5 cyber security questions every organisation should ask its MSP

Most MSPs will tell you they take cyber security seriously. 

Most will point to certifications, monitoring platforms, service desk capabilities and security tooling. Many will also offer dedicated cyber security services alongside their core managed IT support. 

The challenge isn’t whether security matters to an MSP. The challenge is understanding how security is delivered in practice. 

An MSP typically has access to some of the most important parts of your organisation. They may administer cloud platforms, manage critical infrastructure, support users, maintain backups and hold privileged access to business systems. In many cases, they have access to all your most sensitive data. 

That level of access is one of the reasons MSPs have become an increasingly attractive target for cyber criminals. 

Rather than targeting organisations individually, attackers increasingly look for opportunities within the supply chain. A successful compromise of a service provider can potentially affect multiple customer environments, making MSPs an important part of the cyber security conversation. 

This isn’t a criticism of MSPs. In many respects, it reflects the critical role they now play within modern organisations. Businesses rely on MSPs to manage and support increasingly complex technology estates, and with that responsibility comes increased attention from attackers.

Accreditations, certifications and service levels remain important, but they only provide part of the picture. Understanding how a provider manages access, protects customer environments, responds to incidents and secures its own operations can provide much greater insight into how they approach risk. 

Organisations should expect to have these conversations. Cyber security is a shared responsibility and both parties benefit from a clear understanding of roles, responsibilities and expectations. 

Whether you’re selecting a new provider, reviewing an existing relationship or carrying out supplier assurance activities, the following questions can help guide that discussion.

1. How do you access our environment and data?

This is often the most important question you can ask. 

Your MSP should be able to clearly explain how their team access customer environments, what systems they use, how access is approved and how activity is monitored. 

The objective is to understand how much access exists, who has it and what controls are in place to prevent misuse. If a provider struggles to explain this clearly, that should raise concerns. 

2. Does everyone who accesses our environment use a unique named account protected by strong authentication?

Shared administrative accounts continue to appear in environments far more often than they should. 

When multiple people use the same account, it becomes extremely difficult to determine who accessed a system, what changes were made and whether activity was authorised. 

Every individual accessing your environment should do so using their own uniquely assigned account, protected by multi-factor authentication and appropriate privileged access controls. 

You should know who is accessing your systems and be confident that their activity can be traced back to a specific individual if required.
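One way to turn this question into a check, as an added example that is not part of the original article: a small review of constructed MSP sign-in records against a register of named accounts, flagging accounts that appear to be shared, logins without MFA and accounts not mapped to an individual. The account names, device names and the `NAMED_ACCOUNTS` register are assumptions made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Login:
    account: str
    source: str   # engineer device (or source address) seen on the login
    mfa: bool     # whether the login completed multi-factor authentication


# Constructed sample of an MSP access log (not real data).
SAMPLE_LOGINS = [
    Login("j.smith-admin", "eng-laptop-07", True),
    Login("j.smith-admin", "eng-laptop-07", True),
    Login("a.khan-admin", "eng-laptop-12", True),
    Login("msp-admin", "eng-laptop-03", False),   # generic admin account
    Login("msp-admin", "eng-laptop-19", False),
    Login("msp-admin", "eng-laptop-22", True),
    Login("svc-backup", "backup-srv-01", False),
]

# Assumed register supplied by the MSP: which account belongs to which person.
NAMED_ACCOUNTS = {"j.smith-admin": "Jane Smith", "a.khan-admin": "Ali Khan"}


def review_access(logins, named_accounts):
    """Return {account: [issues]} for accounts that need follow-up with the MSP."""
    sources = defaultdict(set)
    no_mfa = defaultdict(int)
    for entry in logins:
        sources[entry.account].add(entry.source)
        if not entry.mfa:
            no_mfa[entry.account] += 1

    findings = {}
    for account, seen_from in sources.items():
        issues = []
        # Several distinct devices on one account suggests shared use; confirm it.
        if len(seen_from) > 1:
            issues.append(f"used from {len(seen_from)} devices (possible shared account)")
        if no_mfa[account]:
            issues.append(f"{no_mfa[account]} logins without MFA")
        if account not in named_accounts:
            issues.append("not mapped to a named individual")
        if issues:
            findings[account] = issues
    return findings


if __name__ == "__main__":
    for account, issues in review_access(SAMPLE_LOGINS, NAMED_ACCOUNTS).items():
        print(account, "->", "; ".join(issues))
```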

3. How are the devices used to access our environment secured?

Even if access controls are strong, the security of the devices being used remains critical. 

Ask how the MSP secures engineer laptops and workstations. How are devices managed? How are vulnerabilities identified and remediated? What protections exist against malware, credential theft and unauthorised access? 

A compromised engineer device can become a pathway into customer environments, which makes endpoint security a key part of supplier risk management.

4. Who is accountable for cyber security within your organisation and what controls are in place?

This question often reveals how seriously cyber security is treated within the business. 

Cyber security should not exist solely as a technical function. Effective organisations establish clear ownership, governance and accountability at a leadership level. 

Ask who is responsible for cyber security. Ask what policies, standards and controls are in place. Ask how security risks are reviewed and managed. 

Strong security cultures are usually visible through clear ownership, defined responsibilities and evidence of ongoing oversight.

5. What are your notification and support obligations if either of us experiences a cyber incident?

Many organisations assume they will be informed immediately if their MSP suffers a security incident. 

That assumption is not always reflected in contracts or operational processes. 

Ask what happens if the MSP experiences a breach. When would you be informed? What information would be shared? What support would be available? Who would lead communications? 

Similarly, understand what support the provider would offer if your organisation experienced an incident. 

These discussions are far easier to have before an incident occurs than during one.

The question behind all the questions 

Ultimately, these questions are about understanding how an MSP thinks about risk. 

Do they take ownership? Are they transparent when discussing weaknesses? Do they have evidence to support what they’re telling you? Can they explain how they protect both their own environment and yours? 

The best conversations are usually the ones where providers can answer these questions clearly, provide evidence when asked and openly discuss areas where risk still exists. Cyber security isn’t about claiming to be perfect. It’s about understanding risk and managing it effectively.

In our experience, the quality of the discussion is often as valuable as the answers themselves. MSPs that can explain their approach clearly, discuss trade-offs and back up their claims with evidence tend to make stronger long-term partners than those relying solely on certifications or marketing claims. 

Because when an MSP has privileged access to your environment, you’re not simply buying a service. You’re placing a significant amount of trust in how they operate. 
