Free Resource

Is your IT provider actually protecting you?

10 questions every business owner should ask - plus 5 red flags that mean you are not getting what you are paying for.

Get a Free Technology Review All Resources

The Questions

10 questions to ask your IT provider

Ask these at your next vendor review meeting. A good provider will answer every one confidently and with documentation.

“When was the last time you performed a full restore test of our backups - and can you show me the results?”

Why it matters

A backup that has never been tested is not a backup. It is a hope. Many businesses discover their backups were silently failing, incomplete, or unusable only after a disaster. Your provider should be testing restores quarterly at minimum and sharing documented results proactively.

“Can you show me a report of every security patch applied to our systems in the last 90 days?”

Why it matters

Unpatched systems are the number one entry point for ransomware and malware. Your provider should have an automated patching process with documented compliance rates. If they cannot produce this report within 24 hours, they are not tracking it.

“What happens if you get hit by a cyberattack? What is your incident response plan for your own organization?”

Why it matters

Your IT provider has administrative access to your systems. If they get compromised, you get compromised. A mature provider has their own security controls, incident response plan, and cyber insurance.

“Who at your company is personally responsible for our account, and how do I reach them directly?”

Why it matters

If every issue goes into a generic ticket queue and you never speak to the same person twice, nobody truly understands your environment. A dedicated account contact who knows your business is a sign of a provider that treats you as a client, not a ticket number.

“What is our current cybersecurity risk score, and what are you doing to improve it?”

Why it matters

If your provider cannot articulate your risk posture in concrete terms, they are not measuring it. A competent MSP monitors your security posture continuously and can show you a risk score, trend data, and the specific actions being taken to reduce your exposure.

“When was the last time you proactively recommended a change or improvement to our environment - without us asking?”

Why it matters

An IT provider that only reacts when something breaks is a help desk, not a managed service provider. Proactive providers identify aging hardware, security gaps, licensing waste, and performance issues before they cause problems.

“Can you provide a current network diagram and asset inventory for our environment?”

Why it matters

Documentation is the foundation of reliable IT management. If your provider cannot produce a current network diagram and a complete list of your hardware and software assets, they are managing your environment from memory.

“What would happen to our operations if our server failed right now? How long until we are back up?”

Why it matters

This tests whether your provider has a real disaster recovery plan. They should give you a specific Recovery Time Objective in hours, describe the recovery process step by step, and confirm it has been tested.

“Are we meeting the security requirements our cyber insurance carrier mandates - and can you document it?”

Why it matters

Carriers are increasingly denying claims when policyholders cannot prove they had specific controls in place - MFA, EDR, backup isolation, and access management. Your IT provider should map your controls directly to your carrier's requirements.

“How do you keep up with new threats, and when was the last time you updated our security in response to an emerging risk?”

Why it matters

The threat landscape changes weekly. New ransomware variants, zero-day vulnerabilities, and AI-powered phishing attacks require an IT provider that actively monitors threat intelligence and adjusts your defenses accordingly.

Warning Signs

5 red flags your IT provider is not doing their job

If more than two of these sound familiar, it is time for a second opinion.

You find out about problems before they do

If you are the one discovering that the internet is down, a server is full, or backups stopped running, your provider is not monitoring your environment. You are paying for managed services and getting break-fix.

They have never scheduled a business review or technology planning meeting

A provider that never sits down with you to review performance, discuss your business goals, and plan ahead is a vendor, not a partner.

Every project requires a separate quote and feels like a surprise

If your IT spend is a constant stream of unpredictable invoices for things that "came up," your provider is not doing lifecycle planning. A well-managed environment has a technology roadmap and a predictable budget.

They cannot explain your security posture in plain language

If your provider responds to security questions with jargon, deflection, or "you're fine," they either do not understand your risk or are not willing to be transparent about it.

Staff turnover at the provider means starting over repeatedly

If the technician who knows your environment leaves and the replacement has no documentation, no context, and no continuity plan, the provider's internal operations are unstable.

If more than two of these made you uneasy, get a second opinion.

TM Tech offers a free Technology Business Review for businesses across Middle Tennessee. We assess your environment, document what is working, identify what is not, and give you a clear written report - whether you work with us or not.

Schedule Your Free Review

Loading…