Is Your IT Provider Not Taking Security Seriously?
By Brent Lacy | RewiredMSP.com
Seventy-five percent of businesses experienced a cybersecurity incident in the past year. If your IT provider is not talking to you about security, that is the most expensive silence in your budget.
Your IT provider is not taking security seriously.
They might be good at keeping the servers running. They might respond quickly when your email goes down. They might even do a decent job of patching Windows on schedule.
But when was the last time they sat down with you and explained your actual risk posture? When was the last time they showed you the threats they blocked this month? When was the last time they tested whether your security tools actually work?
If you cannot remember, that is a problem.
I have spent thirty years in this industry. I have walked into hundreds of businesses that thought they were protected because they had an MSP. And I have seen what happens when that MSP was focused on uptime but not on security. The results are not good.
The Security Gap Is the Biggest Risk You Have
The 2026 WatchGuard MSP Cybersecurity Trends Survey found that 75 percent of businesses experienced a cybersecurity incident in the past year. Three out of four. That is not a theoretical risk. That is the norm.
And the threats are getting worse. AI-driven attacks are increasing in volume and sophistication. Ransomware groups are targeting MSPs specifically because compromising one provider gives them access to dozens of client networks. The attack surface is growing as more businesses adopt cloud services, remote work, and IoT devices.
Meanwhile, the average MSP is stretched thin. The 2026 Kaseya State of the MSP Report found that staffing constraints are the number one operational bottleneck. When your provider is short-staffed, security is often the first thing that gets deprioritized. Not because they do not care. Because they are busy fighting fires.
But here is the thing about security: by the time you know you have a problem, it is already too late.
What “Not Taking Security Seriously” Looks Like
Here is what I see when I assess a business whose provider has been treating security as an afterthought.
No security assessment has ever been conducted. The provider set up a firewall and antivirus five years ago and has not looked at the security posture since. They do not know what vulnerabilities exist. They do not know what an attacker would see if they looked at your network today.
There is no incident response plan. If you get hit with ransomware tonight, what happens? Who do you call? How do you isolate the affected systems? How do you communicate with your employees and customers? If your provider cannot answer these questions, you do not have a plan. You have hope. And hope is not a security strategy.
Multi-factor authentication is not enforced. MFA is the single most effective control against credential-based attacks. It is not expensive. It is not complicated. And many MSPs still have not implemented it across all client systems. If your provider has not enabled MFA on every account that supports it, they are leaving the front door open.
Security awareness training is not happening. The weakest link in any security program is the person who clicks on a phishing email. Security awareness training reduces that risk significantly. But it takes time and effort. Many providers skip it because it is not billable in the same way that fixing a server is.
There is no documented security policy. Every business should have a written security policy that defines acceptable use, password requirements, data handling procedures, and incident response procedures. If your provider has not helped you create one, they are managing your security by instinct instead of by design.
The Cost of Security Complacency
The numbers are staggering.
IBM’s 2025 Cost of a Data Breach Report put the global average cost of a breach at $4.4 million. The US average was $10.2 million. And credential-based breaches took an average of 292 days to identify and contain.
During those 292 days, an attacker is inside your network. They are exfiltrating data. They are mapping your systems. They are preparing for the next phase of the attack. And you do not know it is happening.
The 2025 Ponemon Cost of Insider Threats Global Report found that the average annual cost of insider threat incidents is $17.4 million. And 45 percent of file security breaches involve insider threats. Not hackers in hoodies. Your own employees. Or former employees whose access was never revoked.
The WatchGuard survey found that 47 percent of businesses will pay more for 24/7 monitoring and faster response. They are telling you what they want. The question is whether your provider is listening.
What Good Security Looks Like
A security-focused MSP will have the following in place, and will be able to show it to you.
A current security assessment. Not a checklist from 2019. A thorough evaluation of your current risk posture, conducted within the last 12 months, with documented findings and recommendations.
A written incident response plan. Documented procedures for what to do when (not if) a security incident occurs. Tested at least annually. Communicated to all relevant staff.
Multi-factor authentication on every account that supports it. No exceptions. Not just for administrators. For everyone.
Regular security awareness training. At least quarterly. With documented participation. With simulated phishing tests to measure effectiveness.
A documented security policy. Reviewed and updated annually. Acknowledged by all employees. Enforced consistently.
24/7 monitoring with documented response procedures. Not just alerts: a written procedure for what happens when an alert fires, who responds, how quickly, and what steps are taken.
Regular penetration testing or vulnerability scanning. At least annually. With documented results and remediation plans.
Questions to Ask Your IT Provider About Security
If you are a business owner, these are the questions you should be asking your provider. Today.
- When was the last security assessment conducted on my environment? If they cannot give you a date within the last 12 months, that is a red flag.
- Do you have a written incident response plan for my account? If they hesitate, you do not have a plan.
- Is multi-factor authentication enabled on all my accounts? If not, why not?
- When was the last security awareness training for my employees? If they have never done training, your people are your biggest vulnerability.
- Do you conduct regular vulnerability scanning or penetration testing? If not, you do not know what an attacker would see.
- Can you show me the threats you have blocked in the last 90 days? If they cannot produce a report, they are not monitoring effectively.
The Bottom Line
Security is not a product you buy. It is a discipline your provider practices every day.
If your IT provider is not talking to you about security, they are not taking it seriously. And if they are not taking it seriously, you are one incident away from a very expensive lesson.
Ask the questions. Demand the documentation. And if your provider cannot provide it, find one that can.
That is the Rewired MSP standard. Not just keeping the lights on. But making sure the doors are locked.
Brent Lacy has spent nearly 30 years in the IT industry building and advising managed service providers. He is the author of Rewired MSP: Mastery, Scalability and Performance, vCIO Rewired: Virtually Conquering IT Obstacles, and Near Miss: Preventable IT Failures Threatening Your Business Security. He does not sell consulting services or subscriptions. He shares what works.