Is Your IT Provider Really Providing Optimal Cyber Protection? 10 Things to Consider
Chris McDonald
Stealth Cyber · 18 March 2026
Most Australian SMBs trust their IT provider to handle cybersecurity. That trust is often misplaced, and I say that without malice toward IT providers, because the problem is structural more than it is about individual competence.
IT management and cybersecurity are different disciplines. An IT provider's job is to keep your systems running, provision users, manage licensing, and respond to helpdesk tickets. A cybersecurity firm's job is to assume that someone is actively trying to break into your environment and make that as difficult as possible. These objectives do not conflict, but they are not the same thing, and the skill sets, tooling, and mindset required are genuinely different.
The question is not whether your IT provider is doing their job well. It is whether their job covers what you actually need.
Here are ten questions worth asking.
1. Do They Have 24/7 Threat Monitoring Across Your Endpoints?
Attackers do not work business hours. The most destructive phases of a breach, lateral movement and ransomware deployment, frequently happen on weekends and public holidays specifically because that is when detection is slowest.
Ask your IT provider directly: who is watching your environment at 2am on a Saturday? What tool generates the alert, and who receives it? How quickly is a human reviewing it?
If the answer is "we have antivirus and it sends alerts to our ticketing system," that is not 24/7 monitoring. That is scheduled antivirus scanning with a notification queue.
2. What Is Their Mean Time to Detect and Respond?
This is a measurable metric. Mean time to detect (MTTD) is how long it takes to identify that something malicious is happening. Mean time to respond (MTTR) is how long it takes to contain it.
The industry average MTTD for organisations without a dedicated security operations function sits around 200 days. That is not a typo. Attackers frequently live inside environments for months before being detected, often discovered only when they deploy ransomware or a third party notifies the victim.
Ask your provider what their MTTD and MTTR benchmarks are. If they cannot answer this question with a number, they are not measuring it, and if they are not measuring it, they do not know how quickly threats are being identified in your environment.
3. Are They Doing Proactive Threat Hunting or Just Responding to Alerts?
Alert response and threat hunting are not the same activity. Alert response means: a tool generates a notification and a technician investigates it. Threat hunting means: an analyst actively goes looking for indicators of compromise that have not yet triggered an alert.
Most managed IT providers do the former. Very few do the latter, because threat hunting requires dedicated security analysts and purpose-built tooling. It is also where you find the threats that bypassed your detection stack.
If your provider's security process starts when an alert fires, they are not catching the things that were designed to avoid your alerts.
4. Have They Conducted an Essential Eight Assessment of Your Environment?
If your IT provider has not done a formal ASD Essential Eight assessment of your environment, you do not have a baseline. You do not know which controls are in place, which are partially implemented, and which are missing entirely. You are managing risk you cannot see.
A proper Essential Eight assessment is not a questionnaire. It involves reviewing actual configurations, testing whether controls are enforced rather than just enabled, and verifying that the maturity level claimed reflects what is actually happening in the environment. Ask for the assessment report. If there is not one, ask when it will be done.
5. What Happens When a Threat Is Detected? Walk Me Through the Process.
This question reveals more than almost anything else. A provider with a real incident response capability will be able to describe their process specifically: who is notified, in what order, what the containment steps look like, how long isolation takes, and what the communication protocol to your leadership team is.
A provider without that capability will give you a vague answer about escalating to their team and following up with you. Vague answers in this context are meaningful data.
Incident response is not something you want to be designing for the first time during an active incident.
6. Are They Patching Applications and Operating Systems to ASD-Recommended Timeframes?
The ASD's guidance for internet-facing applications is 48 hours for critical vulnerabilities. For operating systems, it is 48 hours for extreme-risk vulnerabilities, and two weeks for everything else.
Most managed IT environments patch monthly, sometimes quarterly. The gap between "we patch regularly" and "we patch to ASD-recommended timeframes" is the gap that attackers operate in. Ask for the patch compliance report for your environment. Look at how long critical vulnerabilities are sitting unpatched.
If your provider is patching on a monthly cycle and calling it current, that is not current. That is a 30-day open window for known exploits, every month.
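Added example (not from the article): a small checker that scores a patch report against the timeframes quoted above, so the "monthly cycle versus 48 hours" gap becomes a number rather than an argument. The report format, host names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Timeframes as quoted in the article: 48 hours for critical vulnerabilities in
# internet-facing applications, 48 hours for extreme-risk operating system
# vulnerabilities, two weeks for everything else.
ASD_WINDOWS = {
    ("application", "critical"): timedelta(hours=48),
    ("os", "extreme"): timedelta(hours=48),
}
DEFAULT_WINDOW = timedelta(days=14)


@dataclass
class PatchRecord:
    host: str
    asset_type: str              # "application" (internet-facing) or "os"
    severity: str                # "critical", "extreme", "high", "low", ...
    available: datetime          # when the vendor patch became available
    patched: Optional[datetime]  # None means still unpatched


def allowed_window(rec: PatchRecord) -> timedelta:
    return ASD_WINDOWS.get((rec.asset_type, rec.severity), DEFAULT_WINDOW)


def evaluate(records, now: datetime):
    """Flag every record whose exposure exceeds its ASD window.

    Exposure runs from patch availability to the patch date, or to `now`
    for anything still open, so an unpatched item keeps accruing days."""
    overdue = []
    for rec in records:
        exposure = (rec.patched or now) - rec.available
        if exposure > allowed_window(rec):
            overdue.append((rec.host, exposure.days, rec.patched is None))
    return {"total": len(records), "overdue": overdue}


# Constructed sample report (hypothetical hosts and dates), shaped like what a
# provider on a monthly patch cycle would produce.
NOW = datetime(2026, 3, 31)
SAMPLE = [
    PatchRecord("web01", "application", "critical", datetime(2026, 3, 1), datetime(2026, 3, 28)),
    PatchRecord("srv02", "os", "extreme", datetime(2026, 3, 10), datetime(2026, 3, 11)),
    PatchRecord("app03", "application", "high", datetime(2026, 3, 1), None),
    PatchRecord("srv04", "os", "low", datetime(2026, 3, 15), datetime(2026, 3, 25)),
]

if __name__ == "__main__":
    for host, days, still_open in evaluate(SAMPLE, NOW)["overdue"]:
        print(f"{host}: {days} days exposed{' (still unpatched)' if still_open else ''}")
```

Note that web01 was patched, yet still shows as 27 days over a 48-hour window: "patched in the monthly run" and "patched to timeframe" are different claims.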
7. Is Multi-Factor Authentication Enforced Across All Remote Access and Privileged Accounts?
MFA being "available" is not the same as MFA being enforced. Ask whether MFA is mandatory for all remote access to your environment, all administrative accounts, and all cloud service access including Microsoft 365, email, and any line-of-business applications.
Then ask whether legacy authentication protocols are blocked. Legacy authentication bypasses MFA entirely. If your environment still allows basic authentication, IMAP, or POP3 connections to Microsoft 365, MFA is protecting significantly less than you think it is.
This is one of the most common gaps we find in assessments, and it is one of the easiest to close.
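Added example (not from the article): a check that runs over Microsoft 365 sign-in records and reports which accounts are still successfully authenticating with legacy clients, which is the evidence you want before and after the block is put in place. It assumes the Entra ID sign-in log shape, where the client type is in `clientAppUsed` and a zero `status.errorCode` means success; the records themselves are constructed, not real log data.

```python
import json

# Modern-auth client labels in Entra ID sign-in logs (assumption: these two are
# the only labels that go through MFA-capable flows; everything else, such as
# IMAP4, POP3, Authenticated SMTP or Exchange ActiveSync, is legacy).
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def legacy_signins(jsonl: str):
    """Summarise legacy-protocol sign-ins from newline-delimited sign-in records.

    Returns the successful legacy sign-ins (user, client) and a count of
    failed ones; a burst of failures on IMAP/POP3 is itself worth a look."""
    successful, failed = [], 0
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        client = rec.get("clientAppUsed", "Unknown")
        if client in MODERN_CLIENTS:
            continue
        if rec.get("status", {}).get("errorCode", 1) == 0:
            successful.append((rec["userPrincipalName"], client))
        else:
            failed += 1
    return {"successful": successful, "failed": failed}


# Constructed sample records (hypothetical tenant, users and timestamps).
SAMPLE_LOG = """
{"createdDateTime": "2026-03-14T02:10:11Z", "userPrincipalName": "alice@example.com.au", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"createdDateTime": "2026-03-14T02:12:40Z", "userPrincipalName": "alice@example.com.au", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"createdDateTime": "2026-03-14T02:13:05Z", "userPrincipalName": "bob@example.com.au", "clientAppUsed": "POP3", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-03-14T02:15:30Z", "userPrincipalName": "svc-scanner@example.com.au", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}}
{"createdDateTime": "2026-03-14T02:16:02Z", "userPrincipalName": "carol@example.com.au", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
"""

if __name__ == "__main__":
    summary = legacy_signins(SAMPLE_LOG)
    for user, client in summary["successful"]:
        print(f"legacy sign-in succeeded: {user} via {client}")
    print(f"failed legacy attempts: {summary['failed']}")
```

Every line in `successful` is an account for which MFA was not in the path at all; the service account on SMTP is the typical one that gets forgotten when the block is finally switched on.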
8. How Are Administrative Privileges Managed in Your Environment?
Admin credentials are the target in almost every intrusion that escalates beyond initial access. If attackers get administrative credentials, they can move laterally, exfiltrate data, deploy ransomware, and establish persistence at will.
Ask how many accounts in your environment have domain admin or local admin rights. Ask how that list is reviewed and validated. Ask whether your day-to-day IT provider staff are working from admin accounts routinely. Ask whether privileged access workstations are used for high-privilege tasks.
Environments where admin rights are distributed liberally and managed informally are environments where a single compromised credential has catastrophic potential.
9. Do They Have Cyber Liability Insurance and a Formal Incident Response Retainer?
This question matters for reasons beyond the obvious. A provider with cyber liability insurance and a formal incident response capability has made an active investment in being prepared for security incidents. One without it has not.
It also matters for your own insurance. Your cyber liability policy may have specific requirements around how incidents are detected, documented, and reported. If your provider does not have a formal IR process, there is a real risk that a claim gets complicated.
Ask what their incident response procedure is and whether they have a retainer with a specialist IR firm or handle it in-house. Ask what their obligations are to notify you and what the documentation process looks like.
10. When Did They Last Recommend Something You Did Not Ask For?
This is the qualitative question, and in some ways the most important one.
A provider who is genuinely on top of your security posture will proactively bring things to your attention. New threat intelligence relevant to your industry. A configuration gap they found during routine work. A change in the threat landscape that affects how you should be thinking about a specific control.
If every security recommendation your IT provider has made in the last 12 months came in response to something you asked about, or as a line item on a renewal invoice, they are not running a proactive security function. They are waiting for you to define the scope.
Proactive protection means someone is thinking about your exposure before you are. If that is not happening, you are not getting what you are paying for.
The Honest Summary
None of these questions are tricks. They are baseline expectations for any provider positioning themselves as responsible for your cybersecurity outcomes. A capable provider should be able to answer all of them clearly, with specifics.
If you work through this list and find significant gaps, that is useful information. It does not necessarily mean you need to change providers. It does mean you need an honest conversation about what your current arrangement covers and what it does not, so you can make an informed decision about your actual risk exposure.
If you want an independent view of where your environment sits, Stealth Cyber offers cyber risk assessments for Australian SMBs. No sales pitch. Just a straight read on what you have and what you are missing.
Want an Independent View?
Take our free self-assessment for an instant score, or speak with our team about a full review of your environment. No obligation, no jargon.