Re: Reviewing our existing policies
I have no idea what their existing security policies are, but they certainly need reviewing by someone competent.
In my experience, neither such a review, nor revising the policies to improve them, makes a damn bit of difference.
Our policies were completely overhauled some years ago, and IT still are nowhere near implementing them. We don't even have a usable backup mechanism for employee-controlled machines, or drive encryption for most laptops. Only a few systems use MFA. And so on.