These are not futuristic controls. They are the basics of taking responsibility for a client’s environment.
Published: 12 June 2026
A managed IT provider should do more than answer tickets and renew licences. If they are responsible for your systems, they should be able to show what they have done to reduce obvious risk.
The list below is not everything. It is the sort of baseline that should already be in motion for a serious SME.
There is a difference between “MFA is available” and “MFA is enforced sensibly across the organisation”. Conditional Access should reduce risky sign-ins, protect admin roles and avoid lazy blanket exceptions that quietly become permanent.
Mailbox forwarding is a favourite route for data theft and invoice fraud. If forwarding is allowed everywhere by default, your email system is too trusting. Exceptions should be rare, approved and reviewed.
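One way to make "rare, approved and reviewed" checkable, as an added example that is not NorthMSP's own tooling: compare an export of mailbox forwarding settings against a register of approved exceptions and flag anything external that is unapproved or overdue for review. The CSV layout, the exception register, the addresses and the 180-day review interval are all assumptions made for this sketch, and it covers mailbox-level forwarding only, not inbox rules.

```python
import csv
import io
from datetime import date

# Constructed sample export; columns are named after Exchange Online mailbox properties.
MAILBOX_EXPORT = """UserPrincipalName,ForwardingSmtpAddress,DeliverToMailboxAndForward
accounts@example.co.uk,smtp:ap-archive@partner.example.net,True
j.smith@example.co.uk,smtp:jsmith.personal@mail.example.org,False
reception@example.co.uk,smtp:frontdesk@example.co.uk,True
m.jones@example.co.uk,,False
director@example.co.uk,smtp:pa@assistants.example.com,True
"""

# Constructed exception register: mailbox -> (approved target, last review date).
EXCEPTIONS = {
    "accounts@example.co.uk": ("ap-archive@partner.example.net", date(2026, 3, 1)),
    "director@example.co.uk": ("pa@assistants.example.com", date(2025, 1, 15)),
}
INTERNAL_DOMAINS = {"example.co.uk"}  # constructed
REVIEW_INTERVAL_DAYS = 180            # assumed review cadence

def audit_forwarding(export_csv, exceptions, internal_domains, today):
    """Return one finding per mailbox that forwards mail outside the organisation."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        target = row["ForwardingSmtpAddress"].strip().lower()
        if not target:
            continue  # no mailbox-level forwarding configured
        target = target.split(":", 1)[-1]  # drop the "smtp:" prefix if present
        if target.rsplit("@", 1)[-1] in internal_domains:
            continue  # internal forwarding is out of scope here
        mailbox = row["UserPrincipalName"].strip().lower()
        approved = exceptions.get(mailbox)
        if approved is None or approved[0].lower() != target:
            status = "UNAPPROVED"
        elif (today - approved[1]).days > REVIEW_INTERVAL_DAYS:
            status = "REVIEW_OVERDUE"
        else:
            status = "APPROVED"
        findings.append({
            "mailbox": mailbox,
            "target": target,
            "status": status,
            # False: mail leaves the tenant and no copy stays in the mailbox
            "keeps_local_copy": row["DeliverToMailboxAndForward"].strip().lower() == "true",
        })
    return findings

if __name__ == "__main__":
    for f in audit_forwarding(MAILBOX_EXPORT, EXCEPTIONS, INTERNAL_DOMAINS, date(2026, 6, 12)):
        print(f)
```

A forward that is unapproved and keeps no local copy is the combination to look at first, because the mailbox owner sees nothing arrive.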
Malicious or over-permissioned apps can sit inside Microsoft 365 with access users never really understood they were granting. Your provider should know which apps have access to your tenant and whether users can approve new ones without oversight.
Shared local admin passwords, unmanaged privileged accounts and old service credentials are exactly the kind of problems that make incidents spread. LAPS or an equivalent approach should be in place, and admin rights should not be handed out as a convenience.
A backup dashboard is not proof that the business can recover. Your MSP should know what can be restored, how long it takes, who has access, whether backups are protected from deletion and when the last meaningful test happened.
It is not enough to have tools installed. Your provider should be able to report on patch status, endpoint health, devices falling behind and the exceptions that need attention.
You should know who owns the domain, DNS, Microsoft tenant, backup platform, licences and core admin accounts. If the answer is vague, you do not have proper governance. You have dependency dressed up as support.
If these checks have not been done, the useful question is not “whose fault is it?” It is “what are we doing about it now?”
NorthMSP includes security baseline work as part of how we onboard and support clients. Start with our free security and IT health check or read about our cybersecurity service.