Engineers in hard hats celebrate a cybersecurity hero unveiling a shield on his shirt in a lively office with blueprints and laptops.

6 Questions Smart Engineering Firms Ask Their IT Provider Every Quarter

July 13, 2026

6 Questions Smart Engineering Firms Ask Their IT Provider Every Quarter

If you're only talking to your IT provider when something breaks, you're doing it wrong.

Most engineering firms don't worry about technology every day. They worry about project deadlines, staffing challenges, client expectations, and keeping work moving.

Then an RFP asks for proof of cybersecurity controls.

A municipality wants documentation showing how project data is protected.

A healthcare client requests evidence of security practices.

A cyber insurance renewal asks questions no one is completely confident answering.

Suddenly, technology isn't an IT issue anymore.

It's a leadership issue.

The firms that navigate these situations well aren't necessarily spending more on technology. They're reviewing it consistently, documenting what they find, and addressing issues before they become problems.

Here's the simple version:

A quarterly IT review shouldn't tell you whether everything is fine.

It should tell you exactly where you're exposed, what's improving, and what needs attention next.

Question 1: What Security Risks Need Attention Right Now?

Every engineering firm has vulnerabilities.

The important question is whether anyone is actively identifying them.

Ask your IT provider:

  • Which systems are missing security updates?
  • Have there been unusual login attempts?
  • Are any users carrying unnecessary administrative privileges?
  • Does anyone still have access who shouldn't?
  • Which vulnerabilities have remained unresolved for more than 30 days?

Avoid vague answers.

"Everything looks good" is not useful.

You want specifics.

A good provider should be able to show what was discovered, what was fixed, and what remains under review.

Because invisible risks are usually the ones that create the biggest surprises.

Question 2: Have You Tested Our Backups Recently?

Many firms believe they're protected because backups exist.

That assumption causes problems.

Ask:

  • When was the last recovery test?
  • What data was restored?
  • How long did recovery take?
  • Were any issues discovered?
  • Are cloud applications included in backup coverage?

A backup that has never been tested is not a recovery strategy.

It's a theory.

When a project folder is accidentally deleted or a server experiences a failure, that's a terrible time to discover recovery isn't working the way everyone assumed.

Quarterly reviews should eliminate uncertainty long before an outage occurs.

Question 3: Where Is Technology Slowing Engineers Down?

Not every technology problem generates a support ticket.

Most productivity losses happen quietly.

Examples include:

  • Revit models taking too long to synchronize
  • Civil 3D files loading slowly
  • Drawing sets transferring slowly between offices
  • Field staff struggling with remote access
  • Engineers waiting on systems multiple times each day

Each delay seems minor.

Combined, they become a significant operational expense.

Ask:

  • What recurring performance issues are we seeing?
  • Which systems generate the most complaints?
  • Are workstations still appropriate for current workloads?
  • What should be upgraded, optimized, or replaced?

Technology should help engineers move faster.

Not teach them to tolerate inefficiency.

Question 4: Are We Still Aligned With Current Compliance Requirements?

Compliance isn't static.

Requirements change.

Contracts change.

Cyber insurance requirements change.

Client expectations change.

Engineering firms often encounter requirements connected to:

  • Municipal infrastructure projects
  • Utility contracts
  • Healthcare facility work
  • Defense-related engagements
  • Cyber insurance renewals

Ask:

  • Have any requirements changed recently?
  • Are there gaps in our policies?
  • Is additional employee training needed?
  • Do we have current documentation supporting our controls?
  • Could we answer a client questionnaire confidently tomorrow?

This matters because external evaluators don't judge what you intended to do.

They judge what you can prove.

That distinction becomes very important during audits, procurement reviews, insurance renewals, and client security assessments.

Question 5: What Should We Budget For Next Quarter?

The most expensive IT purchases are usually the unexpected ones.

Quarterly reviews should provide visibility into:

  • Aging workstations
  • Infrastructure nearing end-of-life
  • Warranty expirations
  • Software renewals
  • Storage growth
  • Security investments that should be planned rather than rushed

Good planning creates options.

