TL;DR: During National Small Business Week 2026 (early May), the FTC ran webinars including "Building Your Small Business Cybersecurity Team: From In-House to Outsourcing" and "Small Business, Big Target," and reinforced its guidance that owners must actively vet IT and cloud vendors rather than take their word for it. The FTC's vendor-security questions cover TLS/website encryption, SPF/DKIM/DMARC email authentication, multi-factor authentication, software update responsibility, and contractual security requirements with independent verification. North Carolina small businesses can use these exact questions to evaluate any IT provider, and Preferred Data Corporation is built to answer every one of them.
Key takeaway: The FTC's core message for 2026 is "don't just take their word for it." A vendor that cannot give clear, specific answers to standard security questions is itself a risk, not a safeguard.
Want a provider that already meets the FTC's bar? Preferred Data Corporation has served North Carolina small businesses for over 37 years. Call (336) 886-3282 or book a vendor security review.
What did the FTC tell small businesses during National Small Business Week 2026?
The FTC used National Small Business Week 2026 to push a single theme: small businesses are big targets, and choosing the right security help is now a core business decision. As outlined on the FTC's business guidance blog, the agency ran webinars including "Building Your Small Business Cybersecurity Team: From In-House to Outsourcing" (May 5) and "Small Business, Big Target: How to Avoid Small Business Scams" (May 6), partnering with NIST and the National Cybersecurity Alliance.
The agency's standing Cybersecurity for Small Business resources go further, providing concrete questions to ask vendors and a clear directive: establish processes to confirm vendors follow your rules, and do not just take their word for it.
For NC owners, this reframes vendor selection as a security control in its own right.
What cybersecurity questions does the FTC say to ask an IT vendor?
The FTC's vendor-security guidance translates into a practical interview every NC small business should run before signing with any IT or hosting provider. The core questions, drawn from the FTC's vendor security materials, fall into five areas.
- Website and data encryption. Is TLS included in the plan, free or paid? Who sets it up? What technologies keep the site secure?
- Email authentication. Can you help us set up SPF, DKIM, and DMARC so our domain cannot be spoofed?
- Software updates. Are the latest software versions available, and who is responsible for keeping them updated? If it is us, how easy is it?
- Access and authentication. After setup, who can make changes? Is multi-factor authentication available for those who can log in?
- Verification and contracts. How can we independently confirm you follow our security rules? Are specific security requirements written into the contract?
A strong provider answers these crisply. A weak one deflects, and the FTC's point is that the deflection is the warning sign.
How should NC small businesses score a provider's answers?
Use a simple pass/fail rubric so the evaluation is objective rather than based on a sales pitch.
| FTC question area | Weak answer (red flag) | Strong answer (PDC standard) |
|---|---|---|
| TLS / encryption | "It's extra, you handle it" | Included, configured, and monitored by the provider |
| SPF/DKIM/DMARC | "Not something we do" | Implemented and managed to stop domain spoofing |
| Software updates | "That's on you" | Provider-managed patching with reporting |
| MFA / access control | "Available if you ask" | Enforced by default for all administrative access |
| Verification / contract | "Trust us" | Independent assessment offered; security terms in contract |
- Demand specifics, not adjectives. "Enterprise-grade security" is marketing; "MFA enforced on all admin accounts, patched within X days, third-party assessed annually" is a control.
- Insist on contractual security requirements. The FTC explicitly recommends writing security obligations into vendor contracts and conducting due diligence on cloud vendors.
- Require independent verification. An assessment by a third party is the FTC's recommended way to confirm a vendor actually does what it claims.
Why does the FTC emphasize "don't just take their word for it"?
Because the vendor is now part of your attack surface. A managed IT or cloud provider has privileged access to your systems, so a provider with weak internal security, no MFA, slow patching, or no independent audit becomes the easiest path into your business. The FTC's guidance to conduct due diligence on all cloud vendors and require security certifications exists because supply-chain and vendor-mediated compromise is a leading cause of small-business breaches. In practical terms, the security questions above are not bureaucracy; they are how you avoid hiring your own breach.
Run the FTC checklist on us. We welcome the questions. Call (336) 886-3282 or contact Preferred Data Corporation.
How does Preferred Data Corporation answer the FTC's questions?
PDC was built to pass this exact review. As a North Carolina managed IT and cybersecurity partner serving clients for over 37 years from our High Point headquarters, we answer every FTC vendor question affirmatively and in writing.
- Encryption and email authentication configured and managed, including SPF, DKIM, and DMARC, through our managed IT services.
- Provider-managed patching and updates with reporting, not "that's on you."
- MFA enforced by default on administrative and remote access as part of our cybersecurity program.
- Independent verification and contractual security terms, with documented controls aligned to client and cyber-insurance requirements.
- Cloud vendor due diligence built into onboarding and vendor risk reviews.
The FTC says to outsource carefully and verify everything. We agree, and we hand clients the evidence to do exactly that.
Frequently Asked Questions
What is National Small Business Week and why does cybersecurity matter to it?
National Small Business Week is an annual U.S. observance recognizing small businesses; in 2026 the FTC used it to run cybersecurity webinars and publish guidance because small businesses are now primary cyberattack targets. The agency's 2026 sessions explicitly covered in-house versus outsourced security teams and avoiding scams, per the FTC business blog.
What are SPF, DKIM, and DMARC, and why does the FTC stress them?
They are email authentication technologies that prevent attackers from spoofing your business domain in phishing and invoice-fraud emails. The FTC's vendor questions specifically ask whether a provider will help set them up because domain spoofing underpins business email compromise, one of the costliest small-business fraud categories.
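One way to confirm a provider's SPF and DMARC work yourself instead of taking its word for it, shown as an added example that is not FTC or Preferred Data Corporation code. The function names, the pass/fail thresholds, and the `.example` records are assumptions constructed for illustration; DKIM is left out because checking it requires the selector name, which you have to ask the provider for.

```python
# Added example; the TXT records in SAMPLE are constructed, not real lookups.
# Fetch real ones yourself, e.g. `dig +short TXT example.com` (SPF) and
# `dig +short TXT _dmarc.example.com` (DMARC).

def grade_spf(txt_records):
    """Return (passed, reason) for the TXT records at the domain apex."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return False, f"expected exactly one SPF record, found {len(spf)}"
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return False, "redirect= in use; grade the target domain's record"
        return False, "no 'all' term, so unlisted senders are not rejected"
    first = all_terms[0]  # terms after the first 'all' are never evaluated
    qualifier = first[0] if first[0] in "+-~?" else "+"
    if qualifier in "-~":
        return True, f"unlisted senders fail or soft-fail ({first})"
    return False, f"{first} lets unlisted senders through"

def grade_dmarc(txt_records):
    """Return (passed, reason) for the TXT records at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return False, f"expected exactly one DMARC record, found {len(recs)}"
    tags = {}
    for part in recs[0].split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "missing")
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy}: spoofed mail is reported at most, not blocked"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return False, f"pct={pct}: policy covers only part of failing mail"
    return True, f"p={policy} applied to all failing mail"

SAMPLE = {  # constructed records for two hypothetical provider-managed domains
    "strong.example": {"spf": ["v=spf1 include:_spf.mail.example -all"],
                       "dmarc": ["v=DMARC1; p=reject; rua=mailto:d@strong.example"]},
    "weak.example": {"spf": ["v=spf1 include:_spf.mail.example ?all"],
                     "dmarc": ["v=DMARC1; p=none; rua=mailto:d@weak.example"]},
}

def review(records=SAMPLE):
    """Grade every domain; returns {domain: {"spf": (ok, why), "dmarc": (ok, why)}}."""
    return {d: {"spf": grade_spf(r["spf"]), "dmarc": grade_dmarc(r["dmarc"])}
            for d, r in records.items()}
```

A record that exists but grades as a fail here (`?all`, `p=none`) is the measurable form of a vague answer: the provider set something up, but spoofed mail is still delivered.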
What is the single biggest red flag in a vendor's answers?
"Just trust us," or any refusal to allow independent verification or written security terms. The FTC explicitly recommends third-party assessment and contractual security requirements, so a vendor unwilling to be verified is failing the agency's core test.
Should a small NC business build an in-house security team or outsource?
For most NC small businesses, outsourcing to a vetted managed provider delivers enterprise-grade controls (24/7 monitoring, MFA, patching, DLP) at a fraction of in-house cost. The FTC's 2026 webinar on this topic acknowledges both paths; the deciding factor is whether the provider can pass the agency's vendor-security questions.
Can I get the FTC's questions in a usable checklist?
Yes. The five areas (encryption/TLS, SPF/DKIM/DMARC, software updates, MFA/access control, and verification/contract terms) form a ready interview script. PDC will walk through each one with you and provide written answers and supporting evidence during a vendor security review.