If you’re a small business that hasn’t hired your own IT staff, you probably have an MSP, a managed service provider that handles your tech. Most of them are great at what they specialize in: laptops, email, file shares, the printer that nobody can ever get working. Some of them also claim to “handle security.” That phrase is doing an enormous amount of work, and it’s worth pulling apart.
I’m not anti-MSP. Some of the best security I see at SMBs is delivered by good MSPs. But the gap between an MSP that genuinely handles security and one that just says they do is enormous, and you, the customer, often have no way to tell the difference until the morning your files are encrypted.
So: five questions you should ask. The answers tell you most of what you need to know.
1. “Show me last month’s vulnerability scan results.”
Real answer: A PDF or a portal screenshot showing systems scanned, vulnerabilities found, and what’s being done about them. There should be a number. The number should be more than zero (vulnerabilities are constant), and there should be a process for working it down.
Red flag answer: “We don’t really do that,” “Our tools handle that automatically,” or any version of “I’ll have to ask.” Vulnerability management is not optional in 2026. If your MSP isn’t doing it, no one is.
2. “What did our environment look like in your security review last quarter?”
Real answer: A document, even a single page, summarizing what’s changed, what risks have been identified, what’s recommended. This proves that someone is actively thinking about your specific environment, not just running everyone through the same template.
Red flag answer: A blank stare, or “we do that annually.” Annual reviews are not enough. The threat landscape doesn’t move on annual cycles.
3. “If I got phished tomorrow and my email password was stolen, what would happen?”
Real answer: A walk-through. They’d tell you that MFA would block the login from a new device, that you’d get an alert, that they’d see the alert and respond, that they have a documented playbook for credential compromise, and that they’d reset the password and review any actions taken under the compromised account. Specific. Step by step.
Red flag answer: “We’d reset your password.” That’s not a security response. That’s IT support.
4. “Who looks at the security alerts coming from our environment, and how often?”
Real answer: A specific person or team, a specific cadence (daily, weekly, or 24/7 via a SOC), and ideally an SLA on response time. If they outsource to an MDR provider, they should be able to tell you who that provider is and how to escalate to them.
Red flag answer: “We have alerting set up.” That tells you the technology exists. It doesn’t tell you anyone is listening.
5. “Can you walk me through what’s in our backups, when they were last tested, and how long restoration would take?”
Real answer: Specifics. What systems are backed up, where the backups live (ideally offsite and immutable), the last successful test date, and a realistic time estimate for a full restore. The honest ones will admit the time estimate is longer than you’d like and recommend recovery-time planning.
Red flag answer: “Yes, we have backups.” Or just a product name. The existence of backups is one of the most common false comforts in the SMB world. Untested backups are roughly a coin flip in a real incident.
Why this conversation isn’t adversarial
The temptation, when you’re not sure your MSP is delivering, is to either pretend everything’s fine or to have a confrontation. Neither is the right move.
The right move is to treat this like any other vendor management conversation: clear questions, professional tone, honest answers. A good MSP will welcome these questions because they want you to know what they’re doing for you. They’ll often have better answers than you expect, and you’ll come away more confident.
A bad MSP will get defensive. That’s its own answer.
One more question, off-script
Once you’ve asked the five, ask one more: “If something happens after hours, who do I call?”
If the answer is a generic support email, you have a problem. If it’s a specific human’s cell phone, you’ve got someone who knows the difference between IT support and incident response.
That’s the entire gap between “handles security” as marketing and “handles security” as a real promise.
Further reading
- From Resolute Security: The Backup You’ve Never Tested Is Not a Backup
- From Resolute Security: Your Weakest Link Is a Vendor You Forgot About
- From Resolute Security: We’re Too Small to Be a Target
- NIST Small Business Cybersecurity Corner
- CISA StopRansomware