Talking With Your IT Managed Service Provider About Security
Many organizations, especially nonprofits, rely on IT Managed Service Providers (MSPs) to handle their technology needs. But one of the trends we see is that organizations often don’t have a clear understanding of how their MSP is working to protect them against cyber threats.
This lack of clarity can leave you in an awkward position, with lingering questions like:
How do I know if our MSP is doing the right things to keep us safe?
Who is responsible for security—our MSP, our internal team, or both?
Are we doing everything we can to protect our staff, donors, and beneficiaries?
Cybersecurity isn’t just an IT issue—it’s a leadership issue. Whether your organization already works with an MSP or is considering bringing one on, it’s important to have a direct conversation about security. Asking the right questions will help you understand how they’re implementing best practices, where there are opportunities for improvement, and what responsibilities fall on your organization versus the MSP.
How to Approach the Conversation
Think of this as a vendor evaluation or interview. A good MSP should be able to answer these questions clearly and provide supporting policies or documentation. If they don’t have solid answers, don’t be afraid to ask for more details or clarification. You need to feel confident in their ability to protect your organization.
If you don’t yet have an MSP but are in the process of hiring one, use these questions in your evaluation process to ensure they meet your security expectations.
Key Questions to Ask Your MSP
Data Protection & Backups
How often is our critical data backed up?
Where is the backup stored (third-party service, physical drive, cloud storage)?
Are the backups encrypted?
In an emergency, what is the process for restoring data, and how long does it take?
Tip: Before discussing backups, define what your critical data is (e.g., donor databases, accounting systems, file storage) and where it’s stored (e.g., SharePoint, Google Drive, Salesforce).
Vulnerability & Threat Protection
How do you handle vulnerability patching? What are the timelines for patching critical vulnerabilities?
Do you perform vulnerability scanning or penetration testing on our environment? How often?
How are our organization’s devices protected against malware?
What protections are in place to prevent phishing attacks?
How do you monitor for security-related alerts?
Incident Response & Security Policies
What is your incident response and management process?
Can you share documented security policies and procedures with us?
What security measures are in place for the software we use, both cloud-based (SaaS) and installed on devices?
Security Expertise & Training
Does your company have dedicated security staff, or do you partner with a security-focused organization?
What security training does your team undergo?
How do you ensure our employees are trained on security best practices?
Roles & Responsibilities
What security responsibilities belong to our organization, and what does the MSP handle?
Are there any shared responsibilities we should be aware of?
Does your company hold security certifications or attestations such as ISO 27001 or SOC 2?
Improving Security Together
What are some things we can do as an organization to improve our security posture?
Taking Action
If you walk away from this conversation with confidence in your MSP’s security approach—great! If not, you may need to push for better security measures or reevaluate whether your MSP is the right fit.
At the end of the day, security is a shared responsibility. Whether you rely on an MSP or handle IT in-house, it’s essential to have clear expectations, strong policies, and an ongoing dialogue about security.
By asking the right questions, you’ll gain a better understanding of your organization’s security landscape—and ensure you’re doing everything you can to protect your mission, your people, and your data.
Need Help Having This Conversation?
If you have questions or could use support navigating this discussion with your IT MSP, we’re happy to help—free of charge.
We’ve seen too many nonprofits experience security incidents due to MSP inaction, and we want to support the community. As an independent third-party advocate, we’ll be in your corner, ensuring you get the clarity and security you deserve.
Reach out to us anytime—we’re here to help.