Cybersecurity for SMBs · 7 min read

What Cybersecurity Questions Should I Ask My IT Provider?

Most IT providers aren't cybersecurity experts — they're generalists. Here are the four questions every small business owner should ask, plus how to verify the answers are true.

Menachem Tauman

Co-Founder & CEO, Fortress Cyber

May 10, 2026


TL;DR

Ask your IT provider four questions — whether they are a security specialist or generalist, what enterprise-grade tools they use, whether someone monitors your network 24/7, and whether those tools are correctly configured — then verify their claims with vendor partnership proof and client portfolios.

Key takeaways

  • Most IT providers are IT generalists, not cybersecurity experts — and that gap decides whether a business survives a ransomware attack.
  • 43% of all 2025 cyberattacks targeted small businesses, 88% of those breaches involved ransomware, and 1 in 5 owners who were hit went out of business within months.
  • Basic SMB antivirus and off-the-shelf filters stop yesterday's threats; enterprise-grade tools use AI to detect anomalies and catch attackers already inside the network.
  • Attackers deliberately strike nights, weekends, and holidays, so a provider who checks in weekly or only reacts to breakage is not protecting you.
  • Verify, don't trust: confirm the provider is a registered vendor partner and can show certifications and a portfolio of clients running enterprise security — the best providers admit gaps and bring in expertise.

If you own a small business, your IT provider is probably the person you trust most with your technology. They set up your computers. They fix your email when it breaks. They keep your printers working. And somewhere along the way, you assumed they were also handling your cybersecurity.

Here's the uncomfortable truth: most IT providers are not cybersecurity experts. They're IT generalists. And the difference between those two things is the difference between your business surviving a ransomware attack and going out of business in the six months after one.

The Numbers You Can't Ignore

  • 43% of all cyberattacks in 2025 targeted small businesses
  • 88% of those breaches involved ransomware
  • 1 in 5 small business owners who got hit went bankrupt or out of business within months

These are not abstract numbers. This is happening to businesses like yours, right now, while their IT providers tell them everything is fine.

So how do you know if your IT provider is actually protecting you? You ask them the right questions. And you don't accept vague answers.

Question 1: Are You a Cybersecurity Expert, or an IT Company That Does Some Security on the Side?

This is the question that exposes everything.

A good IT provider will be honest. They'll tell you whether security is their specialty or whether they're a generalist.

The bad answer sounds like this: "Don't worry, everything's fine. We've got it covered."

That's not an answer. That's a deflection. If they can't articulate exactly what cybersecurity services they provide, what tools they use, and what their expertise is — they don't have it.

Question 2: What Enterprise-Grade Tools Do You Use to Protect My Business?

Here's where you separate the real from the fake.

Most small businesses are protected with basic SMB tools — cheap antivirus, simple firewalls, off-the-shelf email filters. These tools were not built to stop modern attacks. They stop yesterday's threats, not today's.

Enterprise-grade tools are different:

  • They use AI to detect anomalies
  • They monitor behavior, not just signatures
  • They catch attackers who are already inside your network

Ask your provider specifically: do you use enterprise-grade endpoint detection? Do you have a security operations platform monitoring my environment?

If they say "we use a popular antivirus" — that's not the answer you want. If they say "we don't know how to install enterprise tools" or "those are too complex for small businesses" — they're telling you they're not equipped to protect you.

Question 3: Is Someone Monitoring My Network 24/7?

Cyberattacks don't happen during business hours. Attackers specifically target nights, weekends, and holidays — when no one is watching.

If your IT provider checks in once a week, or only responds when something breaks, you are not protected.

Ask: "Who is watching my network at 2 AM on a Sunday?" If the answer is nobody, you have a problem. Real cybersecurity means real-time monitoring, someone watching the moment an alert fires, and someone responding while the attack is still happening — not three days later when your data is already encrypted.

Question 4: Are the Tools You Use Actually Configured Correctly?

This one catches even providers who have the right tools.

Most cybersecurity tools fail not because they're bad, but because they were installed and forgotten. Default settings. No tuning. No regular review. A misconfigured enterprise tool is barely better than a basic one.

Ask your provider: "When was the last time you reviewed and updated the configuration of my security tools?" If they can't give you a specific date or process, they're not maintaining your protection.

How to Verify They're Telling the Truth

Here's the part most SMB owners miss. You can't just take their word for it. You need to verify.

If your IT provider says they use a specific cybersecurity tool, check whether they're actually a registered partner with that vendor. Real cybersecurity providers are authorized to sell and deploy these products.

Ask: are you a registered partner of this vendor? How many of your customers are using this tool? Can you show me a portfolio of clients running enterprise-grade security?

If the answer is zero, or one, or "I'd have to check" — they're not really using it. A real provider can show you their partner certifications, a portfolio of clients on enterprise tools, and proof.

What an Honest Answer Sounds Like

Here's what surprised me most after 28 years in cybersecurity: the best IT providers are the ones who admit what they don't know.

A good IT provider, when asked these questions, might say:

"Honestly, we're great at IT, but cybersecurity is a different specialty. Let me bring in a partner who can handle that side. You'll still have us managing your IT — but we'll work alongside cybersecurity experts so you get the protection you need."

That's maturity. That's a provider who cares more about your business than their ego. The bad answer is defensiveness: telling you not to worry, telling you it's all fine, telling you enterprise tools are unnecessary, refusing outside expertise.

The Conversation to Have Today

Schedule a meeting with your IT provider this week. Ask them these four questions. Listen carefully. Verify their claims — vendor partnerships, customer portfolios, proof.

If they're honest about gaps and willing to bring in cybersecurity expertise — keep them. If they're defensive, vague, or insistent that everything is fine without being able to prove it — you know what you need to do. For a deeper view of what actually happens when an unprotected SMB gets hit, read how SMB ransomware attacks actually unfold.

Where Fortress Fits In

There's a platform called Fortress built specifically for this moment.

It gives IT providers and MSPs the enterprise-grade cybersecurity tools, AI-powered monitoring, and expertise they need to protect small businesses — without requiring them to become cybersecurity specialists overnight. The vendor-agnostic Marketplace covers endpoint, email, identity, and backup; the TPRM & GRC module covers compliance; and MerlinAI handles the 24/7 monitoring most generalist IT shops can't deliver in-house.

A good IT provider will hear about Fortress and say "let's pilot this together." That's the response you want. Watch the demo if you want to see what that conversation can look like.

Because the question isn't whether your business will be attacked. It's whether the people protecting you are ready when it happens.

WRITTEN BY

Menachem Tauman

Co-Founder & CEO, Fortress Cyber

Serial entrepreneur with 28+ years of experience in cybersecurity and IT. Former CISO who has advised governments, banks, and Fortune 500 companies. Co-founded QMasters, a successful MSSP (exit x1), and pioneered the "Integrative Cyber Defense" approach. At Fortress, he's building the Channel Enablement OS that transforms how MSPs deliver and monetize cybersecurity.
