Every business we assess has an IT provider already. Almost none of them are lying about what they do — they keep servers running, resolve tickets, and answer the phone when someone's laptop stops working. That is a real, valuable job. It is also not the same job as defending a business against an attacker who is actively trying to get in.
The confusion is understandable. Managed IT and cybersecurity share a toolbox and, often, a vendor. But they answer different questions. IT asks: is the system available? Security asks: is the system compromised? A provider can score perfectly on the first question while missing the second for months. We see it in almost every Cyber Readiness Assessment we run. Below are the five signs that tell you which question your current provider is actually answering.
011. Success is measured in tickets closed, not intrusions stopped
Ask your provider for last quarter's numbers. If the answer is response times, resolved tickets, and uptime percentages, you are looking at an operations report. A security-literate provider can also tell you how many login attempts were blocked, what unusual behaviour was investigated, and what — if anything — was found and closed. If that second conversation has never happened, nobody has been looking.
022. Multi-factor authentication is “available”, not enforced
Multi-factor authentication is the single highest-leverage control against credential theft, and it is also the control most often left half-deployed. “It's turned on for anyone who wants it” is functionally the same as not having it, because the accounts an attacker wants most — finance, admin, the owner — are exactly the ones people find MFA inconvenient enough to skip. Enforced means enforced: no exceptions, no opt-outs, checked on a schedule.
033. Backups exist. Nobody has restored one.
A backup that has never been test-restored is a belief, not a control. We have opened engagements where the nightly backup job had been silently failing for months, and nobody found out until it was needed. A tested, immutable, offline-capable backup is the difference between a ransomware incident being a bad afternoon or a closed business — and 60% of small businesses that suffer a breach close within six months.
044. Patching happens when someone remembers
Known vulnerabilities are the easiest door for an attacker to walk through, because the fix already exists — somebody just has not applied it yet. “We patch when we get to it” is not a schedule, and an unpatched internet-facing system stays exposed for as long as it takes someone to notice. A managed, monitored patch cadence closes that window before it is found.
055. Nobody can describe what “normal” looks like for your business
The most dangerous intrusions do not look like malware. They look like a legitimate login from an unusual location at 2am, or an account suddenly downloading a decade of client files. Spotting that requires a baseline of what normal looks like for your business, and monitoring that watches for departures from it — not just a virus scanner waiting for a known signature.
“Our previous provider told us we were fine. We found seven ways in within a fortnight.”
None of this makes your current provider dishonest. It makes them what they were engaged to be — and it is worth finding out, in writing, whether anyone has actually verified the five points above for your business. A Cyber Readiness Assessment answers all five in ten business days, whether or not you ever switch providers.
Where this leaves you
Knowing the risk is not the same as knowing your own exposure.
The Cyber Readiness Assessment gives you a written, prioritised answer in ten business days — credited toward your first year if you go further with us.