isn't this year.
The A+ and the F
Our June 2026 Posture Research scanned 150 Australian small-business domains, and one comparison from that edition has been rattling around my head since. The same cohort of sites medianed A+ on visibility — titles, mobile viewports, sitemaps, all the technical SEO basics — and F on web security (Red Bridge Cyber SMB Posture Baseline, June 2026).
Same sites. Same builders. Near-perfect on one category, failing the other. That gap is not a skill problem. The people who built these sites clearly knew what they were doing — 99% got the page titles right, 94% set up sitemaps. The gap is a checklist problem. Search visibility was on the launch checklist, because the client can see it and ask about it. Security headers weren't, because no client has ever rung their web agency to ask where the Content-Security-Policy is.
What gets you paid gets done. What's invisible gets skipped. I don't say that as a criticism of web developers; it's just incentives doing what incentives do.
The half-finished fingerprint
There's a second number in the June 2026 edition that tells you something more specific: 83% of small businesses publish a DMARC record, but only 43% enforce one (Red Bridge Cyber Posture Research, June 2026).
Think about what that gap is. Publishing a DMARC record in monitoring mode is step one of a two-step job. Someone — a developer, an IT contractor, a Microsoft 365 setup wizard — started the work, set it to "watch and report", and intended to come back and switch it on properly once the reports looked clean.
Forty percent of Australian small-business domains are sitting in the gap between step one and step two. That's not negligence. That's the archaeological record of projects that ended — contractors who rolled off, engagements that closed, setup wizards that never followed up. Each of those records is a fossil of the moment somebody stopped being paid to care.
Who you think is handling it
When I ask an owner who looks after their website security, I get one of four answers: my web guy, my hosting company, my IT person, or a slightly long pause.
Here's the uncomfortable audit of those answers. The web agency's engagement ended at launch; their maintenance plan, if you have one, covers "the site is up and the plugins are updated" — read it and see.
The hosting company sells uptime; their security obligation largely ends at their own infrastructure. The IT person manages your laptops and your email accounts, and in all my years working alongside outsourced IT providers I've rarely met one who considered the marketing website their territory. It sits in the gap between everyone's job description.
I watched this exact gap on large infrastructure projects for three decades — airports, stadiums, data centres. The hand-over phase is where security posture goes to die, because the builders leave, the operators assume the builders handled it, and the documentation says whatever it needed to say to close out the contract. A five-person business has the same gap; it's just nobody writes a lessons-learned report about it afterwards.
And the pause — the fourth answer — is at least honest. The pause is where improvement starts.
What ownership actually costs
Faced with all this, the reflex is to buy something: a maintenance plan, a monitoring tool, a consultant. Sometimes that's right. But ownership comes before procurement, and ownership is cheaper than you think.
You don't need to become technical. You need to know which questions have good answers. Is HTTPS enforced? Is DMARC enforcing, or still in monitoring mode after three years? Are the basic response headers set? Every one of those can be checked from a normal browser with free third-party tools like securityheaders.com — we keep a plain-English explainer on the free scanners and a rundown of what actually matters first. An hour with those, and you'll know more about your own public surface than most of the businesses we scanned in June 2026.
Then, when you do pay someone to fix what you found, you're buying labour you can verify instead of assurance you can't. Run the same check after the invoice. Watch the F become a C. That feedback loop — check, fix, re-check — is the entire trick, and it's available to a bakery the same as it is to a bank.
The people who built your website have moved on. They were always going to; that's what projects do. The site, though, is still yours — same as the lease, same as the till. When the invoice from five years ago is the last evidence anyone touched the machinery, whose signature is on the risk?
Sources
- Red Bridge Cyber, SMB Posture Baseline, June 2026
- Red Bridge Cyber Posture Research, June 2026
- Security Headers (Probely), free response-header checker — retrieved 12 June 2026