
Before You Hire a Cybersecurity Vendor: 7 Questions That Reveal the Truth


Choosing a cybersecurity vendor isn't like hiring a plumber. The wrong choice doesn't just cost you time and money — it can leave your business exposed for months before you realize anything is wrong.

We've seen it firsthand. A manufacturer in the Treasure Valley signs a contract with an IT company that checks all the boxes on paper. Twelve months later, they're calling us after a ransomware attack that their provider never detected. The provider had monitoring tools, sure. Nobody was actually watching them.

We're not a national call center. We have offices in Boise and Idaho Falls, and when something goes wrong with one of our clients, someone who knows your business picks up the phone. That's the standard we hold ourselves to, and it's the standard you should hold any cybersecurity vendor to.

So how do you actually vet a cybersecurity vendor before you sign?

Here are seven questions that cut through the sales pitch.

1. Do you carry your own cyber liability insurance — and can I see the certificate?

Any cybersecurity vendor worth hiring carries professional liability (E&O) and cyber liability insurance. If something goes wrong on their watch — a misconfiguration, a missed alert, a breach tied to their tools — you want to know they can be held accountable. Ask for the certificate of insurance, and check that the policy is current and that the coverage limits are meaningful next to what a breach of your business would actually cost. A confident, reputable provider will hand it over without hesitation.

2. Have you ever had a breach? What happened?

This sounds like a trap question, but it isn't. Every honest security company will tell you that no environment is 100% immune. What matters is how they responded. Ask for specifics: What happened? How was it discovered? What did they change afterward? A vendor who says "we've never had an incident" either hasn't been around long enough or isn't being straight with you.

3. What does your 24/7 monitoring actually look like?

"24/7 monitoring" is one of the most overused phrases in managed IT. Pin them down. Do they have a Security Operations Center (SOC)? Is it in-house or outsourced? Who actually reviews an alert, and how quickly? What's the escalation path when an alert fires at 2 a.m. on a Sunday? If the answer involves a lot of "our tools automatically..." without a human being in the picture, ask more questions.

4. What does your own internal security look like?

Your vendor has access to your systems, your credentials, your backups. That makes them a high-value target for attackers, and a compromise of your vendor is a compromise of you. Ask: Do your employees pass background checks? How do you manage and log internal access to client environments? Do you enforce MFA on your own team, including on the remote-access tools you use to reach our network? Have you completed a SOC 2 audit or similar third-party review of your own practices? You're trusting them to protect you — they should be able to prove they protect themselves first.

5. Do you have experience with businesses like mine?

This matters more than most buyers realize. If you're a manufacturer in the Treasure Valley, a food processor in Twin Falls, or an engineering firm in Idaho Falls, your IT environment has specific requirements that a generalist vendor may not understand. OT/IT convergence, CMMC compliance for defense contractors, ITAR-controlled data — these aren't things you want your vendor learning on the job with your network. Ask for references from similar Idaho businesses, and call them.

6. What happens if we part ways?

Vendors are usually happy to talk about onboarding. Ask about offboarding. How do you get your data back, and in what format? How quickly are your credentials revoked? Who retains what access, and for how long? Ask for an inventory of every account, remote-access tool, and credential they hold in your environment, and get the offboarding process in writing as part of the contract. This question reveals a lot about how professional and organized a vendor actually is — and it protects you if the relationship doesn't work out.

7. Can you walk me through a real incident response you handled?

Not a hypothetical. Not a case study from their website. Ask them to walk you through an actual incident — a ransomware hit, a phishing compromise, a hardware failure — and describe what they did step by step: how it was detected, how long it took to contain, how the client was kept informed, and what changed afterward. Good vendors have these stories and tell them well. Vendors who have never been truly tested will give you a very theoretical answer.

The Bottom Line

A real cybersecurity partner doesn't just sell you tools — they take accountability for your security posture and pick up the phone when it matters.

TotalCare IT has been serving businesses in the Treasure Valley and East Idaho for over a decade. If you're evaluating IT and cybersecurity providers and want straight answers to every one of these questions, we're happy to have that conversation in person — at our Boise office, our Idaho Falls office, or yours.
