Critical security priorities and strategic actions for IT leaders in 2026
Takeaways
- Regularly review and strengthen your security posture at the start of each year to stay ahead of evolving threats.
- Identify the attack vectors most likely to succeed against your organization by considering industry trends, personnel, and user behavior.
- Evaluate changes in your IT environment over the past year, especially technology adoptions like AI, which can introduce new risks.
- Be aware of emerging threats such as prompt injection and vibe coding vulnerabilities in AI-powered applications.
- Implement automated code review tools for AI-generated code to mitigate security risks.
- Pursue strategies to detect compromised credentials early and minimize the impact of account breaches.
It’s a new year (and also a day ending in Y), which means it’s an excellent time for you to review your security posture. Use your renewed energy to seriously analyze your vulnerabilities, detection methods and organizational procedures. Answer these 10 questions to put yourself on the best possible footing for what’s likely to be another year of record-breaking cyberattacks.
Question 1: Which attack vectors are most likely to succeed against us right now?
Answering this question means taking a good look at your industry, your personnel and your users. Vulnerability exploitation attacks dominated in 2025, but that isn’t true for every company. If you have an extremely well-developed patch program, then another attack vector may be more likely. For example, try looking out for insider threats.
Question 2: What changed in our environment to increase risk in the last 12 months?
Maybe you got a new CISO — or your department got downsized. Maybe you modernized a legacy application or moved your server room to the cloud. If your organization is anything like the 88% of companies that adopted AI in 2025, your biggest new risk generator is probably related to it. Here are some concerns:
- Prompt injection attacks use the AI equivalent of social engineering to convince chatbots to give up information such as passwords.
- Vibe coding is when AI agents generate code automatically — and up to 50% of vibe coding examples contain security vulnerabilities.
Are you vibe coding any of your apps, or are you using any apps that may have AI-generated code? If so, you need to deploy appropriate technologies, such as automated code review.
Question 3: How confident are we that we can detect compromised credentials early?
Once you have your attack surface defined, it’s time to ask what happens if bad actors weaponize your vulnerabilities. This will often take the form of a compromised account, which will allow attackers to:
- Impersonate personnel, applications and infrastructure
- Escalate their permissions
- Spread malware throughout your network
- Encrypt or exfiltrate critical data
Ideally, you’ll be able to detect account compromise at the impersonation or escalation phase. This relies on behavioral detection that spans both people and software. Are you able to detect previously trusted apps communicating with C2 servers over high-numbered ports? Can you tell when one of your employees is logging in from a new device in a different location outside of work hours?
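The last question above (a known employee logging in from a new device, in a new location, outside work hours) is the kind of behavioral check that can be expressed as simple baseline-plus-signals logic. The following is an added illustration, not code from the post or from Barracuda; the events, the 07:00–19:59 work window and the two-signal threshold are constructed assumptions.

```python
from datetime import datetime
from collections import defaultdict

# Constructed sample login events (user, ISO timestamp, device id, country); not real logs.
EVENTS = [
    ("alice", "2026-01-05T09:12:00", "laptop-a1", "US"),
    ("alice", "2026-01-06T10:40:00", "laptop-a1", "US"),
    ("alice", "2026-01-07T14:03:00", "phone-a2",  "US"),
    ("bob",   "2026-01-05T08:55:00", "laptop-b1", "DE"),
    ("bob",   "2026-01-06T17:20:00", "laptop-b1", "DE"),
    ("alice", "2026-01-08T03:17:00", "win-x9",    "BR"),  # new device + new country + 03:17
    ("bob",   "2026-01-08T21:30:00", "laptop-b1", "DE"),  # late, but known device and country
    ("bob",   "2026-01-09T09:05:00", "tablet-b2", "DE"),  # new device only
]

WORK_HOURS = range(7, 20)   # assumption: 07:00-19:59 local time counts as work hours
MIN_SIGNALS = 2             # assumption: alert when at least two independent signals fire

def detect_anomalous_logins(events, cutoff):
    """Learn each user's known devices and countries from events before `cutoff`,
    then score later events. Returns [(user, timestamp, [reasons])] for hits."""
    known_devices = defaultdict(set)
    known_countries = defaultdict(set)
    cutoff_dt = datetime.fromisoformat(cutoff)
    alerts = []
    for user, ts, device, country in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        reasons = []
        if when >= cutoff_dt:
            if device not in known_devices[user]:
                reasons.append("new device")
            if country not in known_countries[user]:
                reasons.append("new country")
            if when.hour not in WORK_HOURS:
                reasons.append("outside work hours")
        if len(reasons) >= MIN_SIGNALS:
            # Treat the login as untrusted: do not fold it into the baseline until
            # an analyst confirms it, so an attacker's device never becomes "known".
            alerts.append((user, ts, reasons))
            continue
        known_devices[user].add(device)
        known_countries[user].add(country)
    return alerts

if __name__ == "__main__":
    for user, ts, reasons in detect_anomalous_logins(EVENTS, "2026-01-08T00:00:00"):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

A single weak signal (bob's late login on his usual laptop) stays below the threshold; only the combination the text describes is raised.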
Question 4: Which users, systems or identities would cause the most damage if compromised?
This is the corollary to question 3, and what it’s really asking is, “Are you currently enforcing least privilege?” Now’s your chance to audit your accounts and understand whether anyone has admin-level access that they don’t need. Ideally, not even your C-level accounts will have administrative permissions. Instead, one best practice is to only assign administrator permissions on a temporary basis that automatically expires when it is no longer needed.
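One way to make the “temporary, auto-expiring admin” practice auditable is to record an expiry on every privileged grant and periodically classify grants as standing, active or expired. This is an added example, not the post’s or Barracuda’s code; the role names, accounts and eight-hour cap are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed role assignments (not real accounts). expires=None means standing access.
GRANTS = [
    {"user": "ceo",      "role": "GlobalAdmin", "expires": None},
    {"user": "ops-jane", "role": "GlobalAdmin", "expires": "2026-01-08T18:00:00"},
    {"user": "ops-raj",  "role": "GlobalAdmin", "expires": "2026-01-07T12:00:00"},
    {"user": "ops-raj",  "role": "Reader",      "expires": None},
]
ADMIN_ROLES = {"GlobalAdmin"}              # assumption: which roles count as admin
MAX_ELEVATION = timedelta(hours=8)         # assumption: an elevation lasts at most one shift

def request_elevation(user, role, now, duration):
    """Issue a time-bound admin grant; refuses open-ended or over-long requests."""
    if duration is None or duration > MAX_ELEVATION:
        raise ValueError("admin elevation must be time-bound and no longer than MAX_ELEVATION")
    expires = datetime.fromisoformat(now) + duration
    return {"user": user, "role": role, "expires": expires.isoformat()}

def audit_admin_grants(grants, now):
    """Classify admin grants at time `now`: 'standing' (no expiry, the least-privilege
    violation to review), 'active' (valid JIT grant) and 'expired' (should already be
    revoked; left in place they are the dangling permissions an attacker reuses)."""
    now_dt = datetime.fromisoformat(now)
    result = {"standing": [], "active": [], "expired": []}
    for g in grants:
        if g["role"] not in ADMIN_ROLES:
            continue
        if g["expires"] is None:
            result["standing"].append(g["user"])
        elif datetime.fromisoformat(g["expires"]) > now_dt:
            result["active"].append(g["user"])
        else:
            result["expired"].append(g["user"])
    return result

if __name__ == "__main__":
    print(audit_admin_grants(GRANTS, "2026-01-08T09:00:00"))
```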
Question 5: Do we know who does what in the first 24 hours of a major incident?
Security incidents — even major incidents — are almost inevitable. What’s not inevitable is the effect of a major incident. A well-planned response can considerably blunt the effect of a large data breach. For example, a good response will:
- Notify regulators, law enforcement agencies and affected customers
- Attempt to reverse the encryption of any data affected by ransomware
- Document losses and potentially track the sale of stolen information
- Collect forensic data from affected applications, endpoints and infrastructure
- Quarantine the affected systems to reduce the further spread of malware
- Work with security researchers to identify novel exploits
All this depends on people knowing their roles in the aftermath of a data security breach. If all goes as planned, you may be able to recover your data, reverse encryption and provide information leading to the arrest of your attackers. Without a plan, you’ll find yourself in danger with regulators, in hot water with your customers and at risk of another attack.
Question 6: How are you backing up your most sensitive information?
You’re keeping backups, right? While most companies back up their data, backups on their own aren’t enough to protect against ransomware, natural disasters or equipment failure. That’s because many companies aren’t backing up their data to remote sites or offline locations.
Because of this, it’s advisable to make sure you’re using some variant of the 3-2-1 rule, which states:
- Three: Keep three backup copies of your data
- Two: Keep them on two different media, e.g. one in the cloud and one on tape
- One: Keep one copy offsite
It may be that you’re doing this already, but it never hurts to validate that the schema you’re using in theory matches the one that you’re using in reality. This helps prevent backup failures and increases the chance that you’ll recover most of your data in the event of an incident.
Question 7: In the event of a ransomware attack, what will you lose first?
Concordant with the question above, it’s worth asking which parts of your work are most vulnerable to encryption. Many companies take backups daily, weekly and monthly in a scheme referred to as “grandfather, father, son.” Because of the frequency of the “son” backup (daily), it’s usually stored on-site or in the cloud for fastest retrieval. But these backups are vulnerable to ransomware.
Losing a daily backup — or a week’s worth of daily backups — might not seem like a great deal. But there are definitely some periods where losing a week of work could be extremely detrimental. Are there systems in place to take more secure backups during crunch time?
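Validating that the 3-2-1 scheme you use on paper matches reality (question 6), and seeing which tiers of a grandfather/father/son rotation ransomware could still reach (question 7), can be done from a plain inventory of backup copies. This is an added example rather than the post’s or Barracuda’s code; the inventory, dataset names and the “offline” attribute are constructed assumptions.

```python
from collections import namedtuple

# One backup copy. offline=True means air-gapped or immutable, i.e. not writable from
# the production network. Constructed inventory, not a real environment.
Copy = namedtuple("Copy", "dataset tier media location offline")

INVENTORY = [
    Copy("erp-db",    "son",         "disk",  "onsite",  False),
    Copy("erp-db",    "father",      "cloud", "offsite", False),
    Copy("erp-db",    "grandfather", "tape",  "offsite", True),
    Copy("fileshare", "son",         "disk",  "onsite",  False),
    Copy("fileshare", "father",      "disk",  "onsite",  False),  # same media, same site
]

def check_321(copies):
    """Check every dataset against the 3-2-1 rule (three copies, two media, one offsite)
    and list the tiers a ransomware actor on the production network could still
    encrypt. Returns {dataset: {"meets_321", "gaps", "ransomware_exposed_tiers"}}."""
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)
    report = {}
    for dataset, cs in by_dataset.items():
        gaps = []
        if len(cs) < 3:
            gaps.append(f"only {len(cs)} copies")
        if len({c.media for c in cs}) < 2:
            gaps.append("single media type")
        if not any(c.location != "onsite" for c in cs):
            gaps.append("no offsite copy")
        # Online copies (local disk, cloud sync) are the ones daily "son" backups
        # usually live on; they are the first thing lost to ransomware.
        exposed = [c.tier for c in cs if not c.offline]
        report[dataset] = {"meets_321": not gaps, "gaps": gaps,
                           "ransomware_exposed_tiers": exposed}
    return report

if __name__ == "__main__":
    for dataset, r in check_321(INVENTORY).items():
        status = "OK" if r["meets_321"] else "GAPS: " + "; ".join(r["gaps"])
        print(f"{dataset}: {status}; exposed tiers: {r['ransomware_exposed_tiers']}")
```

Note that a dataset can satisfy 3-2-1 and still have its most recent tiers exposed, which is exactly the crunch-time gap the question asks about.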
Question 8: How are you fighting “alert fatigue”?
Here’s a hypothetical: Let’s say you have a SIEM tool in your SOC. The SIEM throws a high-priority alert once a day, requiring your team to trace it to the source. This is a false alarm 90% of the time. How long until your team starts ignoring its alerts?
Information security teams have to deal with a frightening number of false positives — as many as 20% of all alerts. This often means that genuinely severe alerts get ignored amidst the noise. It’s worth asking yourself whether a tool’s true positives justify the noise it generates, given the burnout and missed alerts that noise produces. Or are there automated or managed solutions that can help identify the alerts that matter?
Question 9: Where are we relying on processes that won’t scale under pressure?
Information security moves at a speed that manual processes can’t keep up with. Think of updating access permissions, for example. If you’re a 10-person company, it might be okay to update access controls manually. In an enterprise where you’re on- and off-boarding thousands of people, this process won’t scale. It’s best to implement role-based access control (RBAC).
If you look at your organization, you can probably find dozens of examples where you’re still working out of spreadsheets and email chains. Ask yourself whether there’s software that can automate tasks so that you can focus on more important priorities.
Question 10: Can you work with Barracuda to make meaningful improvements fast?
Answer: yes.
Sometimes, it takes an outside perspective to help see blind spots in organizational security. Working with Barracuda puts you directly in touch with experts who can suggest meaningful improvements that take effect quickly. Schedule a demo of our Managed XDR offering and learn how we can help you have a more secure organization in 2026.