5 Questions Your MSP Should Be Able to Answer (But Probably Can’t)
You’re paying thousands of dollars every month for IT services. Your MSP handles your email, manages your servers, and supposedly keeps you secure. But here’s an uncomfortable question: Can you actually verify they’re doing what you’re paying for?
Most business owners can’t. They trust their MSP because tickets get answered and systems mostly work. But trust without verification is how businesses end up like the architecture firm that discovered—after a server crash—that their backups hadn’t worked in three years.
Here are five questions every MSP should be able to answer immediately. If yours can’t, it’s time to have a serious conversation.
1. “When was the last time you tested restoring our data?”
Why this matters: Backup software can report “success” even when backups are completely broken. The only way to know your data is recoverable is to actually try restoring it.
What you should hear: A specific date within the last 90 days, plus documentation or screenshots proving the restore worked. Professional MSPs test restores quarterly and keep records.
Red flags:
- “Our monitoring shows backups are running fine”
- “We’ll test it if you want us to” (it should already be done)
- Can’t provide a specific date or documentation
- Says testing isn’t necessary because the dashboard is green
Why MSPs avoid this: Testing restores takes time and doesn’t generate billable hours. It’s easier to trust the monitoring dashboard and hope nothing goes wrong.
Real cost of skipping this: One architecture firm lost $185,000 when their server crashed and “three years of successful backups” turned out to be completely empty. The MSP had never tested a single restore.
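A restore test of the kind described above, as an added example that is not part of the original article or any vendor's tooling. It assumes the backup is a tar archive and that a manifest of SHA-256 hashes was recorded from the live data at backup time; the function names are hypothetical. An empty or unreadable archive fails the test even though the backup job itself reported success.

```python
import hashlib
import os
import tarfile
import tempfile

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(source_dir):
    """Record {relative path: sha256} of the live data at backup time."""
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, source_dir)] = sha256_file(full)
    return manifest

def restore_test(archive_path, manifest):
    """Restore into a scratch directory and check every file against the manifest."""
    report = {"ok": False, "restored": 0, "missing": [], "corrupt": []}
    with tempfile.TemporaryDirectory() as tmp:
        scratch = os.path.realpath(tmp)
        try:
            with tarfile.open(archive_path) as tar:
                for member in tar:
                    target = os.path.realpath(os.path.join(scratch, member.name))
                    # Regular files only, and never outside the scratch directory.
                    if not member.isfile() or not target.startswith(scratch + os.sep):
                        continue
                    os.makedirs(os.path.dirname(target), exist_ok=True)
                    with open(target, "wb") as out:
                        out.write(tar.extractfile(member).read())
        except (tarfile.TarError, OSError) as exc:
            return dict(report, error=str(exc))
        for rel, expected in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.isfile(restored):
                report["missing"].append(rel)
            elif sha256_file(restored) != expected:
                report["corrupt"].append(rel)
            else:
                report["restored"] += 1
    # A backup with nothing in it must fail here, whatever the dashboard says.
    report["ok"] = bool(manifest) and report["restored"] == len(manifest)
    return report
```

The returned report, stored with the date it was produced, is the kind of record a restore test should leave behind.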
2. “Can you show me who has access to our confidential files?”
Why this matters: File permissions drift over time. People change roles, employees leave, systems get migrated, and suddenly everyone can access files that should be locked down.
What you should hear: An immediate answer, or “let me pull up the report—I have it right here.” They should be able to show you exactly who can access your HR folder, financial data, or any other confidential directory.
Red flags:
- “I’d have to log in and check” (means they’re not monitoring this)
- “Only people who need access have it” (vague and unverifiable)
- Can’t produce documentation quickly
- Haven’t audited permissions in over 6 months
Why MSPs avoid this: Setting up proper permission structures takes expertise and ongoing maintenance. It’s technically complex and doesn’t create visible value until something goes wrong.
Real cost of skipping this: A professional services firm discovered—via anonymous employee email—that their “confidential” salary spreadsheet had been visible to all 60 employees for 18 months. Three employees quit, the HR manager resigned, and company culture never recovered.
3. “How quickly can you disable access for a terminated employee?”
Why this matters: When you fire someone, every minute they retain system access is a security risk. A disgruntled employee with three hours of access can cause devastating damage.
What you should hear: “Within 15 minutes, 24/7.” They should have a documented procedure and the capability to respond immediately, even after hours.
Red flags:
- “We’ll get to it by end of business day”
- “During business hours, we can usually do it same-day”
- No documented offboarding procedure
- Can’t explain what systems they’d disable or in what order
Why MSPs avoid this: Immediate response requires staffing, documentation, and potentially after-hours availability. It’s easier to handle terminations during normal business hours when convenient.
Real cost of skipping this: A manufacturing company called their MSP at 2:15 PM to disable a terminated employee’s access. By 5:00 PM—when the MSP “got to it”—the employee had deleted 187 critical CAD files, customer databases, and production schedules. Recovery cost: $92,000 plus 6 weeks of disruption.
4. “What’s our current IT security posture and biggest vulnerabilities?”
Why this matters: Security isn’t static. New vulnerabilities emerge constantly. Your MSP should proactively identify and address risks before they become incidents.
What you should hear: A clear assessment of your current security, known vulnerabilities, and a prioritized plan to address them. They should mention recent security assessments, patch status, and any concerning findings.
Red flags:
- “Everything looks good” (without specifics)
- “We’d need to run an assessment” (they should be doing this regularly)
- Can’t name your three biggest security risks right now
- Haven’t discussed security proactively in over a year
Why MSPs avoid this: Security assessments reveal problems that require work to fix. Some MSPs prefer not to surface issues unless directly asked, especially if they’re behind on patches or updates.
Real cost of skipping this: Security breaches are expensive, but the average isn’t meaningful—your cost depends on your specific situation. What matters is whether you’re managing known risks or ignoring them until they become incidents.
5. “Can you show me what we’ve accomplished together this year?”
Why this matters: Your MSP relationship should be strategic, not just reactive ticket resolution. You should see measurable progress on security, efficiency, and capability.
What you should hear: Specific accomplishments: systems upgraded, security improvements implemented, projects completed, risks mitigated. They should have metrics showing ticket resolution times, uptime, and other performance indicators.
Red flags:
- “We’ve kept everything running smoothly” (too vague)
- Can’t point to specific improvements or projects
- No quarterly business reviews in the past year
- Relationship is purely reactive—you call, they respond
Why MSPs avoid this: Strategic relationships require planning, documentation, and proactive communication. It’s more work than just answering tickets. Some MSPs don’t want to be measured because it reveals they’re not delivering much beyond basic maintenance.
Real cost of skipping this: You might be paying for “comprehensive IT services” while receiving only reactive ticket support. Without strategic planning and measurable progress, you’re not getting full value from your investment.
What to Do Next
If your MSP can’t answer these five questions confidently with documentation, you have three options:
1. Have a direct conversation. Send them this article and ask them to address each question. A good MSP will welcome the accountability. A mediocre one will get defensive.
2. Demand better documentation and reporting. Tell them you want monthly reports, quarterly business reviews, and regular test results. Professional MSPs already provide this. It shouldn’t be a difficult request.
3. Consider whether it’s time to switch. If your MSP can’t answer basic questions about security, backups, and access controls, they’re not managing your IT—they’re just reacting to problems. You deserve better.
The Bottom Line
Trust your MSP, but verify they’re doing what you’re paying for. These five questions aren’t gotchas—they’re basic accountability any professional IT service provider should handle easily.
If yours can’t answer them, that’s not a sign you’re being too demanding. It’s a sign you’re not getting what you’re paying for.