Poor planning creates emergencies.

You shouldn't be learning about critical upgrades only when something fails.

Question 6: Where Are We Exposed Because No One Owns The Process?

Many technology failures aren't technical failures.

They're ownership failures.

Ask:

  • Who reviews access permissions?
  • Who validates backup recovery?
  • Who reviews security alerts?
  • Who maintains compliance documentation?
  • Who removes former employee access?
  • Who verifies unresolved vulnerabilities are addressed?

When ownership is unclear, responsibility quietly migrates toward leadership.

Eventually, someone discovers an important task was assumed to be handled by someone else.

Quarterly reviews should expose those gaps before they become incidents.

How One Engineering Firm Found Three Hidden Risks In 30 Minutes

A 45-person engineering firm believed its technology environment was in excellent shape.

Projects were on schedule.

No major outages had occurred.

Employees rarely complained.

During a quarterly review, three issues surfaced:

Risk #1: Former Contractors Still Had Access

Several inactive contractor accounts retained access to archived project folders.

Risk #2: Backup Testing Had Stopped

Backups were running successfully, but no recovery test had been performed in nearly a year.

Risk #3: MFA Wasn't Fully Deployed

A handful of accounts still lacked multifactor authentication.

None of these issues had caused an incident.

Yet all three represented unnecessary risk.

Within two weeks:

  • Contractor access was removed
  • Recovery testing was completed
  • MFA deployment reached full coverage

No emergency.

No breach.

No disruption.

Just visibility.

That's the value of a quarterly review.

How Mature Is Your Quarterly IT Review?

Level

What It Looks Like

Level 1

No formal review process

Level 2

Occasional discussions

Level 3

Documented quarterly reviews

Level 4

Evidence-based reviews with metrics and ownership

Level 5

Executive reporting, accountability, and trend tracking

Most firms believe they're operating at Level 4.

Many are actually operating at Level 2.

Documentation is usually the difference.

The Quarterly IT Scorecard Every Leadership Team Should Review

Area

Status

Risk Level

Backups

Green

Low

Multifactor Authentication

Yellow

Medium

Access Reviews

Red

High

Vulnerability Management

Yellow

Medium

Endpoint Protection

Green

Low

Compliance Documentation

Yellow

Medium

This type of scorecard provides leadership visibility without requiring technical expertise.

Five Metrics Worth Tracking Every Quarter

At minimum, request:

  • MFA coverage percentage
  • Backup recovery success rate
  • Number of inactive accounts removed
  • Average workstation age
  • Critical vulnerabilities open longer than 30 days

Without metrics, you're relying on opinions.

With metrics, you're measuring progress.

Questions Your IT Provider Should Never Dodge

A strong provider welcomes these questions.

Ask:

  • Show me the last recovery test.
  • Show me privileged accounts.
  • Show me unresolved vulnerabilities.
  • Show me evidence of access reviews.
  • Show me MFA coverage.
  • Show me compliance documentation gaps.

The goal isn't perfection.

The goal is visibility.

One-Page Quarterly Review Template

Review Item

Owner

Risk Level

Due Date

Backup Recovery Validation

IT Provider

High

Quarterly

Access Review

Operations

High

Quarterly

MFA Verification

IT Provider

Medium

Quarterly

Compliance Documentation Review

Leadership

Medium

Quarterly

Asset Lifecycle Review

IT Provider

Medium

Quarterly

Risk Remediation Assignment

Leadership Team

High

Quarterly

Use this framework every quarter and you'll have more operational visibility than most firms.

Your Next-Week Action

Before next week ends, ask your IT provider for the results of the most recent backup recovery test.

Not whether backups are running.

Ask what was restored, how long recovery took, what issues were discovered, and what changes were made afterward.

The quality of that answer will tell you a great deal about your actual level of resilience.

Schedule your 10 minute discovery call with 911 IT. Use it to verify whether your quarterly review process is identifying risks, assigning ownership, and providing evidence instead of assumptions. You'll leave with a clearer understanding of where you stand.