Monday, 2 December 2019

The 6 questions to ask your IT provider about their own security

How can you assess whether your IT provider is doing enough to protect your business, its systems and data?

The Grant McGregor team suggests some of the key questions you should be asking.

Anecdotally, it seems that security is rising up the corporate agenda. How many tenders did you complete five years ago that asked you to include a data security statement? Or require you to evidence Cyber Essentials certification? And how many ask for this today?

More, right?

Finally, it seems that IT security has the attention of senior management in the corporate world. While this may be long overdue, it is also true that the same security-first message still hasn’t got through to many SMEs.

If you are a small or mid-size business owner or manager, it’s time to consider whether you should be asking your own suppliers about their IT security arrangements – starting with any outsourced IT support providers, because they probably hold the keys to your (data) castle.

The security questions to ask your IT support partner

While GDPR makes it important to be talking to every partner with whom you share data, there will inevitably be some additional due diligence you’ll want or need to undertake with an IT provider.

It’s important to understand what your IT partner is doing to protect their own business, systems and data, as well as those of their clients. You do, after all, want an IT partner who can demonstrate they are up to date with the latest risks, vulnerabilities and solutions because, these days, good IT support is as much about protection as it is about fixing issues. Arguably more so.

Let’s consider some of the questions you should be asking your IT support company.

1. What professional qualifications and business certifications does the business hold?

It’s almost unbelievable that the IT Support industry is unregulated. That means anyone can set themselves up to support you without the need for any qualifications whatsoever.

IASME Governance, Cyber Essentials, ISO 27001 and other cyber security certifications are a good indication that your IT support company takes its own IT security seriously. Don’t stop at the logo on the website, though: ask to see the certificate itself and check the date and the scope. Cyber Essentials certificates are valid for twelve months, and an ISO 27001 certificate only covers the sites and services named in its scope statement. Also, if the company can show that its employees hold highly regarded industry certifications such as those from CompTIA and Microsoft, it should give you peace of mind that the people looking after your IT have the right technical skills.

This question is important because it will give you confidence that the claims the company is making about its skills and competencies have been externally verified.

2. Have you been a target of a cyber-attack? What happened?

All companies are in the firing line: when it comes to cyber attack no one can afford to be complacent. If you do detect some complacency in your supplier’s answer to this, be wary.

MSPs are at greater risk of being targeted by attackers because the remote management tools they rely on give them privileged access to the networks and devices of all their customers. If your business is the safe deposit box, IT support businesses are the bank, so it makes sense for an attacker to go after the bigger target. You need to know what any potential provider is doing to protect those systems and that access.

Because of the universal threat, you should expect the answer to the first question to be “yes, frequently”. A provider who answers “never” is either not looking or not being candid. You ideally want the answer to the second to be “nothing; we identified and stopped the threat before it could cause any harm”, followed by an explanation of how it was detected and what they changed as a result.

However, it’s also really important to understand what your IT providers are doing to protect against attacks, so we recommend that you follow up with two further security questions.

3. What vulnerability testing do you undertake? How often? What were the results?

Vulnerability testing now needs to be an ongoing process. Your IT supplier should be able to explain what approaches they use to test the security of their own systems, how regularly these tests are carried out, and what services they can offer to test yours. It helps to distinguish between automated vulnerability scanning, which should be running continuously or at least monthly, and manual penetration testing, which is typically annual or triggered by significant change. Ask to see a summary of the most recent results and, just as importantly, how long it took to fix what was found.

For a 360˚ approach, it’s worth asking whether, as well as internal and external vulnerability and penetration testing, your supplier tests for insider threats and runs social engineering exercises such as simulated phishing against its own staff.

Gaining an understanding about the detail, frequency and results of such testing will help you understand whether your potential supplier is walking their own talk.

4. What processes are in place to gather threat intelligence?

The go-to source for threat intelligence in the UK is the National Cyber Security Centre (NCSC). It publishes weekly threat reports and provides detailed information and advice on its website.

A good MSP is likely to get information from other sources as well, including security advisories from the vendors of the solutions that they use and/or provide to clients. If they have internal resources dedicated to threat assessment, you should gain confidence in how seriously they take this issue.

A companion enquiry to this question is to understand how the supplier then cascades and communicates these threats to clients – and what support is offered to help clients respond quickly. Can the supplier provide a typical workflow, from receiving a vendor advisory to patching affected client systems, with the timescales at each step, so you can understand how quickly and easily you can respond to identified threats?

5. What training do you have in place for staff? How do you keep knowledge current?

Whether the problem is the result of an inadvertent slip or lapse, a genuine mistake or a deliberate violation, we know that human error accounts for a significant number of workplace problems – and, in this, IT is no different.

Email is a particularly common entry point: widely cited industry figures put the share of breaches that start with a phishing email at over 90%. Therefore, what measures do they have in place to educate their staff about phishing? Do they run simulated phishing exercises, and do staff have an easy way to report suspicious messages?

As a customer, you need to have full confidence that the people who will be looking after your systems and data – and, ultimately, your people and business reputation – are themselves being invested in, so that they are an asset rather than a source of potential problems. If a potential supplier takes this issue seriously, they should be happy, if not proud, to share this information with you.

6. What internal processes do you have in place? What processes are in place should systems be compromised?

Alongside training, your supplier needs to be able to demonstrate they have the right processes in place to support staff to do a great job. Quality reporting, feedback, issue reporting and resolution and optimised workflows are the baseline, but your supplier should be able to highlight specific security processes as well – from how new starters and leavers are managed (in particular, how quickly a leaver’s access to client systems is revoked), through device management, to SLA monitoring.

A key part of your analysis of these security policies should focus on what happens in the event of a disaster, to ensure business continuity. If you’re going to be relying on this company to help your failover mechanisms operate seamlessly, you need to know they’re not going to be battling with their own business continuity issues at the same time.

Ask how often disaster recovery systems and processes are tested, and how the last test went. The maxim to focus on here is: unless you have fully tested your business continuity plans, you don’t have business continuity plans.

To protect yourself and your company from cybercrime, an awareness of risk management is vital. But cyber-attacks can still happen and, although a breach at a supplier is not necessarily your fault, it is your responsibility to conduct a level of due diligence on key suppliers – especially IT providers – to help protect your business.

If you’d like to know more about things you should consider when choosing an IT Partner, we’ve put together a guide containing 6 industry secrets – you can request a free copy here…