
88% of SMB Breaches Involve Ransomware: 5 Questions to Ask Your IT Provider This Week

Infonaligy

Most SMB breaches now involve ransomware, and the #1 factor is lack of expertise. Five pointed questions every business owner should ask their IT provider.


Ransomware hit 88% of small and mid-sized businesses that experienced a breach in 2025, more than double the rate at large enterprises. The number one contributing factor wasn’t budget. It was lack of expertise. Forty percent of affected companies cited security gaps they didn’t even know existed.

Those numbers should change how you think about your IT provider relationship. Not because you need to become a cybersecurity expert yourself, but because you need to know whether the people managing your technology can answer the hard questions. This post gives you five of those questions, framed as a conversation you should have this week.

1. “Do We Have Immutable Backups, and When Was the Last Restore Test?”

Backups are table stakes. Every IT provider will tell you they’re backing up your data. The question that separates a competent provider from an inadequate one is whether those backups can survive a ransomware attack.

Immutable backups are copies of your data that cannot be modified, encrypted, or deleted for a set retention period, with the lock enforced by the backup storage itself rather than by whoever holds the credentials. Traditional backups stored on the same network as your production systems get encrypted right alongside everything else during a ransomware event. Immutable backups held in isolated or air-gapped storage remain intact because the ransomware cannot reach them, and the retention lock holds even if an attacker obtains the backup console's login.

The second part of this question matters just as much. A backup that has never been tested is a backup that might not work. Ask your provider when they last performed a full restore test, how long the restoration took, and what the recovery point was (in other words, how much data written after that backup would have been lost). If the answer is “we haven’t tested it” or “it’s been a while,” that’s a gap you need closed immediately.

According to SonicWall’s 2026 Cyber Protect Report, untested backup and recovery plans are one of the most common weaknesses across SMBs. A strong backup and disaster recovery strategy includes regular test restores, documented recovery time objectives, and offsite or immutable storage that ransomware cannot compromise.
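As an added illustration of what a restore test should produce (this is example code, not from the post or from Infonaligy), the script below scores one test: it hashes the restored files against the manifest recorded at backup time and compares the actual recovery point and recovery time with the objectives. The file names, timestamps, and objectives are constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: what the backup job recorded at snapshot time ...
MANIFEST = {
    "finance/ledger.csv": sha256(b"2025-03-01,invoice,1200.00\n"),
    "hr/roster.txt": sha256(b"alice,bob,carol\n"),
}
# ... and what actually came back from the restore test.
RESTORED = {
    "finance/ledger.csv": b"2025-03-01,invoice,1200.00\n",
    "hr/roster.txt": b"alice,bob,carol\n",
}

def restore_integrity(manifest, restored):
    """Return (missing, corrupted): files absent from the restore, or whose hash differs."""
    missing = [p for p in manifest if p not in restored]
    corrupted = [p for p in manifest if p in restored and sha256(restored[p]) != manifest[p]]
    return missing, corrupted

def evaluate_restore_test(snapshot_at, incident_at, restore_started, restore_finished,
                          rpo_objective, rto_objective, manifest, restored):
    """Score one restore test the way a provider should be able to report it."""
    rpo_actual = incident_at - snapshot_at            # data written after the snapshot is lost
    rto_actual = restore_finished - restore_started   # how long the business would be down
    missing, corrupted = restore_integrity(manifest, restored)
    result = {
        "rpo_hours": rpo_actual / timedelta(hours=1),
        "rto_hours": rto_actual / timedelta(hours=1),
        "rpo_met": rpo_actual <= rpo_objective,
        "rto_met": rto_actual <= rto_objective,
        "missing": missing,
        "corrupted": corrupted,
    }
    result["passed"] = result["rpo_met"] and result["rto_met"] and not missing and not corrupted
    return result

def run_sample(corrupt: bool = False):
    """Constructed test: snapshot 02:00, incident 14:00, restore ran 15:00 to 19:30."""
    restored = dict(RESTORED)
    if corrupt:
        restored["hr/roster.txt"] = b"alice,bob\n"   # simulate a restore that came back wrong
    return evaluate_restore_test(
        snapshot_at=datetime(2025, 3, 1, 2, 0), incident_at=datetime(2025, 3, 1, 14, 0),
        restore_started=datetime(2025, 3, 1, 15, 0), restore_finished=datetime(2025, 3, 1, 19, 30),
        rpo_objective=timedelta(hours=24), rto_objective=timedelta(hours=8),
        manifest=MANIFEST, restored=restored)

if __name__ == "__main__":
    print(run_sample())
```

A test that only reports “restore succeeded” without these numbers and hash checks tells you very little about what a real recovery would look like.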

2. “How Fast Would You Detect Ransomware on Our Network?”

The median time from initial intrusion to ransomware execution dropped to just five days in 2025. That means attackers are spending less than a week inside your network before they lock everything down. If your IT provider can’t detect an intruder within that window, you’re going to find out about the breach from a ransom note, not an alert.

Ask specifically about detection capabilities. Do they run endpoint detection and response (EDR) on every device? Is someone monitoring alerts around the clock, or do they check a dashboard during business hours? What’s their average time to detect and respond to a confirmed threat?

Twenty-four-hour monitoring through a security operations center is no longer a luxury reserved for large enterprises. It’s a baseline requirement for any business that handles client data, financial records, or regulated information. If your provider offers monitoring only during business hours, ask them what happens when an attacker hits your network at 11 PM on a Friday, which is exactly when many ransomware groups time their deployments.

3. “What Does Our Network Segmentation Look Like?”

A flat network is one where every device can communicate directly with every other device. If malware lands on a laptop in your accounting department, it can spread laterally to your file servers, email systems, production databases, and backup infrastructure without hitting a single barrier. Flat networks turn a single compromised endpoint into a company-wide catastrophe.

Network segmentation divides your environment into isolated zones so that a breach in one area doesn’t automatically cascade to everything else. Your guest Wi-Fi shouldn’t have a path to your financial systems. The front desk PC shouldn’t be able to reach your backup servers.

Ask your IT provider to explain your current network architecture. Can they show you a diagram? Do they know which systems can talk to which? If the answer involves guessing or hedging, your network likely hasn’t been segmented with ransomware resilience in mind.

Proper segmentation is part of a managed security engagement because it requires ongoing maintenance, not just initial setup. As your business adds devices, applications, and locations, the segmentation design needs to evolve with it.
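To make the flat-versus-segmented contrast concrete, here is an added example (not from the post or from Infonaligy) that models a small office as zones with allowed flows and computes what an attacker in one zone could reach by chaining those flows, including multi-hop paths. The zone names, flows, and forbidden pairs are constructed; the last function shows how one added flow during growth can silently reopen a forbidden path.

```python
from collections import deque

ZONES = ["guest_wifi", "front_desk", "accounting", "file_servers", "finance_app", "backup"]

# Flat network (constructed): every zone may initiate connections to every other zone.
FLAT = {z: set(ZONES) - {z} for z in ZONES}

# Segmented design (constructed): only the flows the business needs, as initiator -> targets.
SEGMENTED = {
    "guest_wifi": set(),                          # internet only, no internal path
    "front_desk": {"file_servers"},
    "accounting": {"file_servers", "finance_app"},
    "file_servers": set(),
    "finance_app": set(),
    "backup": {"file_servers", "finance_app"},    # backup pulls data; nothing may push to it
}

# Pairs that must never be connected, directly or through intermediate zones.
FORBIDDEN = [("guest_wifi", "finance_app"), ("front_desk", "backup"),
             ("front_desk", "finance_app"), ("accounting", "backup")]

def reachable_from(policy, start):
    """Zones an attacker on `start` could reach by chaining allowed flows (breadth-first)."""
    seen, queue = set(), deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in policy.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def segmentation_violations(policy):
    """Forbidden pairs that are reachable under the policy, including multi-hop paths."""
    return [(src, dst) for src, dst in FORBIDDEN if dst in reachable_from(policy, src)]

def with_added_flow(policy, src, dst):
    """Copy of a policy with one extra allowed flow, as happens when a new app is plugged in."""
    updated = {z: set(t) for z, t in policy.items()}
    updated.setdefault(src, set()).add(dst)
    return updated

if __name__ == "__main__":
    print("flat:", segmentation_violations(FLAT))
    print("segmented:", segmentation_violations(SEGMENTED))
    drifted = with_added_flow(SEGMENTED, "front_desk", "accounting")
    print("after drift:", segmentation_violations(drifted))
```

Running the forbidden-pair check every time a flow is added is the ongoing maintenance that keeps a segmentation design honest as the business grows.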

4. “Do We Have an Incident Response Plan, and Have We Practiced It?”

Most businesses that have an incident response plan have a document sitting in a shared drive that nobody has opened in two years. That’s not a plan. That’s a liability.

An effective incident response plan covers who does what when a breach occurs. It names specific people, their roles, their contact information, and the sequence of decisions that need to happen in the first hours. It includes communication protocols for employees, clients, vendors, legal counsel, and (depending on your industry) regulators. It addresses whether to pay a ransom, how to engage law enforcement, and when to activate your cyber insurance policy.

The plan only works if people have practiced it. A tabletop exercise walks your leadership team through a simulated incident so they make the hard decisions in a conference room instead of during an actual crisis. Ask your IT provider when they last ran a tabletop with your team. If the answer is never, that should be a priority before the end of the quarter.

The average cost of a ransomware incident for an SMB ranges from $120,000 to $1.24 million. Much of that cost comes from slow response times, unclear decision-making authority, and communication breakdowns, all problems that a practiced incident response plan directly addresses.

5. “What’s Our Exposure If an Employee Clicks a Phishing Link Right Now?”

Phishing remains the most common entry point for ransomware. The question isn’t whether one of your employees will eventually click a malicious link. It’s what happens after they do.

A well-defended environment has multiple layers between a phishing click and a full compromise. Email security filters catch the majority of phishing attempts before they reach inboxes. Multi-factor authentication prevents a stolen password from granting immediate access. Least-privilege access controls limit what any single compromised account can reach. EDR on the endpoint detects and quarantines malicious payloads before they execute.

Ask your IT provider to walk you through these layers specifically. What percentage of phishing emails are being caught before delivery? Is MFA enforced on every account, including admin accounts? Are user permissions regularly reviewed to ensure people only have access to what they need?

If your provider can’t describe these layers clearly, or if the answer to several of those questions is “we haven’t set that up yet,” your employees are one click away from giving an attacker a foothold. Security awareness training reduces the odds of that click, but it’s the defensive layers behind it that determine whether a click becomes a catastrophe or a contained event.

What Good Answers Sound Like

A strong IT provider won’t just answer these questions. They’ll welcome them. Here’s what you should hear:

  • Specific, verifiable details. “We run immutable backups on a 30-day retention cycle with weekly test restores” is a good answer. “We handle that” is not.
  • Honest acknowledgment of gaps. No environment is perfect. A provider who says “we’ve identified these gaps and here’s our plan to close them” is more credible than one who claims everything is covered.
  • Evidence, not just assurances. Reports, dashboards, and documentation should be available to back up their answers. If they can’t show you proof, they may not have the capabilities they claim.

If your IT provider can’t answer these five questions confidently, it might be time for a second opinion. That’s not an insult to your current provider. It’s basic due diligence for a business facing a threat that grew 34% last year and continues to accelerate.

Start the Conversation This Week

You don’t need to overhaul your IT environment overnight. Start with a single meeting where you walk through these five questions with your provider. Write down their answers. Ask for documentation to back up the claims. If the responses are strong and specific, you’ll have confidence that your business is better protected than the average SMB. If the responses are vague, evasive, or incomplete, you’ll know exactly where to focus next.

For a deeper self-assessment of your security posture, SonicWall’s “Seven Deadly Sins” framework from their 2026 Cyber Protect Report outlines the most common security weaknesses across SMBs. We’ll be publishing a detailed walkthrough of that self-assessment soon, so keep an eye on our blog for that companion piece.


Ransomware isn’t slowing down, and the data shows that SMBs bear the worst of it. The five questions in this post aren’t complicated, and they don’t require technical expertise to ask. They require the willingness to hold your IT provider accountable for the security of your business. The providers worth keeping are the ones who are ready for that conversation.