5 questions to ask your IT provider about security monitoring
Most businesses have spent real money on security. Firewalls, antivirus, email filtering, multi-factor logins: the defences are there, doing the job of keeping threats out. But one layer rarely shows up on the invoice and matters more than any of them: the layer that watches for threats already inside, and the person who acts when the alarm sounds. That layer is security monitoring, and it's the part most often missing.
Most serious breaches don't happen because a business had no defences. They happen because something slipped through, sat quietly inside for days or weeks, and nobody was watching closely enough to notice. The tools were there. The seat where someone should have been watching was empty.
When your layers work together they do two jobs: stop more threats at the door, and catch the ones that still get through. This post is about the second, because it's the one most often left unmanned.
So before you assume your setup is covered, here are the five questions to ask your IT provider about the watching layer, and what a confident answer sounds like.
The five questions at a glance:
- How would you know if a threat was already inside your network?
- Who is monitoring your security, and around the clock?
- How fast can someone respond when a threat is detected?
- What's the plan to contain a breach if one succeeds?
- How do you know your monitoring works?
1. How would you know if a threat was already inside your network?
You would only know if something is watching for the intruder once they're in, rather than just trying to block threats at the door. That capability is called threat detection.
Every layer you have is designed to keep threats out. But good security assumes some will occasionally get through, because they do. The real question is whether anything is looking for the intruder once they're inside. A strong answer describes detection: monitoring that watches for unusual behaviour on your network and devices, the digital equivalent of a motion sensor inside the building rather than just a lock on the door. A weak answer talks only about the tools that were supposed to keep them out, which is the one thing you already know didn't work here.
2. Who is monitoring your security, and around the clock?
Someone, whether an in-house person or a managed monitoring service, has to read the alerts, ideally 24/7. Detection tools generate signals, but they don't read themselves.
This is the single biggest gap in most setups, because the honest answer is often "the system flags it and we look when we can." Ask plainly: is there a person or a monitored service responsible for watching, and when? This matters more than it sounds. Nine to five on weekdays leaves roughly two thirds of the week unwatched, and attacks are deliberately timed for exactly those hours: nights, weekends and holidays, when defences are thinnest. If the watching only happens in office hours, it's absent precisely when you're most likely to be hit. You want genuine round-the-clock coverage, not a tool that quietly logs the break-in for someone to find on Monday.
3. How fast can someone respond when a threat is detected?
Fast means minutes, not days. Whoever is watching should be able to isolate a compromised device or disable an account straight away, not just forward you an alert.
There's a big difference between being alerted and being protected. An alert tells you there's a fire; it doesn't put it out. Find out what happens in the minutes after a real threat is detected. Can whoever's watching step in, isolating a compromised device, shutting down an account, stopping the spread? Or does the alert simply land in an inbox, waiting for someone to notice and decide what to do? The gap between detection and action is where a contained incident turns into a serious one.
4. What's the plan to contain a breach if one succeeds?
A good containment plan is written and rehearsed before an incident, not improvised during one. It should cover who takes charge, how affected systems are isolated, and how you recover clean data.
Even the best watching layer assumes that one day something will get through and take hold. What separates a bad day from a disaster is whether there's a plan ready before it happens, not one being written in a panic while systems are down. Pin down what happens in the first hour of a confirmed breach. Who takes charge, how do you cut the affected systems off from the rest, how do you get clean data back, and how quickly can the business keep running? A provider who's thought about this will describe a clear, rehearsed sequence. One who hasn't will describe good intentions. The difference tends to show up at the worst possible moment.
5. How do you know your monitoring works?
You know it works if it's regularly tested with simulated attacks and backed by reporting you can understand. Monitoring that is never tested is a promise, not a protection.
Settings drift, alerts get muted, staff change, and coverage quietly erodes without anyone noticing. Ask how they prove it works. Do they run tests that simulate a real intrusion and measure whether it's caught, and how quickly? Is the reporting something you can follow, rather than a dashboard nobody reads? You're not after perfection, just evidence, and a provider who can show their working.
What good answers have in common
None of these questions ask about product names, and that's deliberate. A capable provider will answer them in everyday terms, describing who does what and how fast, not listing software. They'll welcome the questions, because being watched closely is exactly what they want you to value.
If the answers you get are vague, or lean entirely on the tools rather than the people and the response behind them, that tells you something important. It usually means the seat behind the wheel is emptier than you'd assumed. In practice, that watching layer is delivered as a managed service, often called managed detection and response (MDR), where a team monitors and responds on your behalf around the clock.
That's worth knowing before an incident, not after.
If you're not confident how your own provider would answer these five, we'd be glad to help you find out. Book a free security review with entrustIT and we'll show you how well your current security monitoring would catch and respond to a threat that's already inside, where the gaps are, and what's worth addressing first.
.jpg?width=1200&height=400&name=Blog%20CTAs%20(3).jpg)