How Do You Know If Your Cybersecurity Is Actually Working Before Something Goes Wrong?


Most business owners believe their cybersecurity is handled. Their IT provider has things in place; antivirus is running, MFA is set up, and that’s usually where the conversation ends. But there’s a question worth asking: which accounts actually have MFA turned on? Email? Remote access? Admin accounts? Line-of-business applications? 

For most businesses, that question doesn’t have a clean answer, and it’s rarely because nobody cares. It’s because nobody has ever mapped it out. What’s fully protected, what’s partially protected, and what’s just assumed to be covered are three very different things. And the difference tends to surface at the worst possible time, usually not during a breach, but during a cyber insurance audit. 

That is the difference between feeling covered and being covered. 

What Most IT Companies Will Not Say Out Loud 

There is no one tool that solves cybersecurity. Good security is layered because when one misses, another one catches it. That is how it is supposed to work.

But not every company needs the exact same security stack. A housing authority, an insurance agency, a manufacturer, and a small office do not have the same risk profile. They do not have the same compliance pressure. They should not all be sold the same answer. 

The real question is not whether you have enough security. It is whether you have the right security for your business and whether someone can prove it.

Your Cyber Insurance Policy Is Telling You More Than You Think 

One of the most practical ways to judge your cybersecurity is to look at your cyber insurance application. Read the questions carefully. They are not asking them for fun. They are asking because they know where businesses are weak.

They want to know whether MFA is actually in place. They want to know how backups are handled. They want to know whether employees are being trained. They want to know if you have endpoint detection, response plans, and documented controls.

Because vague answers cost money. You either pay for it in higher premiums, or you find out during a claim that what you thought was covered was never really covered the way you believed.

That is a bad day for any business owner.

What “Working” Actually Looks Like 

This is where the conversation needs to get practical. Cybersecurity is not working because someone says it is. It is working when the protections are in place, documented, reviewed, and aligned with the business. It should be clear what you have, what it is doing, and where the gaps are. 

  1. Backup and Disaster Recovery

Most businesses have some kind of backup in place, but that alone does not mean they are protected. The real question is whether the backup has been tested and whether it can actually be restored when you need it. It also means understanding how long recovery will take and how much data you are willing to lose if something happens between backup points. 

If your backups run overnight and you get hit late in the afternoon, what is your exposure? How many hours of work are gone? How much disruption can the business tolerate? 

That is not just a technical question. That is a business decision. Most owners have never been asked to think about it that way, and that is exactly why so many backup conversations stay too shallow. 

Here is the honest answer. Not every business needs backups running every few minutes. If you only run backups once every 24 hours and that lines up with what the business can realistically afford to lose, that may be perfectly reasonable. But if losing everything from midnight to 5 PM would create a major operational, financial, or customer problem, then a once-a-day backup is probably not enough. Whatever amount of data loss you can tolerate should set how often your backups run. That is the tradeoff.
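The tradeoff above can be checked rather than guessed at. The following is an added example (not code from the original post or from Datasmith) that takes a list of completed-backup timestamps and an incident time, reports how many hours of work sit between the last usable backup and the incident, and tests whether the schedule's worst-case gap stays within the loss the business says it can tolerate. The nightly and four-hourly schedules, the 5 PM incident and the tolerance figures are constructed sample inputs.

```python
"""Backup schedule versus data-loss tolerance check.

Added example, not code from the original post or from Datasmith. It models
the question the section asks: if backups complete at fixed times and an
incident happens at some hour, how much work is exposed, and does the
schedule meet the loss the business can tolerate? All schedules, incident
times and tolerances used here are constructed sample values.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional


def last_completed_backup(backups: Iterable[datetime], incident: datetime) -> Optional[datetime]:
    """Most recent backup that finished at or before the incident, or None."""
    before = [b for b in backups if b <= incident]
    return max(before) if before else None


def exposure_hours(backups: Iterable[datetime], incident: datetime) -> Optional[float]:
    """Hours of work created since the last usable backup (the realised loss window)."""
    last = last_completed_backup(backups, incident)
    if last is None:
        return None
    return (incident - last).total_seconds() / 3600


def worst_case_exposure_hours(backups: List[datetime]) -> float:
    """Largest gap between consecutive backups: the most an incident could cost."""
    ordered = sorted(backups)
    if len(ordered) < 2:
        raise ValueError("need at least two completed backups to measure a gap")
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(ordered, ordered[1:])]
    return max(gaps)


def schedule_meets_tolerance(backups: List[datetime], tolerance_hours: float) -> bool:
    """True if no point in the schedule is further than the tolerance from a backup."""
    return worst_case_exposure_hours(backups) <= tolerance_hours


def daily_schedule(start: datetime, days: int, hours: List[int]) -> List[datetime]:
    """Generate completed-backup timestamps at the given clock hours for N days."""
    base = start.replace(hour=0, minute=0, second=0, microsecond=0)
    return [base + timedelta(days=d, hours=h) for d in range(days) for h in hours]


def report(backups: List[datetime], incident: datetime, tolerance_hours: float) -> Dict[str, object]:
    """Summarise exposure for one incident and the schedule as a whole."""
    return {
        "exposure_hours": exposure_hours(backups, incident),
        "worst_case_hours": worst_case_exposure_hours(backups),
        "meets_tolerance": schedule_meets_tolerance(backups, tolerance_hours),
    }


if __name__ == "__main__":
    # Constructed scenario: nightly backups at midnight, incident at 5 PM on day two.
    nightly = daily_schedule(datetime(2024, 3, 4), days=3, hours=[0])
    hit = datetime(2024, 3, 5, 17, 0)
    print("nightly, 4h tolerance:", report(nightly, hit, tolerance_hours=4))
    every_four = daily_schedule(datetime(2024, 3, 4), days=3, hours=[0, 4, 8, 12, 16, 20])
    print("four-hourly, 4h tolerance:", report(every_four, hit, tolerance_hours=4))
```

Feed it the timestamps your backup tool actually records as completed, not the times it was scheduled to run; a job that silently failed last night should not count as a backup.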

  2. Endpoint and Network Protection

Antivirus alone is not enough anymore. Threats move too fast, and behavior matters more than signatures. Businesses need to know whether they have tools that can identify suspicious activity, not just known bad files that have already been cataloged. 

Just as important, someone needs to be reviewing the alerts those tools generate. If a system is flagging suspicious activity but nobody is paying attention, that is not protection. That is noise. A lot of businesses feel good because there is a tool installed, but the bigger question is whether anyone is actively watching, responding, and tying that activity back to real business risk. 

Here is the other side of it. Not every business needs the biggest, most expensive security stack on day one. A smaller company with limited exposure and a tight budget may start with more basic protections. That can be a reasonable place to begin. But the more sensitive the data, the more remote access you have, the more users you support, and the less tolerance you have for downtime, the more important it becomes to move beyond basic antivirus and into something that includes real detection and response. The mistake is not starting small. The mistake is staying too small for too long without understanding the risk. 

  3. Multi-Factor Authentication

MFA is one of the best controls a business can put in place, but saying “we have MFA” is not the same as knowing it is fully deployed where it matters. The real question is where it is enabled. Is it protecting email, VPN, remote access tools, Microsoft 365, admin accounts, and your line-of-business applications? 

This is where many businesses get surprised. MFA is often turned on in a few important places, but missing in the exact areas that would create the biggest problem if compromised. That is not full protection. That is partial protection. And partial protection has a way of sounding a lot better on paper than it feels during an actual incident. 

The honest answer here is that many businesses roll MFA out in phases. That can be reasonable. Not everything has to happen at once. But the highest-risk systems should not be left for later. Email, remote access, admin accounts, and core business platforms are too important to leave exposed. If lower-risk tools get phased in over time, fine. But businesses should not confuse a partial rollout with full coverage. Those are two very different things. 

  4. Security Awareness Training

Phishing is still one of the easiest ways into a business, and that is not changing anytime soon. If your training consists of a yearly video and a checkbox, that is not a real program. It may satisfy a requirement on paper, but it does not do much to improve behavior. 

Real awareness training is ongoing. It includes testing. It includes simulated phishing. It includes identifying who is clicking, where the weaknesses are, and how to improve over time. Business owners often assume this is being handled because someone said the company offers training. That may be true. But you should know what that actually means in practice. 

That said, not every business needs an elaborate training program with constant campaigns and layers of reporting. For some organizations, a simpler approach with regular reminders, periodic testing, and practical follow-up may be enough. For others, especially those with compliance requirements, financial data, tenant data, healthcare data, or high employee exposure to email threats, a more structured and ongoing program makes a lot more sense. The right answer depends on the risk, but once-a-year training by itself is usually more about checking a box than actually changing behavior. 

  5. Patch Management

A lot of breaches come from known vulnerabilities that were never patched. This is one of the most preventable problems in IT, which is also why it is so frustrating when businesses get caught by it. The question is not whether somebody says they handle patching. The question is whether it is documented, monitored, scheduled, and actually happening across the environment. 

You should be able to get a clear answer on what is being patched, what is excluded, how exceptions are handled, and who is accountable for following through. If nobody can explain that in plain English, then there is a gap. It may be small, or it may be a serious one, but either way it should not be left sitting in the dark. 

Here is the honest nuance. Good patching does not always mean every update gets pushed immediately. Some updates need to be reviewed and tested, especially when line-of-business applications, specialty hardware, or firmware are involved. That is normal. But delaying patches without a process is where trouble starts. A business may decide to be more cautious in certain parts of the environment, and that can be the right call. It just needs to be intentional, documented, and monitored. “We did not get to it” is not a strategy. 
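The rule in this section, that a host may lag the patch window only when the delay is intentional, documented and still being watched, can be expressed as a simple review. The following is an added example (not code from the original post or from Datasmith's tooling): it takes a host inventory with last-patched dates, a per-role patch window, and an exception register with owners and expiry dates, and sorts hosts into compliant, covered by a live exception, covered only by an expired exception, or overdue with no explanation at all. The hosts, roles, window lengths and exceptions are constructed sample data.

```python
"""Patch-status review against a documented exception register.

Added example, not code from the original post or from Datasmith. It sorts
hosts by whether they are inside their patch window and, if not, whether a
documented, unexpired exception explains the delay. Hosts, windows and
exceptions below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class Host:
    name: str
    role: str          # key into the patch-window table
    last_patched: date


@dataclass
class PatchException:
    host: str
    reason: str        # why the delay is intentional
    owner: str         # who is accountable for revisiting it
    expires: date      # exceptions must be re-approved, not left open forever


# Constructed per-role windows (days) for this example.
PATCH_WINDOW_DAYS: Dict[str, int] = {"workstation": 14, "server": 30, "firmware": 90}


def days_overdue(host: Host, today: date, windows: Dict[str, int]) -> int:
    """Days past the host's patch window; 0 if it is still inside the window."""
    return max(0, (today - host.last_patched).days - windows[host.role])


def review(hosts: List[Host], exceptions: List[PatchException], today: date,
           windows: Dict[str, int] = PATCH_WINDOW_DAYS) -> Dict[str, List[str]]:
    """Group host names by patch status; only 'unexplained' and 'expired_exception' need action."""
    active = {e.host for e in exceptions if e.expires >= today}
    expired = {e.host for e in exceptions if e.expires < today} - active
    result: Dict[str, List[str]] = {
        "compliant": [], "excepted": [], "expired_exception": [], "unexplained": []
    }
    for h in hosts:
        if days_overdue(h, today, windows) == 0:
            result["compliant"].append(h.name)
        elif h.name in active:
            result["excepted"].append(h.name)
        elif h.name in expired:
            result["expired_exception"].append(h.name)
        else:
            result["unexplained"].append(h.name)
    return result


# Constructed sample inventory and exception register.
SAMPLE_HOSTS = [
    Host("ws-01", "workstation", date(2024, 5, 25)),
    Host("ws-02", "workstation", date(2024, 4, 20)),
    Host("srv-erp", "server", date(2024, 3, 15)),
    Host("fw-core", "firmware", date(2024, 1, 10)),
]
SAMPLE_EXCEPTIONS = [
    PatchException("srv-erp", "vendor certifies ERP updates quarterly", "ops-lead",
                   date(2024, 6, 30)),
    PatchException("fw-core", "firmware change waits for maintenance window", "net-lead",
                   date(2024, 5, 1)),
]

if __name__ == "__main__":
    for status, names in review(SAMPLE_HOSTS, SAMPLE_EXCEPTIONS, date(2024, 6, 1)).items():
        print(f"{status:18} {', '.join(names) or '-'}")
```

The two lists worth a weekly look are the unexplained hosts and the expired exceptions: the first is "we did not get to it", the second is an intentional delay that has quietly stopped being reviewed.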

  6. Documentation

Documentation is one of the least exciting parts of IT, and one of the most important. If there is an issue and the person who normally handles your systems is unavailable, what happens next? Does anyone know how the environment is configured? Do they know where the backups are? Do they know what vendors are involved, how the network is laid out, and how critical systems get restored? 

Undocumented environments are harder to support, slower to recover, and more expensive when something goes wrong. A lot of businesses never think about documentation until there is a problem. By then, it is too late to wish it existed. 

The honest answer is that not every company needs a giant library of documentation. A smaller business with a simpler environment may not need pages and pages of diagrams and procedures. But every business needs enough documentation that another qualified person could step in and get their bearings without starting from zero. The right amount depends on complexity, but “it is all in one person’s head” is never a good plan. 

  7. Incident Response

Every business should be able to answer a simple question: what happens the day something actually goes sideways? Who gets called first? Who decides whether a system gets shut down? Who communicates internally? Who deals with the insurance company, legal counsel, or customers if needed? 

The plan does not need to be fancy. It does need to exist. If these decisions are being made in the middle of a real incident, you are already behind. This is one of those areas where a little planning up front can make a huge difference in how much damage gets done later. 

And here is the honest part. A 15-person business does not need the same incident response playbook as a large regulated organization. That is fine. The plan can scale to the size and risk of the business. But even smaller companies should know the first moves, the key contacts, and who is responsible for making decisions. The document does not need to impress anybody. It just needs to work when the pressure is on. 

  8. Cyber Insurance

Cyber insurance is not security. It is the thing you hope helps when security was not enough. But insurers have gotten much stricter, and for good reason. If you cannot show that controls are in place, the policy may not respond the way you expect it to. 

That is why the documentation matters. That is why the evidence matters. That is why “I think we have that” is not a good answer. When the pressure is on, assumptions do not help much. 

The other side of that is this: not every business needs the same level of cyber insurance coverage. A smaller company with limited exposure may need something very different from a business handling sensitive records, financial data, regulated information, or large volumes of customer data. The goal is not to buy the most expensive policy. The goal is to make sure the coverage actually matches the business and that the information used to get that policy is accurate. A cheaper policy is not a bargain if it falls apart when you need it. 

The Real Risk Is Assumption 

The businesses that get caught off guard are not always the ones doing nothing. In many cases, they are doing something. They have tools. They have a provider. They have support. What they do not have is clarity. 

They assume their provider has it handled. They assume protections are complete. They assume backups are recoverable. They assume alerts are being monitored. They assume their insurance answers are accurate. That is a dangerous way to run something this important. 

Trust is fine. Blind trust is not. 

You should not have to take your IT company’s word for it. You should be able to see a documented baseline of what is in place today, what is missing, and what matters most based on your business, your risk, and your budget. You should be able to answer your insurance company with confidence, not with a guess. 

That is the standard business owners should expect. 

Where to Start 

The first step is not buying more tools. The first step is getting honest about where you stand. That means a real assessment. Not a song and dance. Not a scare tactic. Not a sales pitch disguised as a review. Just a straight look at what is in place, what is missing, what is partially done, and what decisions need to be made next. 

That is how we approach it at Datasmith. We do not assume every business needs everything. We do not throw a stack of products at the problem. We look at the environment, establish the baseline, identify the gaps, and help the client decide what makes sense for their business. 

Because before you spend more money on security, you should know what is actually working. 

And before something goes wrong, you should know where you stand. 

If you are not sure whether your cybersecurity is actually doing what you think it is doing, start with a straightforward assessment. We will show you what is in place, what is missing, and where the real risks are so you can make smart decisions before something forces the issue. 
