Tag Archive for: Phishing Prevention

How Much Should You Spend on Cybersecurity in 2026?

For most businesses, the honest answer is: more than you are right now.

In an era where cyberattacks are increasing in both sophistication and frequency, allocating a strong IT and cybersecurity budget isn’t a luxury — it’s a necessity.

If 2026 is the year you plan to get serious about securing your business, this is the time to set aside budget, define priorities, and create clear goals for IT investments.

Why Many Businesses Underfund Cybersecurity

Studies show that very few businesses are spending enough on cybersecurity to protect themselves against modern threats. While general IT maintenance often gets budgeted, proactive security measures — like advanced threat detection, phishing prevention, and policy enforcement — are frequently overlooked.

The result? Many organizations remain vulnerable to attacks that could have been prevented with better planning and investment.

Setting Priorities for Your 2026 IT Budget

When mapping out your IT spending for next year, focus on initiatives that deliver measurable improvements to your security posture. Some top priorities to consider include:

1. Endpoint Detection and Response (EDR)

Modern EDR tools continuously monitor devices for suspicious activity and respond in real time to contain threats — a must-have for defending against ransomware and zero-day attacks.

2. Hardening Your DMARC Policy

A strong DMARC policy helps prevent email spoofing, a common gateway for phishing attacks. Tightening these controls protects your brand’s reputation and reduces inbound threats.

3. Phishing Awareness and Training

Employees remain your most targeted attack vector. Simulated phishing campaigns and ongoing awareness training can dramatically reduce risky clicks and improve reporting rates.

4. Strong Password and Access Policies

Standalone passwords aren’t enough anymore. Adopting modern guidelines—like those outlined in our recent post on [New NIST Password Rules for Businesses]—can ensure you’re following best practices for usability and security. These include favoring long passphrases over complex combinations, limiting password reuse, and avoiding frequent forced resets 

5. Framework Alignment with a Trusted Provider

If you’re unsure where to start, consider working with a managed IT and cybersecurity provider to align with established frameworks like CIS Controls. This gives your business a clear roadmap for improving security across all systems.

Making IT Budgeting an Ongoing Process

Budgeting for IT security shouldn’t be a once-a-year scramble — it should be an ongoing strategic conversation.

Set quarterly check-ins to track progress toward your goals, reallocate funds if needed, and adapt to emerging threats.

Want to learn more about how to prioritize your IT investments? Explore our Managed Services Page for details on how we help businesses secure their operations.

FAQs: Budgeting for IT in 2026

How much should a small business spend on IT and cybersecurity?

While needs vary, many experts recommend dedicating 5–10% of your total revenue to IT, with a significant portion focused on security.

What’s the difference between IT budgeting and cybersecurity budgeting?

IT budgeting covers all technology expenses — hardware, software, cloud services, and support. Cybersecurity budgeting focuses specifically on tools, training, and processes that protect against threats.

Why is endpoint detection so important?

Endpoints (laptops, desktops, mobile devices) are the most common entry points for attackers. EDR tools detect suspicious behavior and respond quickly to stop breaches before they spread.

Is phishing training really worth the investment?

Yes — phishing is still the #1 cause of breaches. Training employees to recognize and report suspicious emails is one of the highest ROI cybersecurity investments.

What is CIS framework alignment?

The CIS Controls are a set of best practices for securing IT systems and data. Aligning with them ensures you’re following proven steps to protect against the most common threats.

Avoiding a Cybersecurity Upset: How One Business Lost Big During Tax Season

March Madness isn’t just for basketball—it’s also the perfect metaphor for cybersecurity. In the world of college hoops, you can’t rely on last year’s strategies to win this year’s championship. Your competitors are constantly improving, analyzing past plays, and adjusting their tactics. The same applies to cybersecurity—especially for businesses handling sensitive financial data.

Unfortunately, one accounting firm learned this lesson the hard way last tax season. Before working with us, they believed their existing security measures were enough to protect them, but cybercriminals were playing a much more advanced game. Their lack of email security and data hygiene left them vulnerable, and when tax season rolled around, they suffered a devastating loss.

The Play-by-Play: A Costly Mistake

Everything seemed normal in early March. The firm’s accountants were busy filing returns and managing financial documents for their clients. Then, it happened—one of their employees received an urgent email that appeared to be from a longtime client requesting a tax return update. The email was well-crafted, used the client’s real name, and contained no obvious red flags. Without second-guessing, the employee responded, attaching sensitive financial documents.

A few days later, the real client called, confused. They hadn’t sent that email. It was a business email compromise (BEC) attack, and now, the cybercriminal had access to highly confidential tax documents, Social Security numbers, and financial records. By the time the firm realized what had happened, thousands of dollars were stolen in fraudulent tax refunds, and their reputation was on the line.

What Went Wrong?

