Ask about security inclusion, response times, what happens out-of-hours, their own certifications, and how they'll evidence compliance for your customers. The answers reveal whether they're a modern security-focused MSP or a reactive break-fix shop.
Security Questions
"What security is included in your base price?"
Good answer: "MFA enforcement, EDR on all endpoints, email security, backup, and regular patching."
Red flag: "Basic antivirus. Security is an optional add-on."
Why it matters: In 2026, security bolted on as an extra is negligent. It should be built in.
"What happens if we get ransomware at 2am on Saturday?"
Good answer: "Our MDR provider monitors 24/7. We'd be alerted immediately and begin response within [timeframe]. Here's our incident response process..."
Red flag: "We'd pick it up Monday morning when we check alerts."
Why it matters: Ransomware doesn't wait for business hours.
"What certifications do you hold?"
Good answer: "We're ISO 27001 certified and Cyber Essentials Plus accredited."
Red flag: "We don't really do certifications" or vague claims.
Why it matters: If they can't demonstrate their own security, how will they manage yours?
"How will you help us answer customer security questionnaires?"
Good answer: "We provide documentation of controls, help complete questionnaires, and our certifications support your responses."
Red flag: "That's your responsibility."
Why it matters: Your customers will ask about your security. Your IT provider should help.
Service Questions
"What's included vs extra?"
Good answer: A clear list of what's in the base price, and transparency about what costs more.
Red flag: Vague answers. "It depends." Discovering extras later.
Why it matters: The £30/user provider that charges extra for everything ends up costing more than the £60/user all-inclusive one.
"What are your response time SLAs?"
Good answer: Specific commitments. "Critical issues: 1 hour response. Standard: 4 hours. Low priority: next business day."
Red flag: "We aim to respond as quickly as possible."
Why it matters: Without SLAs, you have no recourse when response is slow.
"How do you handle after-hours emergencies?"
Good answer: "We have out-of-hours support for critical issues at [number]. Here's what's covered..."
Red flag: "Leave a message and we'll call you Monday."
Why it matters: Problems don't only happen 9-5.
"What's your contract term?"
Good answer: "Monthly or annual. Your choice."
Red flag: "36-month minimum."
Why it matters: Long lock-ins benefit the provider. Confident providers don't need them.
Technical Questions
"How do you handle patching?"
Good answer: "Automated patching with compliance reporting. Critical patches within 14 days. We track and evidence it."
Red flag: "We update things when we're onsite."
Why it matters: Disciplined patching closes the known vulnerabilities that most attacks rely on.
"What backup solution do you use? Is it immutable?"
Good answer: Names a reputable solution, confirms immutable or air-gapped options, and can explain the recovery process.
Red flag: "We use the built-in Microsoft backup" or doesn't know what immutable means.
Why it matters: Backup is your ransomware insurance. Weak backup = no recovery.
"How do you monitor our systems?"
Good answer: "Continuous monitoring with [tool]. We review alerts daily. Here's what we're watching for..."
Red flag: "We check in periodically."
Why it matters: Reactive IT waits for you to report problems. Proactive IT finds them first.
Relationship Questions
"Who will we actually work with?"
Good answer: "Your main contact is [name]. Here's the team. You'll get to know us."
Red flag: "Whoever's available picks up tickets."
Why it matters: Consistent contacts understand your business.
"Can we speak to reference clients?"
Good answer: "Of course. Here are some contacts in similar industries."
Red flag: Reluctance or excuses.
Why it matters: Happy clients are shareable. Unhappy clients aren't.
"What reporting will we receive?"
Good answer: "Monthly reports covering [specifics]. Quarterly reviews to discuss your environment."
Red flag: "You can log into the portal if you want to see tickets."
Why it matters: You should know what's happening without asking.
The Questions That Reveal Everything
"What would you do differently from our current provider?" Listen for understanding of your situation vs generic sales pitch.
"What's the biggest security mistake you see clients make?" Listen for genuine insight vs "not choosing us."
"Tell me about a time you handled a serious incident." Listen for experience and process vs vague reassurances.
Our Answers
We welcome these questions. Here's what we'd tell you:
- Security included: EDR, email security, backup, MFA, awareness training—standard
- Out-of-hours: MDR monitoring 24/7, emergency support line
- Certifications: ISO 27001, Cyber Essentials Plus
- Contracts: Monthly terms
- Transparency: Happy to provide references
