7 Security Questions to Ask Your IT Provider

Checklist: 7 questions to ask your IT provider to better understand their security risk

Is Your IT Provider Secure?

On July 2, 2021, roughly 50 IT managed service providers (MSPs) were part of a cyberattack via one of the remote monitoring and management tools they used. While this is not the software that The AME Group uses, it does serve as a wake-up call to both providers and their clients. You trust them with your business, but how secure is your IT provider?

As with any IT managed service provider, The AME Group utilizes a collection of tools to help keep our clients running efficiently and securely. The ongoing assessment and maintenance of those tools must be part of any credible MSP's policies and procedures.

Top Technology Vendors Vulnerable to Threats

The fact is that every software vendor, security platform and cloud vendor is susceptible to threats. Whether it is Apple, Microsoft or Google, they all have had problems. Apple released a critical patch in July 2021. Microsoft has had a couple of vulnerabilities hit the news recently. Google also had a “zero-day vulnerability” in its Chrome browser in June and again in July. However, there are proven steps to take that dramatically reduce the risk by putting additional safeguards in place.

With the dramatic increase in ransomware attacks against small businesses, the need for security diligence and expertise has also increased. Gone are the days of the traditional anti-virus program, installing patches when you feel like it, and leaving remote access to your server open to the entire internet. This applies to your IT provider as well. Things have changed.

Be Thorough When Selecting an MSP

When partnering with a managed service provider, businesses should be extremely thorough and examine how their data and security will be managed. Contrary to what you may think, there is no over-arching regulatory body that dictates who can become an IT provider. There are no requirements to become certified, be audited or validate anything. Anyone can sign up to purchase the tools and call themselves an “MSP”.

However, there is mounting pressure to change this. Some states are requiring specific policies around incident reporting, some industries are requiring certain audit practices, and the cyber insurance landscape is becoming more stringent. For example, if you have a ransomware outbreak that requires bringing in IT help to get your business running again, be ready to show proof, shortly after submitting that insurance claim, of the controls and policies that you attested to when you signed up for the policy.

For the last couple of years, we have consistently heard stories when speaking to potential clients about how they were hit by ransomware. In some cases, it only required them to be down a “couple of days” to restore from backups. In many cases, the result was data loss that ended in them losing clients and revenue.

An interesting point came up during several of these conversations. The business said their current IT guy or MSP worked hard to restore their data and get their business running. But what measures were put in place to avoid being hit? Of course, the IT guy billed them for the additional time to do those restores and cleanup. Backups should be the last resort, not the go-to. We also hear how the toolsets in use are outdated, not properly maintained or simply misconfigured.

MSPs Know They Are Targeted

So much so that the Cybersecurity & Infrastructure Security Agency (CISA) issued an alert specifically for managed service providers back in October 2018. Two problems are common. First, an inexperienced or understaffed MSP fails to keep its own internal systems aligned to best practice. Second, it is slow to evolve when faced with new threats. Doing this is neither easy nor cheap. So, vetting an MSP is more important than ever.

Ask These 7 Questions Today

Whether you are evaluating an MSP or re-evaluating your current provider, you must ask them about their own security.

1️⃣ Do they have some type of 3rd-party audit program that they adhere to, such as the SOC 2 (System and Organization Controls)?

2️⃣ Does the audit align to the unique requirements of an MSP versus general IT practice?

3️⃣ Who is performing the auditing and testing? Can you be provided with proof of the audit or certification?

4️⃣ Have they evolved their security stack to address the current threats? If so, how?

5️⃣ What are their automation and detection capabilities?

6️⃣ Who in the organization monitors and reviews security incidents? Is it an IT generalist or a true IT security professional?

7️⃣ Does the MSP have an internal IT security policy that addresses how the toolset used to manage clients is kept up to date, assessed regularly and included in the audit process?

Don’t Set It and Forget It

IT security is not an easy “set it and forget it” concept. This is true for an outsourced IT provider too. Your provider should be able to explain and provide the steps taken to evolve their business practices to keep up with the current threats. If they cannot do so, a tough conversation needs to happen.