Yarra Secure

Free guide

10 Security Questions to Ask Your IT Provider

Outsourced IT is normal for small businesses — but 'IT handles it' is not a security strategy. These ten questions help you understand what is actually covered, what isn't, and where responsibility sits. A good provider will welcome them.

The ten questions

  1. Is multi-factor authentication enforced on every account, including admins — and can you show me?
  2. Who has admin access to our systems right now, and when was that list last reviewed?
  3. What happens, step by step, when a staff member leaves? How fast is access removed?
  4. Are our backups automatic, stored separately, and when did we last test a restore?
  5. Are SPF, DKIM, and DMARC set up on our email domain? Can you show me the records?
  6. How quickly are updates and security patches applied to our systems and website?
  7. If we were compromised at 9am tomorrow, what would you do, and what would you need from us?
  8. What exactly is in scope of our agreement — and what security work is NOT included?
  9. How is our data protected at your end, and who at your company can access our systems?
  10. Can you walk me through the last security improvement you proactively made for us?

How to read the answers

You're listening for specifics, evidence, and comfort with the questions. Vague answers ('it's all covered'), defensiveness, or surprise that you asked are signals worth acting on. An independent review like Yarra Secure's Quick Cyber Risk Review can give you a second opinion without disrupting the relationship.

General guidance only, drawn from practical experience and aligned with public Australian guidance from the ASD's Australian Cyber Security Centre (cyber.gov.au) and ACCC Scamwatch (scamwatch.gov.au). Check those sources for current official advice. This guide is not legal advice.


Want this checked against your business?

The 48-hour Quick Cyber Risk Review covers this ground and more, with evidence and a prioritised action plan for your specific setup.

Or call Sam directly on 0435 315 894.