Just like trying to rely on the same roster year after year in basketball, the firm was relying on outdated security strategies. Here’s where they fell short:

  • No DMARC Policy – Their email domain lacked proper authentication protections, allowing cybercriminals to spoof their email addresses and trick employees.
  • No Multi-Factor Authentication (MFA) – A hacker had previously compromised an employee’s email account, and without MFA, it was easy to use that access to gather more intelligence.
  • No Secure File Transfer Policy – Employees were sharing sensitive tax documents over email instead of using encrypted portals.
  • Lack of Employee Awareness – The firm had no regular cybersecurity training, so employees weren’t trained to spot sophisticated phishing scams.

Adjusting the Game Plan: How They Recovered

After the breach, they reached out to Go West IT for help, and we immediately stepped in to strengthen their cybersecurity, ensuring they never faced an upset like this again. We implemented:

DMARC, DKIM, and SPF Policies – To prevent email spoofing and ensure only legitimate emails were sent from their domain.

Multi-Factor Authentication (MFA) – Adding an extra layer of security for email logins and financial platforms.

Encrypted File Sharing – Transitioning the firm to a secure document-sharing platform rather than using email attachments.

Phishing Awareness Training – Conducting simulated phishing campaigns to test and train employees to recognize scams.

24/7 Email Monitoring – Installing advanced email security solutions to detect and block suspicious activity before it reaches employees.

Tax Season & Cybersecurity: Don’t Leave Your Business Vulnerable

Tax season is already stressful enough—don’t make it harder by leaving your business exposed to cyber threats. Cybercriminals are constantly evolving, just like the competition in March Madness. If your security strategy hasn’t been updated recently, you’re taking a gamble on your business.

Instead of guessing who might attack next, fortify your defenses. Let Go West IT help you develop a winning cybersecurity game plan that protects your business from tax fraud, email compromise, and financial theft.

Are your cybersecurity defenses ready for the next big game? Contact Go West IT today to ensure you’re prepared for whatever threats come your way.

Why Businesses Need to Act on DMARC Reject Policies Now

Email security is undergoing a major shift, and if your business relies on email communication (as most do), it’s time to pay attention. You may start hearing more about DMARC (Domain-based Message Authentication, Reporting, and Conformance) and its impact on email deliverability. Large email providers like Google and Yahoo are now enforcing stricter DMARC policies, requiring organizations to adopt better authentication measures—or risk having their emails rejected outright.

Ignoring these changes could mean disrupted communication with clients, vendors, and partners, increased susceptibility to email fraud, and damage to your business’s reputation. Here’s what you need to know and how to ensure your organization stays protected.

What is DMARC and Why Does It Matter?

DMARC is an email authentication protocol designed to prevent email spoofing and phishing attacks. It works in conjunction with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to verify that the sender of an email is authorized to use a given domain.

With stricter DMARC enforcement policies now in place, emails that fail authentication may be rejected entirely or flagged as spam—significantly impacting your email communication and business operations.

How to Tell if an Email is DMARC Approved or Rejected

Understanding how DMARC policies impact email security is crucial. When an email is sent, email servers verify whether it passes authentication checks before allowing it into an inbox. If these checks fail, the email is either marked as spam or rejected altogether.

Here’s a quick comparison of what a DMARC-approved email looks like versus one that fails authentication:

DMARC Approved (Passes SPF, DKIM, and DMARC Checks)DMARC Failed (Rejected or Marked as Spam)
✅ From: support@yourcompany.com❌ From: support@yourc0mpany.com
✅ Sent via: yourcompany.com❌ Sent via: unknownserver.com
✅ SPF Alignment: Verified❌ SPF Alignment: Failed
✅ DKIM Signature: Valid❌ DKIM Signature: Missing or Mismatched
✅ DMARC Policy: Pass❌ DMARC Policy: None or Reject
✅ Lands in Inbox❌ Marked as Spam or Rejected

If your legitimate business emails are being marked as spam or failing to reach recipients, it may be time to review and implement a strong DMARC policy. Without it, your business could face email spoofing risks, phishing attacks impersonating your domain, and a loss of trust from customers.

The Business Risks of Ignoring DMARC Reject Policies

If your company’s domain lacks proper DMARC configurations, you could face:

  • Email Deliverability Issues: Emails sent from your domain may not reach clients, partners, or employees if they fail authentication checks.
  • Increased Cybersecurity Risks: Attackers frequently use domain spoofing to impersonate businesses in phishing scams. Without DMARC, your domain is vulnerable to misuse.
  • Regulatory and Compliance Challenges: Many industries, especially finance and legal sectors, are tightening email security requirements. Non-compliance could lead to fines or reputational damage.
  • Customer Trust Erosion: If fraudulent emails appear to come from your domain, your brand’s credibility takes a hit—leading to lost business and damaged relationships.

