Key Takeaways
- The Cybersecurity and Infrastructure Security Agency publishes specific guidance on the risks of managed service provider relationships and what customers should ask before signing, which most small businesses have never seen.
- A vendor's inability to clearly explain who else, including subcontractors, can access your data is one of the clearest warning signs during evaluation, according to federal guidance on MSP risk.
- Asking whether a vendor conducts tabletop exercises for scenarios like ransomware or data loss reveals whether they have an actual incident response plan or just a sales pitch about having one.
- A scoring matrix that weights service catalog, security stack, and contract terms side by side helps a small business owner make an apples to apples comparison instead of deciding on price alone.
Landscaping companies get cold called by IT vendors constantly, usually right after a slow season budget conversation or a story about a competitor getting hit by ransomware. Almost none of those calls come with a way to actually evaluate whether the person on the phone is legitimate or just good at selling. This scorecard gives you one.
What questions should you actually ask an IT vendor before signing?
The most useful questions aren't about price or features first, they're about access, accountability, and what happens when something goes wrong. The Cybersecurity and Infrastructure Security Agency's guidance on managed service provider risk was written specifically because so many small and mid sized businesses sign IT contracts without understanding what they're agreeing to give a vendor access to, and what protections they should require in return.
Use the 12 questions below as a scorecard. Score each vendor from 1 to 5 on how clearly and confidently they answer, not just whether they answer at all. A vendor who gets defensive or vague on more than a couple of these is worth a second look before you sign anything.
The scorecard
- What exactly is included in your base price, and what costs extra? Vague answers here almost always mean surprise invoices later.
- Who else, including subcontractors or offshore teams, will have access to our systems and data? CISA's guidance specifically flags subcontractor disclosure as a core risk factor in MSP relationships, and a vendor who can't answer this clearly is a real red flag.
- How do you monitor for threats, and what does your incident response process actually look like? Ask for specifics, not a brochure description.
- Do you conduct tabletop exercises for scenarios like ransomware or major data loss? This reveals whether they have a real, tested plan or just a policy document nobody has walked through.
- How often do you test backups, and how do you verify a restore actually works, not just that a backup file exists?
- What are your guaranteed response times, and what happens if you miss them?
- Do you have a third party security audit or certification, such as SOC 2? Not every MSP has one, but the ones that do can prove their claims instead of just stating them.
- How is pricing structured, and how often can it change during our agreement? Get this in writing, not just verbally.
- What connections will exist between your systems and ours, and is that traffic isolated to a dedicated, secure connection? This is a direct recommendation from CISA's hardening guidance for MSP customers.
- Can you share references from businesses similar in size to ours? A vendor with only enterprise references may not be built for a company your size.
- What is your process for offboarding if we ever end the relationship? How you separate from a vendor matters as much as how you start.
- What role will you play in our long term technology planning, beyond just fixing things when they break? This separates a proactive partner from a reactive vendor.
Why the subcontractor question matters more than it sounds
A vendor who can't tell you who else touches your data isn't being evasive by accident, it's often because they genuinely don't have full visibility into their own supply chain, and that gap becomes your risk the moment you sign. CISA's guidance on this specifically recommends organizations obtain confirmation of any subcontracts or independent consultants that could expose company data to another external party, along with clear documentation of the MSP's responsibility for actions performed by those parties.
For a landscaping company running scheduling, payroll, and customer data through a lean back office, this isn't an abstract enterprise concern. It's the difference between knowing exactly who can see your customer list and payment records, and finding out only after something goes wrong.
What a red flag actually looks like in this conversation
A legitimate MSP will usually welcome this scorecard, because it gives them a chance to differentiate themselves from vendors who are purely transactional. The warning signs tend to show up as a pattern rather than one bad answer:
- Pushing hard toward a signature before answering security specific questions
- No clear answer on subcontractor or offshore access
- Inability to describe an actual incident response process, only a general reassurance that they'd "handle it"
- Pricing that's unclear about what happens after the first year
- No willingness to provide references from businesses your size
Turning the scorecard into a decision
Score each vendor across these 12 questions, then build a simple weighted comparison rather than deciding on price alone. Weight security and access related answers more heavily than convenience features, since a lower monthly cost from a vendor who can't answer the subcontractor question isn't actually the cheaper option once you account for the risk you're taking on.
An IT vendor relationship is one of the few contracts a small business signs that hands over meaningful access to nearly everything the business runs on. Taking twenty minutes to run a prospective vendor through this scorecard before signing is a small investment against a much larger problem down the road.