12 Difficult Questions MSPs Must Answer

By Lily January 24, 2022


Customers ask questions, and that’s a good thing. It’s even better when you have the answer they need at the ready.

As an MSP, there are many challenging questions that customers and prospects will present to you. Today’s customers are more concerned about cybersecurity than ever.

A startling 70% of consumers will stop doing business with a company after a cyberattack, which means it’s a safe bet that some of those questions will be related to security. MSPs need to provide answers that boost consumer confidence, particularly in this area.

Let’s look at a dozen tough questions that dig deep at the underlying cybersecurity skillset of your organization.

Being prepared with answers to these questions directly impacts how your organization presents itself and might make the difference in closing the deal.

Spoiler: Number 10 is ESSENTIAL. Not having an answer to this question may put you out of business.

Question 1: Do you have trained, certified subject matter experts in cybersecurity?

This question speaks to the core competency of your MSP organization concerning cybersecurity.

Many MSPs have expertise in areas of technical support and administration but are woefully unskilled in cybersecurity. With how critical cybersecurity is in general IT operations, this is a dangerous oversight.

This also plays a role in whether your business can achieve security accreditation from an organization like CompTIA, such as its Security Trustmark+ rating.

Question 2: Are you using best-of-breed tools to monitor their systems and yours?

The quality of your toolset speaks loudly about the quality of your service.

To a customer, if you are using substandard or low-quality tools for monitoring, you are likely not observing everything. This can lead to outages and downtime that you could have avoided. 

Question 3: Do you reasonably limit access of their personnel to only those tasks you are required to complete?

This question directly targets whether your organization understands and implements the principle of least privilege. This is highly important for any organization that deals with sensitive data.

With the advent of the General Data Protection Regulation (GDPR), sensitive data is no longer limited to healthcare or financial data but includes personal information.

Question 4: Do you continuously monitor and patch their tools to the latest versions so hackers cannot exploit security holes?

Automated patch management processes are part of “Systems Administration 101,” and whether you have formalized processes or automation in place tells a customer about your MSP’s maturity level.

Question 5: Do you implement Multi-Factor Authentication across their entire network?

The utilization of MFA is no longer just a recommendation. According to Microsoft, it is a critical piece of security infrastructure as it can prevent 99.9% of account attacks.

Customers interested in protecting their data understand this and know that you will provide this for them. 

Question 6: Does their internal security provide multiple layers to thwart hackers who may have made it through one layer?

The layered approach to security is considered a foundational piece of cybersecurity. It is assumed that attackers will break a control at some point, so having multiple layers is crucial.

Whether your company understands this and delivers on it conveys a strong message to customers about your ability to secure their data. 

Question 7: Do you create enough isolation of their systems so a compromised system cannot affect others?

Much like the previous questions, answering this requires showing that you understand it and have delivered on it in the past for other customers. It is also intended to gauge your security maturity as an MSP. 

Question 8: Do you have a formal process in place should an incident occur?

It is straightforward as an MSP to simply answer yes and move forward, but this is an opportunity to show your capabilities.

Have a prepared explanation for what steps are in your process, what types of incidents you address, and what data or systems are included. This can help customers feel confident that their data will be protected and recoverable.

Question 9: Do you have a security training program for your personnel?

Much like the certification question above, this question is meant to determine how ingrained security is in your MSP culture.

It can convey that you take the time to improve the security skills of your technicians so that their skillset is current.

Question 10: Do you work for clients that require compliance under HIPAA, NIST/CMMC, SOX, GDPR, and PCI?

This is a question that is not to be answered without thoroughly examining your MSP capabilities. Even basic customer endpoints are likely to contain sensitive data and have to adhere to compliance mandates.

Saying yes to this means that your MSP has technicians with security skills and, as an organization, can deliver on data security measures for the customer.  

Question 11: Do you have an accredited third party test their security from outside and inside attacks?

Even though many customers will not require this, having an established relationship with a third-party tester that you have worked with before is essential, especially for showing Payment Card Industry Data Security Standard (PCI DSS) compliance.

It shows the customer that you have the experience to liaise with a penetration testing team throughout the engagement if needed.

Question 12: Do you have a complete set of security policies that your organization follows consistently?

This question again looks at the maturity of your organization and its ability to deliver on the customer’s day-to-day security needs.

Answering yes to this can assure the customer that your company has taken the time to consider the security implementation related to your business practices and delivers in a repeatable manner rather than one-offs.

Being Prepared

By thinking about these questions in advance, you may have discovered some details about your service that you had not considered before.

Taking the time to consider whether your MSP can deliver on these questions allows you to make improvements before a customer asks you a difficult question.

Even if the answer is that you cannot provide what is asked, being prepared for it will enable you to shine rather than stumble in your response.
