Three Questions to Ask Your IT Staff About Cybersecurity

Joe Malott

In many organizations and companies, the president, CEO, or CFO has the difficult responsibility of overseeing the IT department, if the company has one at all. We understand that it can be challenging. Your role is focused on business strategy, so we don’t blame our clients when they tell us about the disconnect they feel with their internal IT departments. Often you are put in a position where you simply have to take the word of your IT manager, and that can be unsettling.

As the responsible party, you face a simple question: when it comes to cybersecurity, how do you know that your organization is secure? Of course, we want to place the utmost trust in our IT department, but when someone comes to you asking questions, we want you to have the knowledge you need. Below are three questions, with a little background on each topic, so you can be confident when reporting to your board or company executives about the security of your company’s data and your role in managing the IT department.

1. When was our last software update and patch?

It is critical to keep all of your computers’ software and patches as current as possible. I know what you are thinking – that is great, but what is a patch!? Software companies, such as Microsoft, constantly release security updates and “patches” that fix known flaws in their products; these need to be applied to every computer on your network to keep it as secure as possible. When your patches and software are not up to date, those known flaws remain open, and you are significantly more vulnerable to viruses and malware.

PRO TIP: Request regular patch reports that you can keep on file should you ever need to prove your software is up to date. I strongly recommend this because it is a simple way to be sure your team is updating every computer on the network, rather than only taking their word for it. These reports may also come in handy when negotiating cybersecurity insurance.
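To make that patch report more than a piece of paper on file, it helps to have a simple way of reading it. The script below is an added example, not code from the original article or from Yeo & Yeo: it takes a report in an assumed format (one line per computer with the host name, the date its updates were last applied, and how many updates are still pending) and flags any computer that is behind. The sample report lines are constructed for the example, and the 30-day limit is an assumed threshold you would set with your IT staff.

```python
"""
Added example (not from the original article): a check that a business owner or
IT manager can run over a patch report to confirm that every computer on the
network is actually current, rather than taking anyone's word for it.

Assumed report format: CSV with a header line, then
    host,last_patched,pending_updates
The sample report below is constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample report (hypothetical host names and dates)
SAMPLE_REPORT = """\
host,last_patched,pending_updates
FIN-WS-01,2024-05-14,0
FIN-WS-02,2024-02-03,7
HR-LAPTOP-03,2024-05-10,1
SRV-FILE-01,2024-05-12,0
"""


@dataclass
class HostStatus:
    host: str
    last_patched: date
    pending_updates: int
    days_since_patch: int
    compliant: bool
    reasons: list = field(default_factory=list)


def parse_report(text):
    """Parse the CSV-style report into (host, last_patched, pending) tuples."""
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:  # skip the header line
        host, last, pending = [f.strip() for f in line.split(",")]
        rows.append((host, date.fromisoformat(last), int(pending)))
    return rows


def assess(report_text, as_of_iso, max_age_days=30):
    """Flag each computer whose last patch is older than max_age_days
    (assumed threshold) or that still has updates waiting to be installed."""
    as_of = date.fromisoformat(as_of_iso)
    results = []
    for host, last, pending in parse_report(report_text):
        age = (as_of - last).days
        reasons = []
        if age > max_age_days:
            reasons.append(f"last patched {age} days ago (limit {max_age_days})")
        if pending > 0:
            reasons.append(f"{pending} update(s) still pending")
        results.append(HostStatus(host, last, pending, age, not reasons, reasons))
    return results


def summarize(results):
    """Return (total computers, compliant computers, names needing attention)."""
    bad = [r.host for r in results if not r.compliant]
    return len(results), len(results) - len(bad), bad


if __name__ == "__main__":
    statuses = assess(SAMPLE_REPORT, "2024-05-20")
    total, ok, bad = summarize(statuses)
    print(f"{ok}/{total} computers current; needs attention: {', '.join(bad) or 'none'}")
    for s in statuses:
        if not s.compliant:
            print(f"  {s.host}: " + "; ".join(s.reasons))
```

Run against the sample, two of the four computers are current and two need attention, one of them both stale and carrying pending updates. A one-line summary like this is what you want to see on each report you file: a count, and the names of the exceptions.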

2. How susceptible are our employees to a phishing attack?

A phishing attack is a form of social engineering that cybercriminals use to deceive users and exploit weaknesses in your network security. These attacks often arrive as an email or instant message and look very real, but they lead to websites that can compromise your security or result in your data being held for ransom.

Bonus Question: What is our plan to reduce our vulnerability?

Among the organizations and companies we have worked with to determine their vulnerabilities, we have found that while their initial test results show a high level of vulnerability, there are proven, quick and efficient ways to train and educate employees to spot cybersecurity threats. The bottom line is that your company can purchase the most advanced firewalls and security software, but one wrong click could result in all the data on your network being hijacked by a ransomware virus.

Find out what percentage of your employees are phish-prone by requesting our phishing cybersecurity assessment. Contact us today to facilitate your phish-prone assessment and see how your organization compares to others in your industry.

3. What is our password policy?

It doesn’t take an IT whiz to figure out that the more complex your passwords are, the more difficult they are to crack. While a password policy is great, a complex password policy is preferred. We recommend your complex policy includes, but is not limited to:

  1. Change passwords on a regular basis – every 90 days.
  2. Set a minimum password length – for example, 14 characters.
  3. Require special characters and capital letters.

PRO TIP: Consider implementing a policy that recommends employees use “passphrases” rather than passwords, as they can be harder to crack but easier for the employee to remember.
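The three rules above are easy to turn into a check, which is also a useful way to see why the passphrase tip works. The script below is an added example, not code from the original article: it applies the article’s policy values (14 characters minimum, a 90-day rotation, at least one capital letter and one special character) to a password and to the date it was last changed, and estimates how much larger the brute-force search space is for a long passphrase than for a short “complex” password. The set of special characters, the decision to count a space as a special character (so that multi-word passphrases qualify), and the sample passwords are all assumptions made for the example.

```python
"""
Added example (not from the original article): checks a password and its age
against the article's recommended policy, and estimates brute-force search
space to show why length beats symbol-juggling.

Policy values come from the article; the special-character set, the treatment
of a space as a special character, and the sample passwords are constructed.
"""
import math
import string
from datetime import date

POLICY = {
    "min_length": 14,      # article: minimum 14 characters
    "max_age_days": 90,    # article: change every 90 days
    "require_upper": True,
    "require_special": True,
}
# Assumption: punctuation plus the space count as "special" so passphrases qualify.
SPECIAL = set(string.punctuation + " ")


def check_password(password, policy=POLICY):
    """Return a list of policy violations; an empty list means the password complies."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"only {len(password)} characters (minimum {policy['min_length']})")
    if policy["require_upper"] and not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if policy["require_special"] and not any(c in SPECIAL for c in password):
        problems.append("no special character")
    return problems


def check_age(last_changed_iso, as_of_iso, policy=POLICY):
    """Return (within_rotation_window, age_in_days) for the article's 90-day rule."""
    age = (date.fromisoformat(as_of_iso) - date.fromisoformat(last_changed_iso)).days
    return age <= policy["max_age_days"], age


def brute_force_bits(password):
    """Rough search-space estimate in bits: length * log2(size of the character
    classes actually used). Good enough to compare a short complex password
    with a long passphrase; it is not a measure of guessability by dictionary."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in SPECIAL for c in password):
        alphabet += len(SPECIAL)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed samples: a typical "complex" password and a passphrase.
    for pw in ["Summer2024!", "bluekettlesingsatdawn", "Blue kettle sings at dawn!"]:
        issues = check_password(pw)
        print(f"{pw!r}: {'OK' if not issues else '; '.join(issues)}; "
              f"~{brute_force_bits(pw):.0f} bits of search space")
    ok, age = check_age("2024-01-15", "2024-05-20")
    print(f"password age {age} days: {'within' if ok else 'past'} the 90-day window")
```

The short password meets the capital and special-character rules but fails on length, the all-lowercase passphrase fails on two rules, and the capitalised, punctuated passphrase passes all three while giving a search space roughly twice as many bits. That is the practical point behind the tip: a policy that rewards length lets employees pick something memorable that is still far harder to brute-force.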

Don’t be afraid to ask these questions to get a better understanding of how your company is currently handling the cybersecurity threat. Even if you are not directly responsible, if there is ever a cybersecurity attack on your company, someone will pay for it – figuratively, and literally. We want you to be prepared, so you can take comfort knowing that if (or grimly, when) the day comes, at least you can say you and your employees did everything you could.

You may not be an IT expert, but having a good understanding of your company’s cybersecurity policies doesn’t take years of IT experience; it just takes asking the right questions and ensuring the work is being done.

Are you interested in decreasing your vulnerability to a cyber attack? Learn how Security Awareness Training can help prevent attacks and protect your data by building up your human firewall.

Joe Malott

Joe Malott is an IT Consultant with Yeo & Yeo Computer Consulting, an affiliate of Yeo & Yeo CPAs & Business Consultants. He has more than 10 years of experience in the IT industry, with an emphasis on financial and government entities. He is a member of the firm’s Manufacturing Services Group. Contact Joe via email at or call 800.607.1446. Visit online at