IT Firm Internal Security Posture: 7 Questions to Ask Before You Sign
Your IT firm holds more keys to your business than almost any employee does — your servers, your email, your backups, your financial systems. That access makes your IT firm’s internal security posture one of the most consequential due-diligence steps a CEO or COO can take before signing a contract. It is also one of the most commonly skipped. This guide gives you seven specific questions to ask, what a credible answer looks like, and which red flags should end the conversation on the spot.
Table of Contents
- Why Your IT Vendor Is an Attack Surface
- Question 1: Who Audits Your Security — and How Often?
- Question 2: How Do You Control Access to Client Environments?
- Question 3: How Do You Vet the People Who Touch My Systems?
- Question 4: What Happens If You Get Breached?
- Question 5: How Do You Manage Your Own Systems and Software Updates?
- Question 6: Do You Carry Cyber Liability Insurance — and What Does It Cover?
- Question 7: Have Any of Your Clients Ever Been Breached?
- How to Weigh the Answers
- What Good Looks Like in Practice
Why Your IT Vendor Is an Attack Surface — and Why IT Firm Internal Security Posture Matters
The 2020 SolarWinds attack did not start inside its victims’ networks. It started inside the software vendor’s own build environment. From there, attackers moved laterally into thousands of organizations — including U.S. federal agencies. The lesson was not subtle: the companies and agencies that got hit were not careless with their own security. They trusted a vendor who was.
That dynamic plays out at a smaller scale every day in the small and mid-sized business market. An IT firm with weak internal controls, unmonitored admin credentials, or undertrained staff is not a partner — it is a liability with a contract. The Cybersecurity and Infrastructure Security Agency (CISA) has explicitly warned businesses about service supply-chain risk for exactly this reason.
The seven questions below are designed to surface that risk before you hand over the keys. Each one targets a specific dimension of IT firm internal security posture — from auditing and access controls to insurance and breach history.
Question 1: Who Audits Your Security — and How Often?

Any IT firm can say it takes security seriously. Far fewer can point to an independent third party that holds them accountable for it. Ask directly: do you undergo an external security audit, conducted by whom, and on what schedule?
A credible answer names a specific assessor, identifies the framework being assessed against, and gives you a cadence — annual is the minimum worth respecting. Vague answers like “we follow best practices” or “our team stays current on certifications” are not answers. They are deflections.
Frameworks worth asking about include the CIS Critical Security Controls, ISO 27001, and SOC 2 (the compliance framework). Each represents a structured, auditable standard that an outside party can verify. If the firm cannot name an auditor and a framework, you are looking at a firm that has never been held accountable to anything beyond its own judgment.
For reference: Xact IT Solutions holds the GTIA Cybersecurity Trustmark — audited annually since 2021 by Versprite, a CREST-accredited assessor, against CIS Critical Security Controls IG2 with supplementary ISO 27001 controls. That is the level of specificity a real answer requires. See what verified cybersecurity standards look like in practice.
Question 2: How Do You Control Access to Client Environments?
Your IT firm almost certainly has administrator-level access to your systems. The question is whether that access is managed with discipline or handed to every technician on staff and left open indefinitely.
Strong access control means three specific things. Access is role-based — a junior technician doing routine maintenance does not carry the same permissions as a senior engineer running a server migration. Access is logged and reviewable — every action taken inside your environment creates an auditable record. And privileged credentials are protected with multi-factor authentication, not just a username and password that one phishing email could compromise.
Ask the firm: who on your team has access to my environment, and how do you manage that list over time? A firm with mature controls can answer this in two minutes. A firm without them will give you a general statement about team culture and trust.
Question 3: How Do You Vet the People Who Touch My Systems?
Insider threats are real — and not always malicious. A technician who reuses passwords, clicks phishing links, or stores client credentials in a personal notes app is a threat even with good intentions. The question is whether the firm treats its own staff as part of its security perimeter.
Ask about background checks for new hires, how often security awareness training runs, and how the firm handles offboarding when a technician leaves. That last one is where things most often fall apart. A former employee who still holds credentials to your environment — even passively, even accidentally — is an open door.
You are not being difficult by asking this. You are doing what any responsible executive does when someone is given access to their most sensitive systems. This dimension of IT firm internal security posture is frequently overlooked, yet it is one of the easiest attack vectors for adversaries to exploit.
Question 4: What Happens If You Get Breached?
This is not a pessimistic question. It is the most important one on this list. No security posture is perfect, and any firm that implies otherwise is either uninformed or dishonest. What separates serious firms from dangerous ones is whether they have a documented, practiced plan for what happens when something goes wrong.
