Is Your IT Supplier a Hidden Cyber Risk? How to Vet Your Partners
In today's world, your business is only as secure as the weakest link in your supply chain. For many SMEs, that link is the IT support provider or cybersecurity firm they entrust with their most sensitive data.
The truth is that there are many providers out there with a polished website, glowing testimonials and bold claims about their expertise. But beneath the surface, the reality is often alarmingly different. If you are outsourcing your cybersecurity, it's time to move beyond appearances and start verifying the facts.
The Illusion of Security: What to Look For
It is surprisingly easy to make a business look and feel like a professional cyber security provider to the untrained eye. As cyber threats become more sophisticated, the gap between marketing security and practising security has never been wider.
Unfortunately, we encounter several of these providers on a daily basis. We meet suppliers showboating and lying about their capabilities, and we meet customers who have been easily breached because of a supplier's negligence.
Here are some of the things you can look out for:
The “Certification” Mirage
Service providers often boast about having credentials like Cyber Essentials. This is a good standard for anyone to achieve when starting their cyber security journey, but it is only a baseline and is the minimum that anyone should be delivering.
It is not a badge of honour, though, and it requires annual recertification with rigorous verification. The catch is that a lot of the companies marketing themselves as cyber experts know enough to tick-box their way to Cyber Essentials, or they rely on the fact that you won't know how to check whether they actually hold it. The good news is that you can easily check. Here is a link to the IASME certificate search: https://iasme.co.uk/cyber-essentials/ncsc-certificate-search/
If your provider claims to have Cyber Essentials but is not on the list, then you have to ask what else they are being dishonest about.
Corporate Instability
A company’s history is a window into its operational health. A quick check on Companies House can reveal a lot about a provider’s stability.
Are they a company that has been liquidated and rebranded multiple times in the last decade?
Frequent name changes and liquidations are often signs of a business failing to remain viable, or attempting to distance itself from past failures or legal issues. Sometimes it is simply a case of racking up debt, walking away, and starting again under a new name.
You want a partner with a foundation of stability, not one that might vanish tomorrow.
Ignoring the Fundamentals
If an IT provider isn’t practicing what they preach, they are not just ineffective—they are a liability. A glaring example is basic email security. Protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance) are the industry standard for preventing domain spoofing and phishing attacks. If your “cybersecurity expert” hasn’t bothered to configure basic DMARC records for their own domain, they are leaving the door wide open for impersonators. If they can’t secure their own email, how can they be expected to secure yours?
We've written an entire article dedicated to this topic here: https://castrasolutions.co.uk/insights/2026/why-business-email-compromise-attacks-are-increasing/
Why Due Diligence Matters
When you grant a third-party vendor access to your systems, you are essentially handing them the keys to your digital kingdom. If that provider is financially unstable, technically incompetent, or misleading about their own security posture, you are inheriting their risks.
Supply chain attacks are one of the most common ways businesses are compromised. Cybercriminals often target smaller, less secure IT providers to gain a “backdoor” into the networks of their many clients. By failing to perform proper due diligence, you could be inviting a threat actor directly into your internal environment.
Take Control: Your Verification Checklist
Don’t just trust a brochure. Take 15 minutes to perform your own “health check” on your suppliers:
Verify Certifications: Search the official database for Cyber Essentials and other certifications they may have. Don’t accept a PDF certificate.
Check Financial Health: Spend a few minutes on Companies House. Look for signs of insolvency, frequent name changes, or a history of dissolved entities.
Technical Audit: Use free online tools to check whether their domain has valid SPF, DKIM, and DMARC records, e.g. https://tools.sendmarc.com. If these are missing, it's a massive red flag.
Ask Direct Questions: Don’t be afraid to ask for their internal security policies or how they protect their own infrastructure. A professional partner will be happy to show you their due diligence.
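The DMARC point above and the Technical Audit step of the checklist both come down to reading three DNS TXT records and judging what they say. The following is an added example, not code from this article or from Castra Solutions: it evaluates SPF, DMARC and DKIM records for a supplier's domain and reports findings in the terms a reviewer would use (an SPF that ends in "+all", a DMARC policy stuck at "p=none", no DKIM key at the common selectors). The domain, the records and the selector names are constructed for illustration; to run it against a real domain, replace the lookup callable with a DNS client that returns the TXT strings for a name.

```python
# Constructed sample TXT answers for a hypothetical supplier domain (not real
# records), keyed by the exact DNS name a mail receiver would query.
SAMPLE_TXT = {
    "supplier.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.supplier.example": ["v=DMARC1; p=none; rua=mailto:dmarc@supplier.example"],
    "selector1._domainkey.supplier.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B..."],
}

def parse_tags(record):
    """Split DMARC/DKIM 'tag=value; tag=value' syntax into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, txt_lookup, dkim_selectors=("selector1", "default")):
    """Return (check, severity, detail) tuples for a supplier's mail domain.
    txt_lookup(name) -> list of TXT strings; plug in a real DNS client to go live.
    DKIM selectors are not discoverable from DNS, so only common guesses are tried."""
    findings = []
    spf = [r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("SPF", "high", "no SPF record published"))
    elif len(spf) > 1:
        findings.append(("SPF", "high", "more than one SPF record; receivers treat this as a permanent error"))
    else:
        last = spf[0].split()[-1].lower()  # the 'all' mechanism decides unmatched senders
        if last in ("+all", "all"):
            findings.append(("SPF", "high", "'+all' authorises any host to send as this domain"))
        else:
            findings.append(("SPF", "ok", f"terminates with {last}"))
    dmarc = [r for r in txt_lookup("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append(("DMARC", "high", "no DMARC record, so spoofed mail is never policed"))
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy in ("quarantine", "reject"):
            findings.append(("DMARC", "ok", f"p={policy}"))
        else:
            findings.append(("DMARC", "medium", f"p={policy or 'missing'}: monitor-only, spoofed mail still delivered"))
        if "rua" not in tags:
            findings.append(("DMARC", "low", "no rua= address, so nobody receives aggregate reports"))
    found = [s for s in dkim_selectors
             if any(parse_tags(r).get("p") for r in txt_lookup(f"{s}._domainkey.{domain}"))]
    findings.append(("DKIM", "ok" if found else "info",
                     f"selectors with a public key: {found}" if found else "no common selector found"))
    return findings
```

Running it on the constructed sample flags the DMARC policy as monitor-only while SPF and DKIM pass, which is exactly the half-configured state that lets impersonation mail through.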
The Bottom Line
Cybersecurity is built on trust, but it must be earned through transparency and technical excellence. If your current provider is hiding behind smoke and mirrors, it’s time to move on. Your data, your reputation, and your business continuity are too important to leave in the hands of someone who doesn’t take security as seriously as you do.
If you’d like to find out more about how we provide security for our customers then please get in contact with a member of our team.