We Recently Took on a New Client. Here’s What Their Last MSP Hadn’t Done.

From the outside, everything looked fine. A local business paying a monthly fee to their existing IT provider and getting tickets closed when they raised them. The kind of arrangement that runs for years before anyone takes a proper look under the bonnet.

When we onboarded them recently, here’s what we found: The Hyper-V host running all of their virtual servers had not received a single update since the day it was installed, five years earlier. The virtual machines sitting on top of it had not been backed up since March. Windows security patches on the production servers were over seven months behind. Their Microsoft Secure Score had not been reviewed in over a year. And remote access into the network was still happening through a VPN secured by a username and password, with no MFA in front of it.

None of this is unusual in our part of the country. We’re seeing similar patterns across the South West, which got us thinking about what every business should be able to expect as the basic standard from whoever is looking after their IT. Here are seven questions any business owner can ask their provider this week. We’d rather you knew them whether you choose Integy or not.

1. When did your provider last verify your backups?

A backup you have never restored from is not a guarantee that it will work when the time comes. The technology behind it makes no difference until somebody proves the data comes back clean. A good provider runs scheduled test restores and shares the result without being asked. Ask your provider for the date of your most recent full restore test and request to see the report it produced. If they cannot tell you, that is your answer.

2. Are all your servers, physical and virtual, on a documented patching schedule?

Patching must cover everything that holds your data or controls access to it. That means the physical host underneath your virtual servers, plus every VM running on it. The NCSC’s vulnerability management guidance sets out clear timescales, and Cyber Essentials requires high-risk or critical patches to be applied within 14 days of release. Ask to see the current patching schedule and the date the most recent patch was applied across servers and infrastructure devices.

3. Is multi-factor authentication enforced on every route into your network, including VPN?

A username and password on their own are no longer a defence anybody should be relying on. From 27 April 2026, the updated Cyber Essentials scheme treats missing MFA as an automatic fail on any cloud service that offers it, with no discretion left to the assessor. That covers the same route attackers are taking through stolen Microsoft 365 tokens and the older VPN setups still sitting on many networks. List every login point and check which ones enforce MFA, including VPN.

4. When did you last see your Microsoft Secure Score, and has it gone up in the last six months?

Microsoft Secure Score gives every Microsoft 365 tenant an objective measure of its security posture, and the recommended actions update as new threats emerge. A provider genuinely working on your security can show you the score, what they have closed off, and how the trend has moved. That monthly visibility is exactly what Integy Intelligence is built for. Ask for your current Secure Score, the figure from six months ago, and which remediations have been closed off in between.

5. Is your hypervisor host being maintained, or just the virtual machines sitting on top of it?

This is the question that caught out the client we mentioned at the start. People often forget that the Hyper-V or VMware host underneath is a server in its own right, with its own attack surface and its own update cycle. Patching the virtual machines but leaving the host untouched is like servicing the cars and ignoring the road they drive on. Ask for the patch history of your physical hosts as well as the VMs.

6. Does your provider align you with Cyber Essentials and CIS as a baseline, not as an add-on?

Cyber Essentials, run by the NCSC and IASME, is the UK government’s minimum bar for cyber hygiene. The CIS Controls set out the international consensus on what good looks like. We build Cyber Essentials and CIS alignment into our standard service from day one, so day-to-day operations are mapped against them by default. Ask whether your current setup is already aligned with Cyber Essentials or whether closing the gaps would be a separate, chargeable project.

7. Do you get a monthly report showing exactly what’s been done and what’s coming next?

A reactive ticket count is not a report on your IT. A meaningful monthly review should show you the proactive work that happened, which Secure Score actions were closed, which patches were applied, and what is planned for the next cycle. Without that, you have no way to judge whether you are getting value, and your provider has no easy way to prove it. Ask to see the last three monthly reports your provider has produced for you.

The standard your business deserves

Businesses across Devon, Somerset and the wider UK deserve more from their managed IT services than a fast ticket queue. Comfort breeds complacency, and the gap between a provider closing tickets and a provider actively raising your security posture can be enormous. You usually do not see it until somebody else takes a look.

That is the gap our model is built around. Every Integy client has a dedicated senior engineer, a monthly review showing what has been done and what is coming next, and continuous work against Microsoft Secure Score, Cyber Essentials, and CIS Controls as the baseline rather than the upsell.
