10 Cybersecurity Questions You Should Be Asking Your IT Vendor

Many businesses use third-party IT vendors that host, store, process, or access information records and manage the technology infrastructure their organization depends on. Far too many IT providers use “security” as a buzzword to drive sales rather than possessing verified working knowledge and experience in securely managing business networks. This is a situation that should never be taken lightly, because your business and its clientele are truly at risk when that is the case.

A collaboration between your company and an IT Managed Services Provider should only proceed after a thorough risk assessment has been completed on your organization’s environment. A properly performed risk assessment will identify gaps in your organization’s security posture. In addition, it should also provide guidance on the appropriate policies, procedures, configurations, and technology that will need to be put in place in order to follow industry best practices for information security and data protection.

Cybersecurity exploits and data breaches are published in the media almost every day. The victims can vary from small business startups to world-renowned global organizations. Don’t make the mistake of thinking your organization is too small or that the data you manage is insignificant to cyber criminals. Every business, regardless of size, collects, manages, and stores a wide variety of Personally Identifiable Information (PII) that is extremely attractive to identity thieves and other malicious actors.

The consequences of being breached include mitigation costs, loss of revenue, reputational damage, financial damage, and severe legal penalties if sensitive data is stolen. On average, 3 out of 5 small to mid-sized businesses that suffer a data breach are never able to financially recover and are forced to close their business.

There has been an intense focus on cybersecurity in recent years, and it is vital your IT vendor is giving you a diligent, security-defined service, which has your organization’s security fundamentals at the forefront of its managed services strategy.

10 cybersecurity questions you should ask…

The following questions will help ensure your IT provider is following the best possible standards for your cybersecurity interests. Their focus should be on risk assessment as well as on applying current information security and IT configuration best practices as multiple layers of defense, delivered as a standard rather than as a revenue-generating add-on.

1. Does your IT vendor routinely patch and verify patches for your IT infrastructure?

Security patching is the foundation of a robust cybersecurity policy: it ensures that all infrastructure equipment, laptops, desktops, servers, and software applications run current, vendor-supported Operating System (OS) versions. Microsoft, Red Hat, and many other vendors release monthly security patches that protect against the latest known exploits discovered by security experts around the world.

The WannaCry ransomware attack of May 2017 wreaked havoc around the globe. The attack exploited a vulnerability in the Windows OS, but Microsoft had already fixed the vulnerability two months prior. Those who were impacted had not patched their operating systems in time, resulting in widespread disruption and significant costs. Ransomware such as WannaCry and other forms of malware are still a very real threat today, especially for businesses.

At minimum, security patching must be a monthly task performed by your provider on a schedule that addresses all systems and devices. No device, whether server, computer, router, switch, or wireless access point, is too important or too insignificant to be patched. In high-production environments, the patching schedule should be arranged outside of core business hours where required. In addition, monthly patch verification should be performed and monthly patch reports provided to the business, so there is complete transparency of your provider’s maintenance efforts.
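The monthly verification and report described above, as an added example that is not from the original article: it takes a constructed device inventory (hostname, device type, OS, last patch date, as an RMM or patch-management export might supply) and flags every device that is unpatched for longer than the monthly cadence, never patched, or running an OS the business treats as no longer vendor-supported. The inventory records and the unsupported-OS list are constructed for the example.

```python
"""Monthly patch-verification report over a constructed device inventory."""
from datetime import date

# Constructed inventory; every device class the article names is represented.
INVENTORY = [
    {"host": "dc01",     "type": "server",      "os": "Windows Server 2019",    "last_patched": "2023-09-12"},
    {"host": "ws-14",    "type": "desktop",     "os": "Windows 10",             "last_patched": "2023-07-03"},
    {"host": "rhel1",    "type": "server",      "os": "RHEL 8",                 "last_patched": "2023-09-20"},
    {"host": "fs-old",   "type": "server",      "os": "Windows Server 2008 R2", "last_patched": "2023-09-25"},
    {"host": "sw-core",  "type": "switch",      "os": "Switch OS 4.2",          "last_patched": None},
    {"host": "ap-lobby", "type": "wireless_ap", "os": "AP firmware 1.9",        "last_patched": "2023-08-28"},
]

# Constructed list of OS versions no longer receiving vendor security patches.
UNSUPPORTED_OS = {"Windows 7", "Windows Server 2008 R2"}

MAX_PATCH_AGE_DAYS = 31  # monthly cadence, as the article requires


def assess_device(device, today, max_age=MAX_PATCH_AGE_DAYS):
    """Return the findings for one device; an empty list means compliant."""
    findings = []
    if device["os"] in UNSUPPORTED_OS:
        findings.append("unsupported OS")
    if device["last_patched"] is None:
        findings.append("never patched")
    else:
        age = (today - date.fromisoformat(device["last_patched"])).days
        if age > max_age:
            findings.append(f"last patch {age} days ago")
    return findings


def patch_report(inventory, today_iso):
    """Build the monthly report: per-host findings plus a compliance summary."""
    today = date.fromisoformat(today_iso)
    findings = {d["host"]: assess_device(d, today) for d in inventory}
    non_compliant = sorted(h for h, f in findings.items() if f)
    return {"findings": findings, "non_compliant": non_compliant,
            "compliant_count": len(inventory) - len(non_compliant)}


if __name__ == "__main__":
    report = patch_report(INVENTORY, "2023-10-01")
    for host, found in report["findings"].items():
        print(f"{host:10} {'OK' if not found else ', '.join(found)}")
    print(f"{report['compliant_count']}/{len(INVENTORY)} devices compliant")
```

The report is the artefact to ask the provider for each month; a host that is absent from it is as much of a finding as one that is flagged.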

2. Does your IT vendor provide an up-to-date, managed, and monitored antivirus platform?

IT security best practices recommend that your vendor provide an up-to-date, managed, and monitored antivirus solution for your entire IT infrastructure. Antivirus is one of the first lines of defense against exploits and vulnerabilities. Therefore, the antivirus solution should be configured to deal with threats in real time as well as to run a scheduled scan at specified intervals.

If the antivirus is configured properly and a virus signature is detected, the software will intercept and quarantine the file, hopefully preventing the malware from spreading further throughout the network. The antivirus platform should send an alert informing your provider that this event happened. In turn, your provider’s technicians should immediately respond to ensure that this event is not the start of a malicious outbreak.
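The "is this the start of an outbreak?" check that the provider's technicians should perform, as an added example that is not from the original article: it parses constructed antivirus alert lines and flags a signature that appears on several distinct hosts within a short window, and any host where quarantine failed. The log format and every alert line below are constructed; real products each export their own format, so the parser is the part to adapt.

```python
"""Triage of antivirus quarantine alerts to spot the start of an outbreak."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert lines: timestamp, host, signature, action taken.
ALERT_LINES = """\
2023-10-02T09:01:10 ws-07 Trojan.GenericKD quarantined
2023-10-02T09:03:42 ws-12 Trojan.GenericKD quarantined
2023-10-02T09:04:15 ws-12 Trojan.GenericKD quarantine_failed
2023-10-02T09:05:59 ws-19 Trojan.GenericKD quarantined
2023-10-02T13:30:00 ws-03 EICAR-Test-File quarantined
""".splitlines()


def parse_alert(line):
    """Split one constructed alert line into its fields."""
    ts, host, signature, action = line.split()
    return {"time": datetime.fromisoformat(ts), "host": host,
            "signature": signature, "action": action}


def triage(lines, spread_hosts=3, window_minutes=15):
    """Return the findings a technician should act on immediately.

    spread: one signature seen on >= spread_hosts distinct hosts inside a
            sliding window, i.e. the detection may be a spreading outbreak.
    containment_failed: the product could not quarantine, so the host must
            be isolated by hand rather than assumed clean.
    """
    alerts = sorted((parse_alert(line) for line in lines), key=lambda a: a["time"])
    recent = defaultdict(list)  # signature -> alerts still inside the window
    spread, failed = {}, []
    for a in alerts:
        if a["action"] != "quarantined":
            failed.append((a["host"], a["signature"]))
        cutoff = a["time"] - timedelta(minutes=window_minutes)
        recent[a["signature"]] = [s for s in recent[a["signature"]]
                                  if s["time"] >= cutoff] + [a]
        hosts = {s["host"] for s in recent[a["signature"]]}
        if len(hosts) >= spread_hosts:
            spread[a["signature"]] = sorted(hosts)
    return {"spread": spread, "containment_failed": failed}


if __name__ == "__main__":
    for kind, detail in triage(ALERT_LINES).items():
        print(f"{kind}: {detail}")
```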

Proper antivirus solutions should also be able to deploy security policies that block USB storage and/or mobile devices when they are attached to company assets. Devices should always be tracked for compliance and remotely wiped if found to be in breach of the organization’s security policy. This protects the integrity and confidentiality of the organization’s data. Insider threats are very real and should never be taken lightly. Even the most trustworthy employee could accidentally introduce malware into your organization’s network by connecting their personal mobile or storage devices.