How Businesses Can Adapt and Secure Their Email Communication

The good news is that Go West IT has a solution. As a Managed IT and cybersecurity provider, we specialize in configuring and enforcing DMARC, SPF, and DKIM policies to secure business email communications. Here’s how we can help:

  • DMARC Policy Implementation: We assess your domain and establish an appropriate DMARC policy (Monitor, Quarantine, or Reject) to enhance security without disrupting legitimate emails.
  • Email Authentication Configuration: We properly configure SPF and DKIM records to align with your email-sending sources, ensuring all authorized emails pass authentication.
  • Ongoing Monitoring & Reporting: DMARC reports provide insights into who is sending emails on your behalf. We analyze these reports to detect unauthorized use and prevent future threats.
  • Strategic Rollout to Avoid Business Disruption: Enforcing DMARC too aggressively without monitoring can lead to unintended email rejections. We implement a phased approach, allowing you to monitor and adjust policies before moving to a full reject mode.

Stay Ahead of Email Security Threats

Email remains a primary attack vector for cybercriminals, and with the latest enforcement of DMARC policies by major providers, businesses must take action to protect their domains. Go West IT ensures your email security is up to modern standards—reducing your risk, maintaining email deliverability, and keeping your business communications secure.

Don’t wait until email failures or phishing attacks disrupt your business. Contact Go West IT today to ensure your email domain is secure and compliant with the latest DMARC policies.

Hidden Costs of Unused Cybersecurity Software

In the evolving landscape of cybersecurity, phishing remains one of the most persistent and damaging threats businesses face. To combat this, many organizations invest in software solutions to enhance their security posture. However, all too often, these tools are purchased as a “check-the-box” measure and left underutilized—or worse, completely unused. The result? Vulnerabilities persist, resources are wasted, and businesses remain exposed to the very risks they sought to mitigate.

The Problem with “Shelfware”

A common scenario: a company identifies phishing as a top concern and purchases an email filtering or endpoint detection and response (EDR) solution. Yet, the software is never fully set up, integrated into their systems, or managed effectively. It sits idle for years, offering no protection while silently draining budgets.

For example:

   • Phishing Prevention Tools: Businesses often invest in robust tools like email filtering solutions but fail to implement and monitor them correctly or run phishing campaigns to train employees.

   • Endpoint Detection and Response (EDR): Some companies run EDR software for years without proper configuration and more importantly monitoring, leaving systems vulnerable despite the illusion of security.

   • Incomplete IT Transitions: Organizations that start transitioning to new antivirus or other security platforms may abandon projects mid-way, leaving gaps in their defenses.

Why Managed Services Are the Solution

A managed service provider (MSP) like Go West IT solves this common issue by offering software, expertise, and execution in a single, comprehensive package. Here’s how partnering with an MSP delivers better outcomes:

  1. Cost Savings

MSPs often have access to enterprise-level pricing for software, meaning businesses can secure top-tier tools like Microsoft Defender, Azure Information Protection, CrowdStrike, Ironscales, and SaaSAlerts at lower costs. Consolidating software and services under one vendor eliminates the hidden costs of unused tools and duplicate solutions.

     2.    Full Integration

An MSP ensures that every tool—whether it’s an EDR platform or phishing prevention software—is fully set up, integrated with existing systems, and tailored to meet the organization’s unique security needs.  More importantly, it is aggressively monitored so important security events are dealt with in real time.

     3.    Ongoing Management

Cybersecurity is not a “set it and forget it” endeavor. MSPs provide continuous monitoring, updates, and management to ensure tools remain effective against evolving threats.

     4.    Improved Security Outcomes

With managed services, businesses benefit from expertly managed phishing campaigns, employee training, and proactive threat detection, ensuring comprehensive protection.

     5.    Streamlined Operations

Instead of juggling multiple vendors and tools, businesses work with one trusted partner who oversees every aspect of their security infrastructure.

Case Study: The Cost of Inaction

In one instance, a company purchased an EDR solution and ran it on their systems for five years without proper implementation. Not only were they paying for software that wasn’t protecting them, but their systems remained exposed to cyber threats during that entire period. A similar story is common with email filtering solutions like Mimecast—purchased but never leveraged to their full potential.

Had these businesses partnered with an MSP, they could have avoided wasted spend, mitigated risks, and achieved better results through a fully managed and optimized security solution.

Why Microsoft Solutions Matter

Microsoft offers a suite of security tools designed to address modern threats, particularly in email security. Solutions like Microsoft Defender for Office 365 provide advanced phishing protection, link detonation, and real-time monitoring, making them ideal for safeguarding against phishing attacks. When paired with MSP services, these tools can be fully leveraged to maximize both protection and value.

Make the Switch to Managed Services

Stop paying for unused or ineffective software. Partner with Go West IT to consolidate your cybersecurity tools, reduce costs, and ensure your defenses are always optimized. From phishing prevention to endpoint security, we bring the platform, expertise, and execution you need to stay ahead of threats.

Contact us today to learn more about managed services for your business!