
Seven questions to ask any IT provider before you hand over your data

18 June 2026 · VentaCore

Choosing who looks after your IT is really a decision about who you trust with your business’s data — your clients’ records, your finances, your email. It deserves more scrutiny than it usually gets. Here are seven questions worth asking any provider before you sign, with a note on what a good answer sounds like.

1. Where is your helpdesk based?

You want to know who actually answers when your team calls. An Australian-based helpdesk understands your context, your time zone and your obligations. There’s nothing wrong with a provider being honest about how they’re staffed — what matters is that you know before you commit.

2. How do you handle our backups — and have you tested a restore?

Plenty of providers “do backups.” Far fewer regularly test that those backups actually restore. Ask when they last performed a test restore and how long a full recovery takes. “We back up every night” is not the same as “we proved last month that we can get you running again in under an hour.”

3. Will you align us to the Essential Eight?

The Australian Cyber Security Centre’s Essential Eight is the baseline most organisations are measured against. A capable provider should be able to tell you your current maturity across all eight strategies and how they’d improve it — in order of what reduces the most risk first.

4. What happens if we’re breached at 6pm on a Friday?

The honest answer matters more than a reassuring one. You want to hear a clear process: who you call, what they do first to contain it, how they communicate, and how they help you meet your obligations under the Notifiable Data Breaches scheme. Vague comfort (“don’t worry, you’re covered”) is a red flag.

5. What do you actually promise — in writing?

Be wary of anyone selling “100% secure,” “unhackable” or “guaranteed compliance.” No one can deliver those, and in Australia, claims like that can be misleading. A trustworthy provider tells you what they do — monitor, patch, back up, report — and puts response times in a written agreement you can hold them to.

6. How will you help us meet our compliance obligations?

Note the wording: a provider helps you meet your obligations. Compliance is your business’s legal responsibility. A supplier supports it with controls and evidence; it doesn’t take it off your hands entirely. If a provider claims they’ll make you “compliant,” ask them to explain exactly what they mean.

7. Can you show us the evidence?

Whether it’s for an auditor, a cyber-insurance renewal or a client’s security questionnaire, you’ll eventually need to prove your controls are in place — not just assert it. Ask whether the provider documents what they do and can hand you evidence when you need it.


If a provider answers these well, you’re likely in good hands. If they get defensive or reach for big guarantees, keep looking.

Want a straight answer to all seven for your business? Book a consult with our Melbourne-based team.
