There have recently been several high-profile cyber-attacks on major UK companies including M&S, Jaguar Land Rover and Co-Op. Recent headlines have suggested that M&S have ended their Managed Services contract with their provider after a cyber-attack that caused major disruption and cost up to £300m in lost profits. The message to business leaders is clear: choosing an MSP isn’t just about cost or capability, it’s about trust, resilience, and genuine security.
Here are five critical questions every organisation should ask before handing over essential IT services:
Do they treat cyber security as a core service, not just an add-on?
Managing helpdesk tickets and networks isn’t enough. The right MSP protects your business with robust security frameworks, rapid incident response, and ongoing vulnerability testing. From staff cybersecurity training to advanced threat detection, cybersecurity should be a core consideration. If they can’t prove it, buyer beware.
Do they have independent credentials and transparent evidence of performance?
When picking a new Managed Service Provider (MSP), it’s worth looking beyond promises and flashy marketing. A good place to start is by checking their certifications and accreditations. These are a clear sign that they take cybersecurity seriously and are independently audited on their capabilities. For UK organisations, for example:
-Cyber Essentials Plus shows they meet strong cybersecurity standards.
-ISO 27001 proves they have a formal approach to managing information security.
-CREST accreditation means their security testing is independently verified.
A reputable MSP should walk the walk, not just talk the talk. Their credentials should align with their services and claims.
Also consider their affiliations and partnerships. Membership or accreditation with bodies like the National Cyber Security Centre (NCSC), the UK Cyber Security Council, or local trusted organisations such as the Cyber and Fraud Centre Scotland can signal that they are actively engaged with the wider cybersecurity community and committed to staying up to date with emerging threats and best practices.
The right MSP will combine certified expertise with strong industry connections, giving you confidence that your IT and cybersecurity are in safe hands.
Can they demonstrate proactive defence and not just reactive support?
-Do they thoroughly review your current IT setup during onboarding and provide a clear report on recommended changes?
-Do they perform regular penetration testing and vulnerability scanning?
-Are they continuously monitoring and remediating rather than simply “fixing what’s broken”?
A provider with a reactive-only posture is asking you to run unprotected on a minefield.
What happens when the worst case hits?
-Do they have a clear, tested incident-response plan?
-Do you understand the chain of command, the escalation path, the communication plan?
Account management and regular business reviews
Cybersecurity isn’t static, and neither should your MSP relationship be. You need:
-A clear, dedicated point of contact who knows your business and your IT landscape.
-Quarterly Business Reviews (QBRs) to review performance, upcoming risks, planned updates, and strategic projects.
-Transparent reporting on tickets, patching, monitoring, and cybersecurity posture.
Providers who treat account management as an afterthought leave your business exposed and uninformed.
How we can help
Choosing an MSP is not a procurement checkbox. It’s a strategic security decision. At Consider IT we combine hands-on IT support, proactive cyber defence, and industry-leading accreditation so our clients can focus on their business, not whether next week’s attack will bring them to their knees.
If you’re reviewing your MSP relationship or considering cyber-resilience upgrades, let’s talk. We’d love to help simplify your decisions in plain English (and avoid acronym overload!). Get in touch for a friendly chat.



