Are you Protected? Questions to Ask your IT Provider
Many of us rely on managed service providers (MSPs) to handle our company’s day to day IT needs, from ensuring that employees have the right hardware and software to perform their duties to keeping your network running smoothly.
It’s crucial to recognize the role that your IT provider plays in securing your organization against common digital security risks.
Engage with your MSP to provide assurances and reports that all of these things are being addressed on a regular basis. The key is to trust and validate. You should trust and have confidence in your IT provider to perform the necessary duties in order to ensure that your organization is protected but take it a step further and validate that trust by asking questions.
- Patch Management
- Why / What?
- It’s critical that devices (laptops, phones, tablets, etc.) that are used to conduct day to day business are kept up to date. Software updates typically contain valuable information about bug fixes, vulnerability remediation, etc., that bad actors can use to take advantage of businesses who may be slow to install them.
- How to Validate?
- Request quarterly reports to ensure that all critical vulnerabilities are being remediated
- Why / What?
- Backups
- What / Why?
- Client data should be backed up and stored offline, so they remain separate from your company’s network and systems if they become compromised.
- Your MSP should also factor in your cloud / SaaS backup strategies (e.g., Salesforce, Google, etc.) as many of the tools your business is using may offer backups as part of the service you are paying for.
- How to Validate?
- Request proof that daily backups of critical data exist and are stored securely offsite.
- What / Why?
- Secure Authentication
- What / Why?
- Challenge your MSP to ensure that secure authentication processes (multi-factor authentication, single sign-on, etc.) exist to prevent bad actors from gaining access to them.
- How to Validate?
- Ask your MSP to categorize where MFA and / or SSO are in place wherever possible in each of the systems that your business uses
- What / Why?
- Security Awareness & Training
- What / Why?
- As the first line of defense, you and your staff need to know how to recognize real world cyber threats like phishing and learn about hot topics like artificial intelligence cybersecurity or new forms of malware
- You should familiarize yourself with the training that your MSP offers, including if they have options for specific job training dependent on roles (example)
- If you have a bookkeeper or accountant, are they aware of specific attacks that people might deploy to access financial data or bank accounts
- How to Validate?
- Ask your MSP for reports to show when employees are completing their required training and how they are scoring on any associated assessments
- What / Why?
- Device Encryption
- What / Why?
- Encryption is the process of encoding information so it is more difficult for hackers to steal it. Company provided workstations / devices should be fully encrypted to protect against data loss
- If employees are using personal devices for work purposes, is there a written policy in place that governs how employees deploy encryption on their own devices?
- How to Validate?
- Request a list of all workstations / devices that are governed by your MSP and ask them to identify the status of encryption on each device (on or off). Your MSP should be prepared to provide sufficient reasoning for leaving any devices unencrypted.
- What / Why?
- User Account Management
- What / Why?
- Employees should only be allowed to access systems that they need in order to do their job. Your MSP should make sure that this is consistent across your company.
- Example: a sales professional likely doesn’t need to be able to edit journal entries in your accounting system, but they’ll definitely need to be able to record sales activities in your CRM
- Ensure that employees have the appropriate level of access to systems, etc.
- Ensure that employees’ access is revoked in a timely manner (immediately) upon termination
- Employees should only be allowed to access systems that they need in order to do their job. Your MSP should make sure that this is consistent across your company.
- How to Validate?
- Have a conversation with your MSP about which systems each employee needs access to and what level of access they need within those systems. You should also agree with your MSP on certain criteria (e.g., terminated employees should have their access revoked within 24 hours).
- Document these conversations and hold your MSP accountable for abiding by them. Ask them to send you a quarterly report of existing employees and the level of access they have to all of your systems. Ask them to send you a quarterly report of all terminated employees and identify when their access to various systems was revoked.
- What / Why?
- Spam Filtering
- What / Why?
- With the rise of phishing attacks, all inbound communications (email, Slack, chat, etc.) should have some level of filtering to ensure that confirmed spam never makes it to your employees so they don’t have to determine whether it is spam or not
- How to Validate?
- Get assurance that your MSP is using best practices when deploying spam filtering. If you continue to see spam emails in your inbox, notify your MSP and ask them to adjust your filters accordingly
- What / Why?
- Governance
- What / Why?
- Your MSP should be helping to write IT and InfoSec related policies for your business and employees. This could be incorporated in your employee handbook or handled separately, but it is necessary in today’s world to have written policies in place to protect your organization from liability under litigation and hold employees accountable for a baseline standard of practices when using technology
- How to Validate?
- You should have a copy of any written policies that your MSP has written or helped to write for your organization to prevent and respond to information theft and system failure. If not, ask for them. At a minimum, you should have at least an information security policy and a business continuity / disaster recovery policy.
- What / Why?
Are you Protected? Take our digital risk assessment, and quickly understand how at-risk your business is.