Choosing an IT provider is a business decision with long-term consequences. Your provider holds the keys to your email, your files, your client data, and your ability to operate. Yet most businesses select a provider based on price or proximity without asking the questions that reveal capability and professionalism.
Are You Insured?
This is the question almost nobody asks, and it is one of the fastest ways to gauge how seriously a provider takes professional accountability. An IT provider should carry professional errors and omissions (E&O) insurance and commercial general liability coverage at minimum. Many also carry a separate cyber liability policy, which covers the costs of a breach itself (forensics, notification, recovery) rather than the provider's professional mistakes. These policies exist because IT work carries real risk. A misconfigured backup that fails during a disaster, a security gap that leads to a breach, a migration that loses data: each of these has financial consequences, and insurance is what lets the provider stand behind their work when one of them happens.
Not every provider carries this coverage, and some cannot obtain it, because underwriters evaluate a provider's own security practices before writing a policy. Without insurance, a client has limited recourse if a provider's mistake causes a financial loss. Ask any provider for proof of coverage, ideally a certificate of insurance that lists the coverage types, limits, and policy period, and check that the policy is current and that the limits are meaningful relative to the size of your business. A professional operation will produce it without hesitation.
What Security Framework Do You Follow?
"We take security seriously" is not an answer. Look for a provider who can name a specific framework and explain how they implement it. The CIS Controls (version 8) are the most common choice for small and medium businesses. Implementation Group 1, the baseline tier, consists of 56 safeguards that cover the essentials: hardware and software inventory, account and access control, vulnerability management, data protection, secure configuration, backup and recovery, and incident response. If your provider cannot name their framework or say which of its controls they have implemented for you, their security work is likely inconsistent and hard to verify. A named framework gives you a shared vocabulary, a way to measure where you stand today, and a way to track improvement over time.
What Happens When Something Goes Wrong at 2 AM?
Cyberattacks do not respect business hours. Neither do server failures, ransomware, or account compromises; attackers frequently choose nights and weekends precisely because nobody is watching. Ask your provider what happens when a critical alert fires overnight. Do they have 24/7 monitoring? Who responds, and how quickly are they committed to responding? What is the escalation path if the first responder cannot contain the problem? If the answer involves checking voicemail in the morning, your business is unprotected for the majority of every day. A managed cybersecurity provider runs continuous monitoring with human analysts reviewing alerts around the clock and a defined response time that they will put in writing.
Can You Document Your Own Security Controls?
A provider who manages your security should be able to demonstrate their own. Ask whether they require multi-factor authentication for their own staff, especially on the administrative tools they use to manage your systems; whether their own devices are centrally managed and encrypted; whether they conduct vulnerability assessments on their own infrastructure and can show a recent report; and whether they have a written incident response plan and have tested it. A provider's tooling holds privileged access to every client it serves, so a compromise on their side becomes a compromise on yours. If your IT provider cannot meet the same security standards they recommend to you, that is a gap worth raising with them.
What to Do with the Answers
These questions are not adversarial. They surface the difference between a provider who has invested in building a mature, accountable operation and one who has not. Insurance, frameworks, after-hours response, and internal security practices all cost money. Providers who invest in them charge accordingly, and that investment shows up as reliability when things are running normally and accountability when they are not. If these questions surface gaps in your current arrangement, it may be worth starting a conversation about what a more structured, accountable approach could look like for your business.