Cyber security is about protecting the Confidentiality, Integrity and Availability of your data. There should be a good understanding of what you are looking for protection from, and a good partner will have an established Cyber Security Playbook and Incident Response Plan prepared.
Perimeter security should involve some sort of firewall, either hardware or software, that prevents unauthorized access to the network. This should be penetration tested routinely. The only ports that are open should be the ones you require. This firewall must be in support, maintained and patched up to date.
Your Client Machines should equally be in support, patched and up to date. If they are taken off premises they must have encrypted hard drives.
Your systems should be protected with a quality anti-virus (AV) solution, patched and up to date, that is not the subject of potential hostile State manipulation (like Kaspersky). Machines should have routine sweeps scheduled, and the solution should also operate actively in day-to-day use. The state of your AV estate should be reviewed routinely.
Access, controlled either by Strong Passwords or ideally by Multi Factor Authentication (MFA), should be allowed to only the data that the user needs to do their day job. Artificial Intelligence solutions looking out for unusual access patterns are ideal.
Distributed Denial of Service (DDoS) is the simplest way to take an organization offline. Your systems must be able to protect you from this form of attack.
Your staff are prone to visiting sites that can either infect them with malware that can compromise your systems or lure them into giving away their user credentials. Either way, you need a solution that blocks the site that they are visiting or warns them about it.
Your staff are subject to the risk of giving away system access through clever campaigns over other communication methods, such as phone calls. Attackers will use information that they have already gleaned to make more and more believable calls. Your partner should help you train users in these risks.
Phishing, Spearphishing and Whaling are various forms of attack that manipulate your staff into giving away their credentials or undertaking actions in the belief that they are in email communication with someone they are not. A good partner will have strategies in place for dealing with this risk, training your staff and routinely testing the susceptibility of your organization.
Plans are part of your data security. Central to this is your backup strategy, which should be 3-legged. You should have a backup on site that facilitates a quick restoration of data. You should have an off-site backup that forms your last line of recovery, and you should have a disconnected backup, not more than 24 hours old.