Crucial Cloud Security Questions to Ask Your MSP

Data Security and Management is one of the most critical services to consider from your Managed Service Provider. Typically, bringing the appropriate level of expertise in-house will be expensive – if it isn’t, they may lack experience, knowledge and ongoing currency. These questions will assist you in selecting an MSP that truly understands your business requirements and will cover your risk sustainably and cost-effectively.

Do you cover the Essential Eight?

The Australian Signals Directorate and the Australian Cyber Security Centre have published the Essential Eight strategies as a baseline for mitigating cyber security incidents including for used cloud services. If your MSP can’t answer “Yes” to any of these questions, don’t go any further:

  1. Do you whitelist applications to allow only approved or trusted programs to run on my system?
  1. Do you configure Microsoft Office macro settings to only allow macros that are ‘vetted’ or from ‘trusted locations’ to run?
  1. Do you patch applications like browsers, MS Office, Java, Flash and PDF viewers within 48 hours so that security remains current?
  1. Do you harden user applications to block flash, ads and java on the internet and disable unneeded features of applications?
  1. Will you restrict administrator privileges to operating systems and applications based on the user’s duties and need, and review them regularly? This includes ensuring that user accounts with administrator privileges are not used for reading email and browsing the web. 
  1. Will you patch or mitigate risks on computers and network devices with ‘extreme risk’ vulnerabilities within 48 hours, and use the latest version of our operating system?
  1. Will you use multi-factor authentication on remote access points, for all users performing privileged actions or accessing important information?
  1. Will you take daily backups, and test them, so we can re-build our systems quickly after a cyber incident?

Additional process and operational questions

The Essential Eight questions give rise to some more business-related questions which will help you to understand how well your MSP will get to know your business and the cyber security services it needs. The hint here is that you want your MSP to know your business well – they’re your partner.

  1. Do you encrypt all the traffic between client and cloud?
  1. How is our data and traffic kept separate from the data of other users of your service?
  1. How will you notify us of security breaches, and how do we notify you if we suspect one?
  1. Will you get to know my business and what it does, so that you can understand people’s job functions and the IT requirements that flow from those?
  1. Are you adaptable enough to accommodate the needs of all my users, including those who need administrator privileges, access to macros and other features that you typically lock out?
  1. Which security tasks must we (the client) manage, and which will you manage on our behalf?
  1. Can you train our staff in how to avoid phishing attacks and other exploits?
  1. Do you monitor for malicious attacks, and how quickly can you secure the system?
  1. How quickly can you re-build our system if it is taken down by a malicious attack?

Further validation questions to reinforce the MSP’s performance

An independent assessment is always a strong endorsement, and an ISO certificate is hard to beat. Distance between staff can influence response times and quality.

  1. Can you provide independent evidence of your security performance, such as an ISO 27001 Information Security certification?
  1. Where is your data centre located?
  1. Where is your helpdesk located, and how far is that from technical support staff?
  1. How will your maintenance on your systems affect our service?

Questions unique to your business

Your business will also have its own specific questions, for example

  1. Can you meet the requirements imposed on us by external regulators? For example, ISO certification bodies, financial, medical or other regulators?

Questions about ending the relationship

It’s always good to start out knowing what will happen if you must end things.

  1. What if you fail to meet your obligations?
  1. How do we safely extract our data from your systems if we move to a new MSP?
  1. How will you destroy any data we need to delete from your system?

Other non-security questions to consider

  1. Who owns the data we store on your systems?
  1. What professional services can you offer to help grow our business?
  1. What functions do you outsource to other providers?

Finally, give them a chance to shine

  1. What sets you apart from other MSPs?

When it comes down to it, you are outsourcing to your MSP a function that would otherwise be part of your business, so the MSP must work as closely with you as if it were part of your business. Your MSP should be as responsive as if it is in the same building as you.

Most importantly, your MSP should offer better security than anything you can muster in-house.

If your IT solutions aren’t delivering value, get in touch with us today.


Register for an initial online discussion over Zoom, phone, or in person. And let’s find out where your business most needs our award-winning services and support.

By analysing your specific needs and priorities, we’ll give you a realistic and practical recommendation on what’s required to accelerate your modern architecture.

Our Senior Consultants will help you evaluate and understand your options, so you can make decisions that benefit both your business and your employees, while mitigating unnecessary risk.​

Combining Strategy, Transformation, Management and Optimisation, we identify and remove the obstacles to a successful outcome, before you even know they’re there.​

Step 1: Recap and review

Together we’ll examine the steps you’ve already taken in IT procurement and review the parameters for the architecture planning you’ll need in place going forward.

Step 2: Shape the

Future planning for optimal performance, focusing on effective communication and collaboration, device lifecycle and configuration management and security.

Step 3: Identify your requirements

This is where we clearly identify the steps you need to have in place to develop your Strategic Technology Roadmap to create a Modern Dynamic Workplace. 

Step 4: Get the

You’ll receive a high-level report with our recommendations to accelerate your modern architecture, and the next steps for delivering your Strategic Technology Roadmap.

We’ll get you there. Faster.

With a high-level plan in place, you’ll have a clear understanding on the business case, benefits, and high-level budget considerations for your technology platform to accelerate your modern architecture. And you’ll be ready to leverage the Cloud to deliver the services and applications your teams need.


Find out what a great MSP relationship should be delivering.

How successful was your business transition to a remote workforce during the COVID crisis? Read how the National Breast Cancer Foundation was able to transition to a remote workforce environment almost overnight, and with 93% employee satisfaction.


Is Your MSP Giving You Solutions or Problems During COVID-19? 5 Key Signs of Insufficient Management

There’s nothing like a one in 100-year pandemic to test how your IT operations are performing and how prepared you are for change.