Many small businesses rely on an MSP, IT provider, or internal IT generalist to keep systems running. That relationship is important. But cybersecurity decisions often require a different set of questions than day-to-day technology support.

Small-business research from sources including CrowdStrike, Guardz, and the UK Cyber Security Breaches Survey shows that SMBs often rely on third-party guidance, owners, or untrained internal staff for security decisions. The goal is not to replace existing IT support. The goal is to ask better questions, clarify ownership, and make sure the business can prove the controls customers, insurers, and leaders care about.

1. Are all administrator accounts protected with MFA?

Administrator accounts are high-value targets. Ask which accounts have administrator rights, whether MFA is enforced, whether shared admin accounts exist, and how admin access is removed when someone changes roles or leaves.

2. Are backups tested with real restores?

It is not enough to know backups run. Ask when the last restore test happened, what data was restored, how long recovery took, and which systems would be restored first after ransomware or a destructive mistake.

3. Who receives suspicious email reports?

Employees need a clear place to send suspicious emails, links, payment requests, and account prompts. Ask who reviews reports, how quickly they are triaged, and what happens when multiple employees report the same message.

4. What happens in the first hour of ransomware or account takeover?

Ask who isolates affected systems, who disables accounts, who contacts leadership, who preserves logs, who calls insurance or legal counsel, and who communicates with customers if needed. If the answer is informal, the business should create a first-hour playbook.

5. Which controls are enforced versus only written in policy?

A written policy is useful, but customers and insurers often want evidence that controls are operating. Ask which controls are technically enforced, which are manual, and what evidence exists for MFA, patching, backups, endpoint protection, access reviews, and email security.

6. What logs or alerts are reviewed, and by whom?

Security tools can generate alerts that nobody reads. Ask which alerts are reviewed, who owns them, what counts as urgent, and whether logs would be available after an incident.

7. What evidence can we provide to customers, auditors, or insurers?

Small businesses increasingly face security questionnaires, cyber insurance requests, and customer due diligence. Ask where evidence lives and who can produce it: policies, screenshots, reports, access-review records, backup-test results, vendor reviews, and incident-response plans.

How WCS works alongside MSPs

Walden Cybersecurity Solutions focuses on cybersecurity guidance, prioritization, evidence, and readiness. WCS can help turn MSP and IT-provider answers into a practical roadmap that leadership can fund and teams can execute.

If you are not sure what to ask first, request a Security Snapshot or schedule a cybersecurity consultation.