No matter how well your current IT provider does their job, if they do not get security done right, you are at risk
As an IT provider, no matter how well you perform in every other aspect of your operation, if you don’t get security right, you will eventually fail. So how do you, as the end customer, select the right provider?
Much like seeking a legal or medical professional, you are unlikely to be able to judge their qualifications directly. But you can start by asking these main questions and taking note not just of how, but also of how comfortably, they are answered.
How they secure you
A decade ago, a good security stack consisted of a quality deep packet inspection (DPI) firewall, managed antivirus (AV) clients, and effective software patching. Today that falls short. We add next-generation AV clients, aka endpoint detection and response (EDR), DNS filtering, firewall log services, universal two-factor authentication, and a security operations center (SOC) backing it all up. What does this all mean? The good news is that you don’t have to know. But your MSP does. Bonus question: how frequently do they update their offerings?
If you run a business subject to regulations, even more sophisticated protection such as application whitelisting, mobile device management, local encryption, and more may be necessary. And don’t forget to ask how they manage cloud security and how they secure your remote access and your wireless access. And what about backup, business continuity, and disaster recovery? This might not strike you as part of a security plan, but this sort of “cyber resilience” is critical. An oft-overlooked issue is how they train your staff and track that training. Finally, how do they communicate all of this with you?
How they secure themselves
This will be harder to ascertain, as you are now asking them about their internal operations, which not everyone will want to discuss. But I would make the argument that this is a critical discussion that they should welcome. At the very least, they should engage with all the same tools, processes, and procedures they offer their clientele. We call that “eating your own dog food,” and it boils down to becoming an expert with your offerings and staying nimble enough to add and change security offerings as circumstances change (see: the entire year of 2020).
It is not enough to deploy all the latest technologies. IT providers must master their tools in order to learn not only their capabilities but their shortcomings. IT security is a process with many “moving parts” that are always changing. A large part of that is ongoing practice, not only with the tools themselves but also with the mindset of behaving securely and practicing good OPSEC (operational security). Behaving securely includes such nuances as being sure to safeguard private information, never leaving customer equipment unguarded in a car, or simply locking data and devices away safely each night.
How they know what they know
In any field as dynamic as IT security, staying on top of new threats, learning about the broader market trends, and selecting the right tools and processes is the greatest challenge. Take some time to discuss with them how they achieve this. Do they attend events and take training? Are they leaders in their field? Do they speak or write in their industry? This is also about how they document their process to ensure they get it right, and about how they communicate. If you have regulatory exposure, this can be the most important aspect of their work.
Another issue to address is how they check their own work. No person or process is perfect, after all. Do they participate in regular security reviews of their own business? Do they have a culture of security in their own practice? Do they use the same tools they offer you? Do they go through periodic reviews (internal or external) of their own procedures? Do they keep their staff trained? Do they document these processes well, and can they produce proof that they do so? If practical, it would be wise to visit their location and get a feel for how they operate firsthand.
In the final analysis
There is no failsafe way for you to evaluate the “security posture” of your current or prospective IT provider. There are several good questions to ask, but ultimately, you will be making a judgment call. However, armed with the above, you can at least ask the right questions and form an opinion of not just the answers but how the questions are handled. Choosing a secure MSP is critical, as securing your business is the single most important aspect of how any IT provider performs. No matter what else they get right, if they don’t get this, nothing else matters.