Tuesday, 22 September 2020

Why the IT Support Partner You Choose to Work With Could Be Your Biggest Security Risk

Modern cyber crime might be one of the biggest risks your business faces. But how do you know your business is protected as well as it could be?


Cyber Security: let’s call it what it really means, protecting yourself against criminals.

Modern cyber crime might be one of the biggest risks your business faces. It could cause you massive disruption, reputational damage or even ultimately to close shop. But how do you know your business is protected as well as it could be – or as well as you need it to be?

Choosing an IT company with which to partner isn’t an easy job for most businesses today.

Because technology is integrated in every aspect of our work, any technology partner will play a crucial role in keeping your business operational, minimising business risk, and driving forward improvements to business operations and profitability.

And nowhere is this more true than defending you against cyber criminals. 

What makes cyber security so vital today?

Cyber security can seem like a complex subject to anyone who is not immersed in the world of IT. Too often, risks and solutions are wrapped up in techy jargon that puts business leaders off from finding out more or from taking appropriate action.

That’s one of the reasons we love the Government’s Cyber Essentials scheme so much. It boils the complex topic of cyber security down to five essential pillars which, if you address them correctly, can protect you against the most common types of cyber-attack or criminal activity.

It’s really important that business leaders familiarise themselves with these key cyber security topics.

The business risks associated with not doing so include:

• A security incident will distract you from serving your customers or leave your staff twiddling their thumbs
• Breaches to your company network could make your systems unavailable for days
• Data theft could cause you legal action or at least huge embarrassment
• Thieves could steal and use or sell your Intellectual property and personal data
• The ICO could fine you heavily for poor practices and poor data security
• If the breach is made public, this could seriously harm your reputation
• You could suffer loss of business as a result of publicity about the breach


Given what’s at stake, it’s therefore vital that business leaders get informed and then use this knowledge to choose, assess and review any would-be IT support partner company.

What should your IT Support Partner be doing – and when?

For example, your IT company says it will take on your software security update service (otherwise known as patch management), but what software will they update, how often and when? On release of a new patch? Within fourteen days of release? Once every six months? Once a year? The answer to this will affect how well protected you are throughout the term of your agreement.

While patch management is an obvious example of how the frequency with which your IT supplier addresses key tasks will directly affect the cyber security stance of your business, there are many other examples:

• Software and IT Asset configuration management
• Actively-managed antivirus & antimalware with business-quality protection
• Managed threat prevention & web threat prevention/content filtering services
• Managed device control and desktop firewalls on End User Devices
• Business-quality Network Firewalls that are suitably configured & managed
• User management and housekeeping
• Starters and Leavers policies and processes
• Security permissions reviews periodically
• Secure disposal of assets and certified data removal
• Training and testing in security for staff

And this isn’t even an exhaustive list – if you would like more detail, please get in touch with our team today and we’ll talk you through the various activities and how they might impact your business.

What should your IT partner be doing to mitigate the risks?

Simply, your IT partner should be employing appropriate, proactively-managed defence measures for you and they should be undertaking a range of essential security tasks on a regular basis and when needed. None of these are once-a-year activities.

So, for example, training shouldn’t just be undertaken when you have a new starter. You should be continually testing one of your biggest attack vectors, your people, for example with automated phishing simulations for your employees.

Similarly, user management and approved user list curation. Who is responsible for what, and how are user access rights and permissions managed? What processes are in place to make this a proactive service? As we commonly find, it often happens only once a year or not at all. This approach leaves you completely unaware of the risks to your business in the intervening period.

This just isn’t good enough in today’s age, when unregistered hardware can have a tendency to creep onto your network with the factory settings (and the basic, same-for-every-device password) still intact. Automated scanning and testing tools are available that make it much easier and more cost-effective to stay apprised of all the risks across your network.

User management is another key area where IT support companies often fall short. We have taken over accounts where users who left the company more than three years ago still had active user IDs and access rights to network resources – a huge potential business risk which would be difficult to justify if it caused a data breach in contravention of GDPR, leaving you at risk of a hefty fine.
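The leaver and stale-account problem described above is straightforward to check for, given a user export. The script below is an added example, not Grant McGregor’s tooling; the account records and the 90-day threshold are constructed for illustration, and in practice the list would come from your directory (for example an AD user export) joined with HR’s leavers list.

```python
"""Audit a user export for leavers still enabled and for stale accounts.

Constructed example: each record carries the username, whether the account
is enabled, the last logon date (ISO) and, where HR knows it, the leaving date.
"""
from datetime import date, timedelta

# Constructed sample export, not real data.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_logon": "2020-09-21", "left": None},
    {"user": "bob", "enabled": True, "last_logon": "2017-03-02", "left": "2017-03-03"},
    {"user": "carol", "enabled": True, "last_logon": "2020-04-01", "left": None},
    {"user": "dave", "enabled": False, "last_logon": "2019-01-10", "left": "2019-01-11"},
    {"user": "svc_backup", "enabled": True, "last_logon": None, "left": None},
]


def audit_accounts(accounts, today, stale_after_days=90):
    """Return (user, reason, days) findings for enabled accounts only.

    reason is one of: leaver-still-enabled (days since leaving), stale (days
    since last logon beyond the threshold) or never-logged-on (days is None).
    """
    today_d = date.fromisoformat(today)
    cutoff = today_d - timedelta(days=stale_after_days)
    findings = []
    for acc in accounts:
        if not acc["enabled"]:
            continue  # disabled accounts cannot be used to reach resources
        if acc["left"] is not None:
            days = (today_d - date.fromisoformat(acc["left"])).days
            findings.append((acc["user"], "leaver-still-enabled", days))
        elif acc["last_logon"] is None:
            findings.append((acc["user"], "never-logged-on", None))
        elif date.fromisoformat(acc["last_logon"]) < cutoff:
            days = (today_d - date.fromisoformat(acc["last_logon"])).days
            findings.append((acc["user"], "stale", days))
    return findings


if __name__ == "__main__":
    # Report as of the date of this post; review findings with HR before acting.
    for user, reason, days in audit_accounts(ACCOUNTS, "2020-09-22"):
        print(f"{user:<12} {reason:<22} {'-' if days is None else days}")
```

Running this on a real export monthly, and keeping the report, gives you exactly the kind of evidence the next section says you should be asking your IT provider for.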

Your IT partner needs to be able to demonstrate not only that they are undertaking essential cyber security tasks, but also how often they are doing them and under what circumstances.

What can you do to mitigate the risks?

We’ve highlighted in other blogs how you shouldn’t just take your IT supplier’s word for it that they are doing what they should be doing. The onus is on you, when selecting an IT partner, to always ask what’s not included as well as what is included.

We can also add: how often it’s included.

The number one action you can take today is to get yourself tested and benchmarked against a common, basic UK security standard called Cyber Essentials. You can find out what this means by downloading our free guide to preparing and defending your business against the most common forms of cybercrime.

This will ensure you’re well placed to ask your supplier about how they will help you protect your business against the most common type of cyber-attacks.

Know this: the ICO takes the view that cyber security is still firmly your responsibility, even if you work with an outsourced IT provider. It’s your responsibility to choose them and to conduct sufficient due diligence on them, so that you know what cyber security tasks they say they’ll perform and that they actually do what they say.

You should know what needs to be done and seek reports or confirmation that it is being done. And, if essential cyber security work isn’t being done properly, your IT provider could turn out to be your weakest link…

Of course, you are always welcome to speak with the Grant McGregor team.

Our qualified cyber consultants and IT Service people are always on hand to answer any of your questions about cyber security and how to best protect your own business operations.

Get in touch today