What IT Service provider represents the ‘best of the best’ when it comes to Cyber Security and what questions should you be asking?
We all know it is easy to say you are the best, and marketing materials will likewise make an argument in favor of whatever company is pushing for your business; but before making a decision, consider these key indicators and be sure to ask similar questions as you evaluate potential providers.
Key Indicators of Cyber Security Success
Be on the lookout for an IT partner who has developed processes, training and controls to protect your business. The Cyber Security landscape changes frequently and has no one-stop solution. It requires diligence, consistency and a commitment to ongoing learning, for both you and your IT provider.
A solid IT Services firm will have processes in place to protect your business. Reputable firms invest in people who monitor and document their actions. Ask for updates on how their activities are going, copies of reports, documentation, etc.
– Do they set up backups and then simply assume they are running (we hope not!)? How frequently are backups checked, and by whom?
– What about your network appliances (e.g., firewalls)? How frequently will they be patched?
– Do they provide backup reports and at what frequency?
– Ask for status reports on patch management efforts.
– How is system access granted and removed?
A reputable IT Services firm will encourage training for their own staff as well as yours. The majority of Cyber Security attacks happen due to actions performed by internal employees. Encourage a culture of IT cyber training within your own firm, and look for the same in the IT provider you are hiring.
– What Cyber Security training do they offer to clients?
– What systems training do they offer to their own staff?
– If the IT Service provider you are considering needs to be (for example) HIPAA compliant, is their staff trained on the Privacy and Security rules?
There are countless vendors out there offering services to support Cyber Security needs. Keep in mind that cyber protection comes in many layers; there is no single thing (e.g., anti-virus software) that alone will protect your firm. Your IT provider will have their own preferred tools and controls to protect your network. Be sure to discuss your budget and, within reason, take advantage of every protective layer you can afford. Keep in mind, the goal is to reduce risk to the lowest possible level. Here are examples of solutions we implement for our clients:
– Backup Solutions (we are fans of products from Veeam and Barracuda); look into both on-site and cloud-based solutions.
– Email and Spam Protection (Barracuda Email Protection); consider solutions that archive, back up and actively monitor for threats.
– Anti-malware Protection (consider an AI powered solution, such as a product from F-Secure); these next generation endpoint protection solutions go beyond basic anti-virus protection.
– 2FA Protection (we’ve enjoyed success with solutions from DUO); you need to be using multi-factor authentication wherever possible to secure accounts.
– Network Appliances (note: depending on your budget, firewall and even VPN solutions can vary greatly); also, if many people are working from home, you will need to consider cloud-based solutions that protect all devices no matter how users connect to the internet.
Remember, you can never fully outsource IT governance. Unless you hire a provider who is given carte blanche monetary and executive support, there are constraints that must be balanced against risk. Openly discuss your appetite for risk and your acceptable recovery times with your IT provider. Aim to get the most protection within the budget you have available, and remember the importance of individual ownership; controls need to be implemented alongside end-user training. End users need to understand the efforts being undertaken to safeguard company assets, because each of them plays an enormous part in keeping your systems safe.