What Counts as “Good Enough” IT Security Depends on Your Business Risk
Are you doing enough when it comes to IT and security? When we speak to businesses across Western Canada, these are some of the areas we review first. Each one is tied to business risk, not just part of a technical checklist.
1. Are You Defending Your Reputation and Revenue?
For some businesses, a compromised email account is an inconvenience. For others, it’s a direct hit to credibility and client trust. If your operations rely on confidentiality, contractual integrity, or fast response times, then even small breaches can result in reputational and financial damage. MFA and patching aren’t just technical hygiene – they’re the front line of protecting how your business is perceived and how reliably it can operate. We have seen breaches lead to delayed services and lost contracts, all because MFA wasn’t turned on.
In regulated industries, failing to enforce MFA or apply updates can also result in non-compliance with industry standards or contractual obligations.
What to ask your IT provider:
• Confirm MFA is enforced everywhere – email, file storage, remote access, and admin tools.
• Review your update and patching policies and ensure devices aren’t running outdated software.
• Talk with your IT partner about what business systems would be most impacted by a breach.
2. Do You Know What You’re Protecting – and Who Has Access?
Every business holds sensitive data, but the type and volume vary. For a professional services firm, it might be client records and contracts. For a manufacturer, it could be intellectual property and supplier pricing. Without a clear understanding of what data you hold and who can access it, you’re relying on trust rather than controls. Businesses with higher staff turnover or external partners need more structured access reviews and tighter controls on file sharing.
For businesses subject to privacy or data residency laws, having uncontrolled access to sensitive information can lead to compliance issues – especially if client data crosses borders or is left accessible to former staff.
What to ask your IT provider:
• Identify where core data lives (ERP, CRM, finance, cloud drives) and document who can access it.
• Review permissions quarterly – especially when roles or projects change.
• Make deprovisioning part of your offboarding checklist.
3. Can You Recover Quickly from an Attack or Outage?
The ability to recover isn’t just about IT – it’s about how fast your business can return to operations. A small firm might need to recover a few core apps. A larger team with client-facing systems or high transaction volume will have much more at stake. If you’re not sure how long recovery would take – or whether it would even work – then the risk is likely higher than you think. Backups are only useful if they’re accessible, tested, and prioritized based on what the business needs first.
Some compliance frameworks require proof of tested backups and documented recovery plans. If you’re in finance, healthcare, or insurance, this isn’t optional.
What to ask your IT provider:
• Set up automated backups, test the backup and restoration regularly, and provide reporting to demonstrate it works.
• Document which systems need to be restored first and how long it would take.
• Include ransomware and server outages in recovery drills.
4. Are You Watching for Trouble – Or Just Hoping for the Best?
Real-time visibility makes a difference in how quickly you can respond to issues. If you’re a 20-person team with stable systems, basic monitoring might be enough. If you have remote workers, shared admin roles, or sensitive financial data, the need for alerts and log reviews is much higher. Too often, businesses assume someone is watching – when in reality, logs aren’t even turned on. A well-configured alert could be the only thing standing between an attempted login and a successful breach.
What to ask your IT provider:
• Make sure alerting is active for admin sign-ins, account lockouts, or unusual behavior.
• Set regular reviews for audit logs in Microsoft 365 or other cloud tools.
• Ask your provider to walk you through your current monitoring setup.
5. Are Your People Cyber-Smart?
People remain one of the most unpredictable parts of any security strategy. A business with five staff might rely on informal conversations and reminders. A growing team with new hires, departments, and changing roles needs a formal plan. The risk also increases if you handle payments, sensitive client data, or confidential business information. Awareness training and reporting tools can significantly reduce risk – but only if they’re current and actually used.
In many industries, basic security awareness training is no longer a nice-to-have – it’s a compliance requirement.
What to ask your IT provider:
• Offer short, recurring training – especially around phishing, MFA, and business email compromise.
• Make reporting suspicious emails simple (e.g., a Report button in Outlook).
• Share real examples of scams targeting your industry or region.
6. Are You Treating Cybersecurity Like a Business Imperative?
The more essential IT is to your business model, the more integrated security planning needs to be. If you rely on cloud apps, client portals, or remote access to deliver your services, then cybersecurity isn’t just an IT issue – it’s a business continuity issue. A leadership team that sees security as an operational risk will make different decisions than one that sees it as a checklist. That includes who owns the responsibility and how it’s reviewed.
What to ask your IT provider:
• Include cybersecurity in board or leadership updates.
• Assign a named executive responsible for staying aligned with your IT provider.
• Make recovery and communication plans part of broader business risk management.
Most businesses don’t need every security tool available – but they do need a strategy that fits the risks they actually face. Start by making sure you’re asking the right questions, and that your IT provider is giving answers that connect security to business continuity, compliance, and growth.
Ready for a more complete approach to security and managed IT?
Horizon works with small and mid-sized businesses across Saskatoon, Regina, Winnipeg, Edmonton, and Calgary to align IT support, security, and strategy with the needs of your business. Whether you need a second opinion or ongoing support, our managed IT services are designed to help you plan ahead, reduce downtime, and stay secure.