Choosing an IT provider is a business decision with long-term consequences. Your provider holds the keys to your email, your files, your client data, and your ability to operate. Yet most businesses select a provider based on price or proximity without asking the questions that reveal capability and professionalism.
Are You Insured?
This is the question almost nobody asks, and it is the single fastest way to separate a professional operation from someone running a side business. A legitimate IT provider carries professional errors and omissions (E&O) insurance and commercial general liability coverage at minimum. Many also carry a separate cyber liability policy. These policies exist because IT work carries real risk. A misconfigured backup that fails during a disaster, a security gap that leads to a breach, a migration that loses data: these events have financial consequences, and insurance ensures the provider can stand behind their work.
Many IT operators, particularly smaller break-fix shops, carry no insurance at all. Some cannot get insured because underwriters evaluate the provider's own security practices before writing a policy. If the provider lacks basic controls internally, insurers either deny coverage or price it beyond reach. When an uninsured provider makes a mistake that costs your business money, you have no recourse beyond a lawsuit against someone who likely cannot pay. Ask for proof of coverage. A professional provider will produce it without hesitation.
What Security Framework Do You Follow?
"We take security seriously" is not an answer. A credible provider can name a specific framework and explain how they implement it. The CIS Controls framework is the most common for small and medium businesses, with 56 foundational safeguards in Implementation Group 1 that cover the essentials: device inventory, access control, vulnerability management, data protection, and incident response. If your provider cannot name their framework or explain which controls they implement, their security approach is ad hoc. Ad hoc security fails under pressure.
What Happens When Something Goes Wrong at 2 AM?
Cyberattacks do not respect business hours. Neither do server failures, ransomware, or account compromises. Ask your provider what happens when a critical alert fires overnight. Do they have 24/7 monitoring? Who responds? What is the escalation path? If the answer involves checking voicemail in the morning, your business is unprotected for the majority of every day. A managed cybersecurity provider runs continuous monitoring with human analysts reviewing alerts around the clock.
Can You Document Your Own Security Controls?
A provider who manages your security should be able to demonstrate their own. Ask whether they use multi-factor authentication internally, whether their own devices are managed and encrypted, whether they conduct vulnerability assessments on their own infrastructure, and whether they have a documented incident response plan. If your IT provider cannot meet the same security standards they recommend to you, that is a fundamental credibility problem.
What to Do with the Answers
These questions are not adversarial. They surface the difference between a provider who has invested in building a mature, accountable operation and one who has not. Insurance, frameworks, after-hours response, and internal security practices all cost money. Providers who invest in them charge accordingly, but they deliver reliability and accountability that cheaper alternatives cannot match. If your current provider struggles with any of these questions, it may be time to start a conversation about what professional IT management looks like.