Here's a scene that plays out in Australian businesses every day: the owner knows they should be doing more about cybersecurity, they have an IT provider or MSP handling their systems, but they have no idea what security is actually in place. When they ask, they get answers full of jargon that sound reassuring but don't actually mean anything.
This guide is for you, the business owner or manager who isn't technical but needs to have a real, productive conversation about cybersecurity with the people you're paying to manage your IT.
Start with the Right Mindset
You don't need to understand how everything works. You need to understand what's in place and what isn't. Think of it like talking to your accountant. You don't need to know tax law, but you need to know if your BAS is lodged.
Your IT provider should be able to explain your security posture in terms you understand. If they can't, or won't, that's a red flag.
Come Prepared
The best conversations start with a clear picture of where you are. Running a self-assessment before the meeting gives you specific questions to ask instead of vague "are we secure?" conversations that go nowhere.
Run Eito's free assessment and download the PDF report before your meeting. It gives you a strategy-by-strategy breakdown that your IT provider can immediately act on.
Questions to Ask
Here are specific, plain-English questions that will get you real answers:
About MFA
- "Is multi-factor authentication turned on and enforced for every account that accesses our email and cloud services, not just available to people who choose to set it up?"
- "Are there any admin accounts that don't have MFA? Why not?"
- "What type of MFA are we using: SMS codes or an authenticator app?" (SMS codes are better than nothing, but they can be intercepted, for example through a SIM swap. An authenticator app is stronger, and a hardware security key or passkey is stronger still.)
About Updates and Patching
- "How quickly do you apply security patches after they're released?" (The Essential Eight measures this in days and weeks, not months, with the shortest timeframes for critical fixes to internet-facing systems.)
- "Are there any systems or applications that are no longer supported or receiving updates, such as an old Windows version or software the vendor has stopped maintaining?"
- "Can you show me a report of our patch status?"
About Backups
- "How often is our data backed up?"
- "Where are the backups stored? Is at least one copy offline or otherwise unreachable from our network, so that ransomware that gets into our systems can't encrypt the backups too?"
- "When was the last time you tested a restore? Can you show me the results?"
- "If we got hit by ransomware today, how long would it take to get back up and running?"
About Access and Permissions
- "How many people have admin access to our systems?"
- "Do the people who administer our systems use a separate admin account for that work, rather than the same account they use for email and day-to-day browsing?"
- "When someone leaves, how quickly is their access removed?"
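Most providers can export the raw evidence behind these questions (an account list with MFA status, a patch report, the date of the last restore test). The following Python script is an added illustration, not part of the original guide and not Eito's assessment tool: it turns constructed sample exports into the kind of specific, numeric answers the questions above are looking for. The CSV column names, the patch timeframes and the 90-day restore-test threshold are assumptions; adjust them to match what your provider actually exports and what your agreement actually says.

```python
"""Turn IT-provider exports into specific answers to the questions above.

Added example, not from the original guide. Column names, patch windows and
the restore-test threshold are assumptions for illustration only.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample exports (not real client data).
ACCOUNTS_CSV = """user,is_admin,mfa_method
alice@example.com.au,yes,app
bob@example.com.au,no,sms
carol@example.com.au,yes,none
dave@example.com.au,no,app
msp-admin@example.com.au,yes,sms
"""

PATCHES_CSV = """host,patch,severity,released,applied
fileserver01,KB-A,critical,2024-05-01,2024-05-02
fileserver01,KB-B,important,2024-05-01,
workstation07,KB-A,critical,2024-05-01,2024-05-09
mail-gateway,KB-C,important,2024-04-01,2024-04-10
"""

# Assumed maximum days from release to applied, loosely modelled on the
# Essential Eight (hours for critical fixes, weeks for the rest). Replace with
# the timeframes written into your own agreement.
PATCH_WINDOW_DAYS = {"critical": 2, "important": 14, "moderate": 30, "low": 30}
RESTORE_TEST_MAX_AGE_DAYS = 90  # assumed threshold for "tested recently"


def mfa_summary(csv_text):
    """Answers: how many accounts have MFA, which admins don't, who is on SMS."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return {
        "total": len(rows),
        "covered": sum(1 for r in rows if r["mfa_method"] != "none"),
        "admins_without_mfa": [r["user"] for r in rows
                               if r["is_admin"] == "yes" and r["mfa_method"] == "none"],
        "sms_only": [r["user"] for r in rows if r["mfa_method"] == "sms"],
    }


def overdue_patches(csv_text, today):
    """Patches applied after their window, or still missing as of `today`.

    Returns (host, patch, days_past_due, still_missing) tuples.
    """
    overdue = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        released = date.fromisoformat(r["released"])
        due = released + timedelta(days=PATCH_WINDOW_DAYS[r["severity"]])
        applied = date.fromisoformat(r["applied"]) if r["applied"] else None
        finished = applied or today  # an unapplied patch is still "in progress"
        if finished > due:
            overdue.append((r["host"], r["patch"], (finished - due).days, applied is None))
    return overdue


def restore_test_status(last_restore_test, today):
    """Age of the last tested restore in days, and whether that is too old."""
    age = (today - last_restore_test).days
    return age, age > RESTORE_TEST_MAX_AGE_DAYS


def report(accounts_csv, patches_csv, last_restore_test, today):
    """Plain-English lines you could read out in the meeting."""
    m = mfa_summary(accounts_csv)
    lines = [f"MFA: {m['covered']} of {m['total']} accounts covered."]
    if m["admins_without_mfa"]:
        lines.append("Admin accounts WITHOUT MFA: " + ", ".join(m["admins_without_mfa"]))
    if m["sms_only"]:
        lines.append("Accounts still on SMS codes: " + ", ".join(m["sms_only"]))
    for host, patch, late, missing in overdue_patches(patches_csv, today):
        state = "still not applied" if missing else "applied late"
        lines.append(f"Patch {patch} on {host}: {state}, {late} day(s) past due.")
    age, too_old = restore_test_status(last_restore_test, today)
    lines.append(f"Last tested restore: {age} days ago"
                 + (" (overdue, schedule one)." if too_old else "."))
    return lines


if __name__ == "__main__":
    for line in report(ACCOUNTS_CSV, PATCHES_CSV, date(2024, 1, 15), date(2024, 5, 20)):
        print(line)
```

Run it as-is to see the sample output; in practice you would point it at the files your provider exports. The useful part is the shape of the answers it produces: a count rather than "we've got MFA sorted", a named list of admin accounts without MFA, and a number of days since a restore was last proven to work.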
What Good Answers Sound Like
A good IT provider will answer clearly, specifically, and without getting defensive. Here's what to listen for:
- Specific numbers, not vague reassurance: "All 12 accounts have MFA" vs "Yeah, we've got MFA sorted."
- Honesty about gaps: "We haven't tested a backup restore in six months. Let's schedule one" is a much better answer than "It's all fine."
- Willingness to show evidence: reports, dashboards, logs. If they can't show you proof, it might not be happening.
- Clear responsibility: who is responsible for what? What's included in your agreement and what's not?
Red Flags to Watch For
- "You don't need to worry about that." You're paying them to worry about it, but you still need to understand it.
- "We've got it covered" without specifics. Covered how? Prove it.
- Resistance to the Essential Eight framework. It's the Australian government's baseline for mitigating cyber incidents, published by the Australian Cyber Security Centre. Any reputable provider should know it and welcome the conversation.
- No written documentation of what's in place. If it's not documented, it doesn't exist.
- Defensiveness when you ask questions. Good providers welcome informed clients.
Sharing Your Assessment Results
If you've run a self-assessment, share the PDF report with your IT provider. It gives both of you a shared language and a clear list of gaps. Frame it as a starting point for conversation, not an accusation.
Try something like: "I've done a self-assessment against the Essential Eight framework. Here's what it flagged. Can we go through it together and figure out what we need to address?"
Most IT providers appreciate clients who come prepared. It saves them time on discovery and lets them focus on actually fixing things.
After the Conversation
- Get a written summary of what's in place and what needs fixing.
- Ask for a timeline and cost estimate for closing the gaps.
- Agree on who is responsible for each control: you or them.
- Schedule a follow-up in 3 months to check progress.
- Reassess in 6 months to see how your posture has improved.
The Bottom Line
You don't need to become a cybersecurity expert. You just need to ask the right questions and expect clear answers. The Essential Eight gives you a framework for that conversation, and a self-assessment gives you the specific details to make it productive.
Your IT provider is your partner in this, but you're the one accountable for your business. Take 15 minutes to understand where you stand, and the conversation practically writes itself.
