Cyber Strategy That Actually Protects - 5 Things To Watch Out For
You’re spending on cybersecurity. But is any of it actually keeping you safe? A practical breakdown of 5 common hidden weaknesses in most cyber strategies — and what to do instead.
✅ You’ve invested in the tech.
✅ The controls are there.
✅ The policies are written.
✅ You've got Cyber Essentials Basic (based on someone's best-effort questionnaire responses).
But when something goes wrong — really wrong — does anyone actually know what happens next?
Most cyber strategies look good. On paper, in board packs, in tender bids.
But coverage doesn’t mean capability, and spend doesn’t mean safety.
5 Signs Your Cyber Programme Looks Solid — But Won’t Hold
-
But how do you know they’re doing what they say — or that it’s working?
You get a report. You see a dashboard.
But are incidents being reviewed by someone who knows your environment?
Have you ever tested what happens when something does get through?
If you’re not checking, you’re just hoping.
-
But your core systems are in the cloud — and you can’t restore SaaS like you can a server.
There’s no restore-from-yesterday button. Your provider won't roll back a public cloud application for you — there are 40 other businesses on those servers.
If someone deletes records or your access is revoked, recovery is limited — and slow.
Most teams don’t realise that until it’s too late.
-
There’s a cybersecurity policy and a disaster recovery plan — both written by a consultant.
They’ve been reviewed. They align with best practice.
But in reality? People work around them.
Because following them slows things down, breaks processes, or gets in the way of doing the job.
So the controls only exist in theory, and they're only checked next time you're audited.
-
But it’s generic.
It talks about phishing and strong passwords — not your systems, your threats, or your reality.
If it doesn't apply to your business, then you're not training your people on the things that matter.
And that’s what matters.
-
Card payments are outsourced.
Your files — including the DR plan — are in SharePoint.
But if the breach hits or access goes down, you won’t even be able to open the plan that’s meant to guide you.
And when that happens?
You’ll take the call.
Customers won’t care that it was a supplier.
Regulators won’t care that it wasn’t “your” system.
They’ll want to know why you weren’t ready.
Because you can outsource the service —
but you can’t outsource accountability.
What to do instead
The goal isn’t to tick boxes.
It’s to protect what actually matters — with people, plans, and systems that keep customer data safe and your business running.
If you want help making sure your cyber strategy is actually protecting you — let’s talk.
Let’s talk if this sounds familiar.
✉️ adam@donebetter.co.uk
📞 +44 7438 725385
🔗 Connect on LinkedIn
🔗 Visit donebetter.co.uk