Finding and vetting a new IT Managed Service Provider (MSP) can be a daunting task for small businesses. In the not-so-distant past, the kinds of questions that businesses needed to ask of their IT providers ran to ‘can you fix my computers?’, ‘will you support my server?’, ‘do you take support calls?’, etc.
Today’s business landscape is much different. Along with complex environments that run both on-premises and in the cloud, security risks have become a very real and present danger. In fact, security has become such big business for the bad guys that our government has gotten involved and is now issuing guidelines on what small businesses should ask of their IT providers.
So what is a small business to do when it is faced with the task of finding a new IT provider? What questions do they ask? What questions SHOULD they ask? As an MSP, we have put quite a bit of thought into what questions we need to anticipate, as well as what questions we WISH prospects would ask us. Below we have compiled a list of questions we think every small business should ask of their next IT provider (whether it is IntegraMSP or not).
As the ‘IT experts’, it is up to the MSP to answer the tough questions for our clients and not expect them to try to find the answers on their own. Our clients and prospects are the best at what THEY do – so we need to be the best at what WE do.
Questions to ask of your prospective IT Managed Service Provider
- Do they have Insurance? What kind(s) of insurance do they have?
The MSP should be able to supply you with certificates of insurance that state their coverage as well as liabilities. They should have General Business Liability, Errors and Omissions, as well as Cyber Insurance. These are important policies for any MSP to have. If they have technicians coming out to your office to provide service, they should also have Workers’ Compensation and be able to supply Certificates of Insurance to work within your office if needed.
- What is their response time to a request?
In today’s fast-paced world, time is of the essence. Response time is important to our clients. When vetting your next IT MSP, we encourage you to ask them to put in a support request in real time. Are you able to call your new IT provider to get assistance? Is the phone being answered by someone local and working for the MSP, or is it an outsourced provider? If onsite support is needed, how quickly can someone get to your location to work on your problem? Will you see/speak with the same techs, or will it be someone new each time? Will local support be provided by an employee of the MSP or will it be outsourced to a contractor? For many clients, it is important to ‘know’ the technician that will be in their offices and working with their sensitive data.
- Can you get references?
Having the ability to contact current clients of an MSP is often invaluable in gauging how well the MSP works with their clients. Knowing there is trust there and a willingness to speak to how they work with each other is important. Does the MSP address their clients’ needs? Is the client comfortable with the technicians they deal with? Does the client TRUST their MSP with their network?
This is a big one in today’s IT environment. With bad actors now operating as (very lucrative) businesses with well-organized affiliates, threats are being generated at a dizzying pace. Every 39 seconds there is an attack somewhere on the web, which adds up to about 2.24K a day. These kinds of stats can scare ANY company. But there are nuances and differences in the levels of security a small business may need. Do you have Industry Compliance requirements? Does your cyber insurance require you to meet certain criteria? What kind of security does your business need? There are definite minimums to what you will need as far as cyber security. You will NEED 2FA – that should be non-negotiable. If your prospective MSP does not push for implementing 2FA/Multi-factor Authentication – look elsewhere. Security should include antivirus, antispam, threat-detection and monitoring/patching at a minimum.
Ask the MSP if they provide different levels of security that fit the different needs of your business. They may not know exactly what your particular business needs are, but if you can tell them what compliance requirements you have in regards to security, they should be able to provide what you need.
- That brings us to Antivirus
An MSP should be able to happily answer the question of what Antivirus they offer and why they offer it. They may ask for you to sign an NDA (in case they feel that is proprietary information – that is ok) – but they should provide that information to you if you ask. A good antivirus is a critical component of the security arsenal of any MSP. A good question to ask is if the AV (antivirus) has extra features such as adversarial detection and threat hunting.
- Is the MSP involved in a lawsuit? With a client?
Do not think of this as an intrusive question – it is an important one. If they are actively involved in a lawsuit, what are they in a lawsuit for? Was it tied to a breach? Was it caused by a cyber threat? You will best know what your risk level is in doing business with an MSP that is currently involved in legal proceedings. If they do not want to discuss it – it could be a red flag.
- Backup – Business Continuity and Disaster Recovery
Backups and how they are managed are one of, if not THE most critical part of security for a business, as well as a needed part of everyday business. Ask the MSP if they have backup redundancy. Do they back up onsite as well as offsite? Do they have the capability to launch your network in the cloud in a short period of time to keep your business up and running in the event of a critical system failure – whether it be a dead server or a natural emergency? Do they back up your emails? Do they back up your computers or just servers? Do they have the capability to back up your server if it is in the cloud? Do they check to make sure your backups are good? Do they have a Business Continuity and Disaster Recovery Plan in place? How long do they keep your data?
Essentially – do they have a good, solid answer for how your data will be backed up and how you will access it when you need it? If they mention a ‘tape backup’ – politely thank them for their time and move on to the next candidate.
- Is the MSP aware of the CISA recommendations? Can they speak to them?
The CISA (Cybersecurity & Infrastructure Security Agency) released guidance for businesses after a slew of very costly and damaging cyber-attacks happened recently. The document has been on the lips of many IT providers since it was released a few weeks back.
The information is a lot to take in and process for the average small business – it is not in their wheelhouse – but it is in an MSP’s. An MSP should be able to help answer some of those questions for you. The CISA guidelines are really great, but they don’t take into consideration that many of the roles they lay out for organizations to have, such as a ‘supply chain risk council’, will often fall on the shoulders of one individual in the client’s company who also has many other duties and may not have the training to be well-versed in supply chain risk.
That is often WHY a small business needs a good MSP. It is THEIR job to understand that part. The CISA recommendations tend to skew towards larger, enterprise-level businesses – but that does not mean an MSP should not care about them. Can your new MSP help you mitigate cyber security risks? Of course they should. They should have a ‘stack’ of tools, processes and procedures to address cyber incidents quickly and effectively. They should be able to tell you what to expect in the case of an outage of service. They should have a plan they follow if they are involved in a third-party data breach/cyber-attack. They should have disaster recovery and response plans that they have developed internally and for their clients.
These are just a start to the questions – but one of the questions we did not include was price. What is this going to cost me? Price is of course a determiner in picking a new service provider. It kinda has to be. BUT – what is also important is the VALUE of what you are paying for when you contract with an MSP. Do they value your business? Are they a trusted advisor or just a cost center? Are they a means to an end, or do they help you streamline your business and provide value by securing your environment and taking care of your important business data and processes? Your IT Managed Service Provider holds your network in their hands. They mitigate risks, they help your team keep running, and you need to see them as an extension of your business. The performance of your MSP can make or break your company. Make sure to do your research.
- Written by Jennifer Gilligan