Ask for specifics: Do you have a written incident response plan? How quickly would you notify affected clients? Who is the point of contact during an incident? Have you ever run a tabletop exercise to test the plan?
A firm that fumbles this question — or pivots immediately to “it won’t happen to us” — is telling you something important. The firms that have thought seriously about incident response are almost always the same ones that have thought seriously about prevention.
Also worth asking: does your cyber liability insurance cover client impact if your systems are compromised? That is covered in Question 6, but the two questions belong together in your thinking.
Question 5: How Do You Manage Your Own Systems and Software Updates?
This sounds basic — and it is, which is exactly why it matters. Unpatched software is one of the most common entry points for attackers. CISA maintains a catalog of known exploited vulnerabilities actively being used in attacks right now, many with patches available for months or years before organizations were hit.
An IT firm that manages your patching schedule but has not enforced one for its own internal systems is not a partner in your security. It is a gap in it.
Ask how often the firm patches its own workstations and servers, how it tracks open vulnerabilities across its own infrastructure, and what the turnaround time is between a critical patch being released and it being applied. A firm with mature controls measures this. A firm that has not thought about it probably does not measure much else either.
Question 6: Do You Carry Cyber Liability Insurance — and What Does It Cover?
Cyber liability insurance is now a baseline expectation for any firm operating in the IT services space. But policies are not equal, and the details matter more than the headline.
Ask whether the firm’s policy covers third-party liability — meaning, does it cover your losses if a breach of their systems causes damage to yours? Some policies cover only the vendor’s own costs: forensics, legal fees, notification. Others extend to downstream client impact. Those are very different policies.
Also ask about coverage limits relative to the firm’s client base. A firm carrying $1 million in coverage across dozens of clients is not offering meaningful protection. Ask the question directly, and pay attention to whether the firm can answer without calling their broker first.
Question 7: Have Any of Your Clients Ever Been Breached?
This is the question most people avoid because it feels confrontational. Ask it anyway.
A breach history does not automatically disqualify a firm — context and response matter. A firm that experienced a client breach five years ago, documented what happened, changed its processes, and has had zero incidents since is demonstrating exactly the institutional learning you want. That is a better signal than a firm with no history and no explanation for why.
A firm that says “never” without hesitation deserves a follow-up: how do you know? If they cannot describe the monitoring and detection capabilities that would surface a breach, that “never” is not a data point. It is a gap in visibility dressed up as a clean record.
Xact IT has had zero client breaches across every client served since 2004. That claim holds up because we have the monitoring in place to know. When any firm makes a claim like this, it is fair — and smart — to ask how they would know if something had happened.
How to Weigh the Answers
No firm will score perfectly across every question. What you are looking for is a pattern: does this firm apply the same rigor to its own IT firm internal security posture that it applies to yours? Or does it treat internal security as a distraction from the work of managing clients?
The firms worth working with treat these questions as obvious. They have answers ready because they have had these conversations internally. They may even have documentation they can share — audit reports, insurance certificates, written policies. That preparedness is itself a signal.
Red flags to note: answers that stay vague no matter how you probe, visible discomfort with the questions, pivoting to price or service features when security comes up, or any version of “you just have to trust us.” Trust is earned through evidence — not substituted for it.
For a broader framework on evaluating vendor risk, the NIST Cybersecurity Framework provides a widely adopted standard for assessing and communicating cybersecurity risk — including supply-chain and third-party risk. Referencing it during vendor conversations signals that you take the evaluation seriously.
What Good Looks Like in Practice
A firm with a mature IT firm internal security posture looks like this: independently audited certifications or trustmarks, role-based and multi-factor-protected access to all client environments, regular security awareness training for its own staff, meaningful cyber liability coverage with third-party provisions, and a clear incident response process it can describe without hesitating.
It also has a clean client breach record — and can explain why. Not because nothing has ever been attempted, but because the controls have held.
That combination of evidence, process, and verifiable history is what separates a firm that is genuinely protecting your business from one that is collecting a monthly fee and hoping for the best.
If you are evaluating IT vendors right now — or wondering whether to ask these questions about your current provider — our cybersecurity services page and managed IT services overview explain how we approach security from both sides of the relationship. The standards we hold ourselves to are the same ones we apply to every client environment we manage.
The right IT firm does not just sell you security. It lives the same standards it sells. That is the only version of this relationship that makes sense — and the only version your business can afford to accept.
Book a Free Cybersecurity Strategy Call and we will walk you through exactly how we would answer every question on this list — and show you the documentation to back it up.
Get a Second Opinion
Sometimes the best thing you can do for your business is have someone outside your current vendor relationship take a fresh look. That’s what a strategy call gives you — 20 focused minutes with our team and a no-strings-attached read on what we’d recommend.