What to Ask Your MSP About Cybersecurity
Your Managed Service Provider (MSP) is your first line of defence for cybersecurity. But how do you know if they are actually protecting you? Here are the questions you should be asking - and what good answers look like.
Your MSP should help you comply with the NIS2 directive and the CyberFundamentals framework. Ask specifically about their approach to patch management and employee training.
Why Your MSP Is the Right Partner for Cybersecurity
Many SME owners think cybersecurity means buying antivirus software and hoping for the best. In reality, cybersecurity requires ongoing expertise, monitoring, and adaptation. Here is why your MSP is the natural partner for this:
They already know your IT
Your MSP manages your infrastructure daily. They understand your systems, users, and business processes.
Security needs continuous attention
Threats evolve weekly. Your MSP can monitor, patch, and respond faster than an annual consultant visit.
Compliance is becoming mandatory
NIS2 and CyberFundamentals require documented, ongoing security practices - exactly what an MSP can deliver.
Cost efficiency
Hiring a full-time security specialist is not realistic for most SMEs. An MSP spreads that expertise across multiple clients.
Incident response needs speed
When a breach happens, you need someone who can act within hours, not days. Your MSP is already on call.
Integrated approach
Security works best when it is built into your IT management, not bolted on as an afterthought.
Essential Questions to Ask Your MSP
Bring these questions to your next meeting with your IT partner. Their answers will tell you a lot about how seriously they take your security.
Compliance & Frameworks
How do you help us meet NIS2 and CyberFundamentals requirements?
Belgian SMEs increasingly fall under NIS2 scope. Your MSP should know these frameworks and have a plan.
Can you provide documentation and evidence for audit readiness?
Compliance is not just about doing the right things - you need to prove it. Good MSPs generate audit-ready reports.
Protection & Prevention
What layers of protection do you have in place for our systems?
Good security uses multiple layers: endpoint protection, firewall, email filtering, DNS security. One tool is never enough.
How do you handle patching and vulnerability management?
Unpatched systems are the number one entry point for attackers. Your MSP should patch promptly and systematically.
Monitoring & Detection
Do you actively monitor our systems for threats, and how?
There is a big difference between reactive support and proactive threat monitoring. Ask specifically what tools and processes they use.
How quickly would you detect a breach in our environment?
The average time to detect a breach is 204 days globally. A good MSP should significantly beat that with active monitoring.
Incident Response
What is your incident response plan if we get breached?
A written, tested plan matters. Ask to see it. If they do not have one, that is a serious gap.
How do you handle backup and recovery, and when did you last test it?
Backups that are never tested are backups that might not work. Your MSP should test recovery regularly.
What Good vs Bad Answers Look Like
When you ask these questions, here is how to spot the difference between an MSP that takes security seriously and one that does not:
Good answer
We use CyberFundamentals as our baseline framework, map your controls, and generate audit-ready documentation quarterly.
Bad answer
We handle that. Don't worry about it.
Good answer
We run 24/7 endpoint detection and response (EDR) with a security operations centre that escalates alerts within 15 minutes.
Bad answer
We check the antivirus reports when we do our monthly maintenance.
Good answer
Critical patches are deployed within 48 hours. We have a weekly patch cycle for non-critical updates and test before deploying.
Bad answer
We update things when we notice they need updating.
Good answer
Here is our incident response playbook. We tested it last quarter with a tabletop exercise. Our target response time is under 4 hours.
Bad answer
If something happens, call us and we will figure it out.
Good answer
We run 3-2-1 backups with immutable copies. Last recovery test was two weeks ago - here is the report.
Bad answer
Everything backs up to the cloud automatically. It should be fine.
Cybersecurity Services Checklist
A cybersecurity-ready MSP should offer or coordinate most of these services. Use this as a checklist when evaluating your current or prospective IT partner:
Foundation
- Endpoint protection (EDR/XDR) on all devices
- Email security and anti-phishing filtering
- Firewall management and network segmentation
- Patch management with defined SLAs
- Multi-factor authentication (MFA) across all systems
Monitoring & Response
- Active threat monitoring (not just alerts)
- Incident response plan with defined escalation
- Security event logging and retention
- Regular vulnerability scanning
Compliance & Documentation
- CyberFundamentals or ISO 27001 framework mapping
- NIS2 readiness assessment and roadmap
- Audit-ready evidence and documentation
- Security policy templates and guidance
Resilience
- Backup strategy with tested recovery (3-2-1 rule)
- Business continuity planning support
- Security awareness training for employees
- Supplier and third-party risk guidance
Start the Conversation With Your IT Partner
The best time to have this conversation is now - before an incident forces it. Share this article with your MSP or IT partner and use it as a starting point for a productive security discussion. If they welcome the conversation, you are in good hands.
Frequently Asked Questions
What if my current MSP cannot answer these questions?
That does not necessarily mean you need to switch providers immediately. Share your expectations, give them time to develop their security offering, and set a timeline for review. However, if they dismiss your concerns or show no willingness to improve, it may be time to look elsewhere.
How much should MSP cybersecurity services cost?
For Belgian SMEs, expect to pay between EUR 50 and EUR 250 per user per month for comprehensive managed security, depending on the scope of services. This typically includes endpoint protection, monitoring, patching, and compliance support. Compare this to the average cost of a data breach for an SME, which runs into tens of thousands of euros.
Can I handle cybersecurity without an MSP?
Technically yes, but practically it is very difficult for SMEs. Cybersecurity requires specialised, up-to-date knowledge and 24/7 attention. Most SMEs do not have the resources for a dedicated security team. An MSP provides that expertise at a fraction of the cost of hiring in-house.
How often should I review cybersecurity with my MSP?
At minimum quarterly, with a comprehensive annual review. Additionally, schedule a review after any significant change: new systems, new employees, a security incident, or changes in regulations like NIS2 enforcement deadlines.