Many businesses use third-party IT vendors that host, store, process, or access information records and manage the technology infrastructure of their organization. Far too many IT providers use “Security” as a buzzword to drive sales rather than possessing verified, working knowledge and experience in securely managing business networks. This situation should never be taken lightly, as your business and its clientele are truly at risk.
A collaboration between your company and an IT Managed Services Provider should only proceed after a thorough risk assessment has been completed on your organization’s environment. A properly performed risk assessment will identify gaps in your organization’s security posture. In addition, it should also provide guidance on the appropriate policies, procedures, configurations, and technology that will need to be put in place in order to follow industry best practices for information security and data protection.
Cybersecurity exploits and data breaches are published in the media almost every day. The victims can vary from small business startups to world-renowned global organizations. Don’t make the mistake of thinking your organization is too small or that the data you manage is insignificant to cyber criminals. Every business, regardless of size, collects, manages, and stores a wide variety of Personally Identifiable Information (PII) that is extremely attractive to identity thieves and other malicious actors.
The consequences of being breached include mitigation costs, loss of revenue, reputational damage, financial damage, and severe legal penalties if sensitive data is stolen. On average, 3 out of 5 small to mid-sized businesses that suffer a data breach are never able to financially recover and are forced to close their business.
There has been an intense focus on cybersecurity in recent years, and it is vital that your IT vendor gives you a diligent, security-focused service that keeps your organization’s security fundamentals at the forefront of its managed services strategy.
10 cybersecurity questions you should ask…
The following questions will help ensure your IT provider is following the best possible standards for your cybersecurity interests. Their focus should be on risk assessment as well as on applying current information security and IT configuration best practices as multiple layers of defense as a standard, rather than as a revenue-generating add-on.
1. Does your IT vendor routinely patch and verify patches for your IT infrastructure?
Security patching is the foundation of a robust cybersecurity policy that ensures all infrastructure equipment, laptops, desktops, servers, and software applications are running current, vendor-supported Operating System (OS) versions. Microsoft, Red Hat, and many other vendors release monthly security patches that protect against the latest known exploits discovered by security experts around the world.
The WannaCry ransomware attack of May 2017 wreaked havoc around the globe. The attack exploited a vulnerability in the Windows OS, but Microsoft had already fixed that vulnerability two months prior. Those who were impacted had not patched their operating systems in time, resulting in widespread disruption and significant costs. Ransomware such as WannaCry and other forms of malware are still a very real threat today, especially for businesses.
At minimum, security patching must be a monthly task performed by your provider on a schedule that addresses all systems and devices. No device, whether it be a server, computer, router, switch, or wireless access point, is too important or too insignificant to be patched. In high-production environments, an appropriate patching schedule should be arranged outside of core business hours if required. In addition, monthly patching verification should be performed and monthly patch reports provided to the business, so there is complete transparency of your provider’s maintenance efforts.
2. Does your IT vendor provide an up-to-date, managed, and monitored antivirus platform?
IT security best practices recommend that your vendor provide an up-to-date, managed, and monitored antivirus solution for your entire IT infrastructure. Antivirus is one of the first lines of defense against exploits and vulnerabilities. Therefore, the antivirus solution should be configured to deal with threats in real time as well as to run a scheduled scan at specified intervals.
If the antivirus is configured properly and a virus signature is detected, the software will intercept and quarantine the virus, hopefully preventing malware from spreading further throughout the network. The antivirus platform should send an alert informing your provider that this event happened. In turn, your provider’s technicians should immediately respond to ensure that this event is not the start of a malicious outbreak.
Proper antivirus solutions should also be able to deploy security policies that block USB access and/or mobile devices when attached to company assets. Devices should always be tracked for compliance and remotely wiped if found to be in breach of the organization’s security policy. This protects the integrity and confidentiality of the organization’s data. Insider threats are very real and should never be taken lightly. Even the most trustworthy employee could accidentally introduce malware into your organization’s network by connecting their personal mobile or storage devices.
3. Does your IT provider actively filter, monitor, and manage network threats and Internet activity?
As part of your security best practice baseline, your business needs to have securely managed and monitored Email Filtering, Web Filtering, Ad Blocking, and Script Blocking solutions that are integrated as part of your security regime. These items should not be considered an optional “Add-On” feature from your IT provider, but rather a requirement that is bundled with their IT managed services offering.
Email Filtering scans and filters all inbound and outbound Email for spam, phishing attempts, malicious attachments, and many other threats. Email filtering can also be used to make sure employees are not sharing sensitive company information with others by enforcing Data Loss Prevention rule sets. Some Email filtering services also bundle the option to send Encrypted Emails for times when sensitive information must be shared from one party to another. In addition, many Email filtering providers offer either a Disaster Recovery Mailbox or Email “Store & Forward” in the event that your Email services are down or unreachable.
Web Filtering keeps employees on task while also helping your business stay more secure from various threats found on Internet websites. Web Filtering uses rule sets such as a white list or black list that either allow or block users’ access to specific websites and/or certain types of content. Web filtering may be either hardware or software based, and many products provide the option of configuring groups for more granularity when setting up allow and block rules. For instance, company policy dictates that adult content, gambling, drugs, dating, racial/hate, hacking, and social media websites should all be blocked. However, part of your marketing strategy is to use specific social media such as LinkedIn, Facebook, and Twitter. Rule sets could be configured to block all of these categories for everyone, but allow only your marketing people access to these specific social media websites so they may perform their job function.
Ad Blocking and Script Blocking. Cyber criminals are not afraid to spend money to make money, and just about anyone can purchase Ad Space on Ad Rotators that service multiple websites. It is increasingly common for the Ads served through these rotators to collect privacy data from your web browser, run malicious scripts in the background, and potentially compromise your computer systems if allowed to run. As a result, it has become a security best practice to block the majority of Ads and Scripts in order to maintain baseline security measures in business networks.
As an optional layer of protection, Network Intrusion Prevention Systems (NIPS) and Network Intrusion Detection Systems (NIDS) can monitor and alert on security events within an entire IT infrastructure. NIPS/NIDS can be implemented as software or as hardware appliances which scan all network traffic, analyze packets, and track network activity within a designated environment (LAN/WAN). Over time the system learns the normal state of the network and can automatically issue warnings or block unexpected traffic if required. The data collected can be used to output trend analysis reports, monitor network traffic, report on system performance, and track and monitor system/user behavior.
4. Does your provider offer and encourage multi-factor authentication?
One of the most popular ways of securing data is using multi-factor authentication software and/or hardware to add protection layers not only to the corporate infrastructure, but also to Internet resources. Multi-Factor Authentication (MFA) services are the standard authentication model for systems that require a user to prove their identity, beyond supplying a username and password, prior to accessing specific system resources.
With MFA, users are required to provide something only they know (usually a password or pin code) with a security item they have (often a mobile phone or a secure key) and something unique to them (a username, fingerprint, or retina scan). This information validates with a security mechanism or an appliance that controls access to the system resource.
Businesses are strongly urged to adopt MFA in order to strengthen the authentication mechanisms for their internal resources as well as any business-related online resources. Using the MFA process will help ward off brute-force hacking attempts by malicious actors.
5. Does your IT provider secure network access to only allow approved devices?
Cybersecurity-conscious IT vendors should always restrict network access to qualified, approved devices. This can easily be configured on Windows Servers that utilize the Network Policy Server (NPS) role. The NPS role is built into Windows Server (versions 2012R2, 2016, and 2019) and requires no additional licensing cost. It only needs to be enabled and configured.
With NPS enabled and properly configured, network access is automatically denied if an unapproved device attempts to connect. The whitelisting of laptops, desktops, servers, and mobile devices is done by MAC address. A MAC address is a unique hardware address that is assigned by the hardware vendor to the network interface of every network-capable device.
Most managed switches can be configured to work with an NPS server in order to lock down the switch ports to only approved devices. As an added layer of security, unused network jacks should be physically disconnected from the network switch and only connected when put into use. In addition, unused network interfaces on network switches should be administratively shut down when not in use. This way there will be no network connectivity available if someone gains physical access to the network switch and attempts to plug into an open port.
When leveraging NPS, approved devices are checked to make sure that Windows Updates (if applicable) are current and that the device’s antivirus is enabled and up to date before being allowed to connect to the primary network. If a device does not meet these criteria, it is sent to a remediation network where it is allowed to connect only to remediation servers to get its updates and be scanned for malware before being allowed to access the primary network.
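As an added example (not the article’s code, and not Microsoft’s NPS implementation), the Python below models the admission flow just described: MAC-based approval first, then patch and antivirus checks, with approved but non-compliant devices routed to a remediation network instead of the primary one. The VLAN ids, age thresholds and device records are constructed; the MAC normalization step is included because mismatched address formats between switch and inventory are a common reason a legitimate device is wrongly denied.

```python
# Added example, not the article's or any vendor's code: a simplified model of the
# NPS admission flow. VLAN numbers, thresholds and device records are constructed.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple
import re

PRIMARY_VLAN = 10          # constructed: production network
REMEDIATION_VLAN = 99      # constructed: reaches remediation/update servers only
MAX_PATCH_AGE_DAYS = 35    # assumption: one monthly patch cycle plus slack
MAX_AV_SIGNATURE_AGE_DAYS = 3

def normalize_mac(mac: str) -> str:
    """Canonicalise common MAC spellings (aa:bb:.., AA-BB-.., aabb.ccdd.eeff, bare
    hex) to lower-case colon form, so an allow-list lookup never fails merely
    because the switch and the inventory format the address differently."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class DeviceHealth:
    """Posture a NAC agent would report for a device asking to connect."""
    mac: str
    last_patch_date: Optional[date]   # None for devices that take no Windows Updates
    av_enabled: bool
    av_signature_date: Optional[date]

@dataclass
class Decision:
    action: str            # "allow", "remediate" or "deny"
    vlan: Optional[int]    # None when the port stays closed
    reason: str

def admit(device: DeviceHealth, allow_list: Set[str], today: date) -> Decision:
    """Unknown MACs are denied before any health check; approved but unhealthy
    devices are quarantined, not refused, so they can be brought into compliance."""
    mac = normalize_mac(device.mac)
    if mac not in allow_list:
        return Decision("deny", None, f"{mac} is not on the approved-device list")
    failures = []
    if (device.last_patch_date is not None
            and (today - device.last_patch_date).days > MAX_PATCH_AGE_DAYS):
        failures.append("Windows Updates overdue")
    if not device.av_enabled:
        failures.append("antivirus disabled")
    elif (device.av_signature_date is None
          or (today - device.av_signature_date).days > MAX_AV_SIGNATURE_AGE_DAYS):
        failures.append("antivirus signatures missing or out of date")
    if failures:
        return Decision("remediate", REMEDIATION_VLAN, "; ".join(failures))
    return Decision("allow", PRIMARY_VLAN, "approved device, patches and antivirus current")

# Constructed allow list in the mixed formats an inventory typically accumulates.
APPROVED = {normalize_mac(m) for m in
            ("00:11:22:33:44:55", "AA-BB-CC-DD-EE-01", "0011.2233.4466")}

def demo(today: date = date(2024, 6, 15)) -> List[Tuple[str, str, Optional[int]]]:
    """Run four constructed devices through admit() on a fixed reference date."""
    devices = [
        DeviceHealth("00-11-22-33-44-55", date(2024, 6, 11), True, date(2024, 6, 14)),  # healthy
        DeviceHealth("aa:bb:cc:dd:ee:01", date(2024, 3, 1), True, date(2024, 6, 14)),   # patches stale
        DeviceHealth("0011.2233.4466", date(2024, 6, 11), False, None),                 # antivirus off
        DeviceHealth("de:ad:be:ef:00:01", date(2024, 6, 11), True, date(2024, 6, 14)),  # not approved
    ]
    results = []
    for d in devices:
        r = admit(d, APPROVED, today)
        results.append((normalize_mac(d.mac), r.action, r.vlan))
    return results

if __name__ == "__main__":
    for mac, action, vlan in demo():
        print(f"{mac} -> {action:9s} vlan={vlan}")
```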
6. Does your IT vendor provide and measure your employees’ security awareness training?
Arguably one of the most important questions to ask is around Security Awareness and Training. Human error accounts for a significant proportion of cybersecurity issues, but adequate training can be leveraged to address and correct the problem.
Businesses must properly vet and background check all employees as a standard, then engage in a training program to focus staff members on the dangers of phishing, social engineering, and other exploits. Training is often the best weapon your organization has against cybersecurity risks. Keeping staff in tune with the latest risks and security trends will give your organization the best possible start for a strong cybersecurity posture. Training should always be ongoing and required as a condition of employment, rather than viewed as optional and performed whenever convenient.
Keep in mind that for security awareness training to be effective, it must also provide measurable results. This can be achieved through specially crafted mock social engineering, spoofing, “malicious” attachment, and phishing campaigns. These campaign exercises are specially designed to test the employee’s reactions when confronted with these real-life security issues after the training has ended and reinforce their awareness.
For example, a specially crafted phishing email is sent to an employee. If the employee reports the phish, it is noted in the system and no further action is required. If the employee follows the phish, the employee is notified that this was a test and the system continues with a training review to point out what the employee should have done and then quizzes the employee to ingrain the correct behavior. All results of the mock phish are accumulated by the management system and reports are shared with the predefined management personnel.
Employees with excessive violations will either require additional training in order to correct their behavior, or be terminated in order to protect the organization from an insider threat. That decision is a matter left for the organization to decide in accordance with its accepted security policies and procedures.
7. Does your IT provider assist you with developing proper documentation, policies, processes, and procedures for protection of Personally Identifiable Information (PII) and regulatory compliance such as PCI DSS and HIPAA?
Personally Identifiable Information (PII) is any information with regard to one’s identity.
PII includes, but is not limited to:
| Full Name              | Driver’s License/State ID Info |
| Date of Birth          | Passport Information           |
| Street Address         | Account Info                   |
| Phone Number           | Medical Info                   |
| Email Address          | Employee Records               |
| Place of Birth         | Financial Records              |
| Social Security Number | Vendor Records                 |
PCI DSS is the Payment Card Industry Data Security Standard. PCI DSS requirements apply to any organization that accepts credit and debit cards as a payment method.
HIPAA is the Health Insurance Portability and Accountability Act of 1996 which provides data privacy and security provisions for safeguarding medical information.
Regardless of the type of regulatory compliance your business requires, one constant holds true for all: they all require specific policies, processes, and procedures with regard to overall security and the safe handling, management, and destruction of data containing PII.
Depending on the complexity of your business environment and the type of regulatory compliance required, your business’s comprehensive policies and procedures can evolve to well over 100 pages. As you can imagine, this can be a daunting task for the inexperienced. In addition, it is not recommended to use someone else’s policy, process, and/or procedure templates as they may not accurately reflect your business or its operations.
That isn’t to say that templates could not be used as a guide. However, the end result needs to reflect in detail how the business will operate, how often these items are checked for compliance, and how often they will each be updated. Policies, processes, and procedures also include the actions that will be taken to address employees who do not conform to the rules of the organization.
Have a look here for examples of typical policies that are necessary for protecting the business as well as its consumers’ PII, along with maintaining satisfactory regulatory compliance for PCI-DSS and HIPAA.
A key item that many businesses overlook is the Breach Notification Policy. Many states have direct legal mandates with regard to security breaches and the notification of such activity. Section 134.98 of the Wisconsin Statutes requires businesses to notify individuals within 45 days if an unauthorized person has acquired their personal information. If you are a Wisconsin business, it is well worth your time to look into this statute and seek legal advice in order to develop a proper Breach Notification Policy for your business.
8. Does your IT provider offer Vulnerability Scanning and Penetration Testing?
Hardening and securing internet facing servers and applications is a key part of cybersecurity. Web, Email, and remote access servers are just a few examples of Internet facing servers. Any servers that allow public access (from the Internet) must continually be scanned for vulnerabilities.
Even if your business doesn’t have a server, vulnerabilities can still be found in hardware such as routers and network switches. These vulnerabilities can stem from improper configuration or from out-of-date software/firmware. Network computers can likewise be poorly configured, have firewalls or antivirus turned off, or have file and share permissions that give just about anyone with access to your network unrestricted access to your company’s data.
Vulnerability Scanning. A vulnerability scan is performed to search an internal network as well as Internet-facing servers and applications for a variety of vulnerabilities. Examples of these vulnerabilities include, but are not limited to, weak and outdated versions of SSL/TLS encryption, expired security certificates, out-of-date software, and various system misconfigurations. The scanner uses a vulnerability database to generate a Common Vulnerabilities and Exposures (CVE) Report that also contains the remedial actions needed to resolve identified vulnerabilities.
Penetration Testing. Penetration Testing is the process of exploiting a vulnerability or series of vulnerabilities in order to breach a system and gain what would normally be considered “unauthorized” access. A security expert, sometimes referred to as an ethical hacker, performs penetration testing. Vulnerabilities will be targeted using specialized software and scripting that will attempt to exploit and breach any identified vulnerability. Cybersecurity specialists use this information as a proof of concept (POC), to identify additional holes found in the security measures, to add further security measures, and verify related remedial actions.
9. Does your IT provider engage in independent auditing of the network and services to ensure their effectiveness regarding security best practices?
Is your IT provider openly willing to have a qualified security provider audit your network for potential security gaps? Or do they claim to “Own your network” while you’re under contract with them?
It is essential that your IT provider’s performance in your business’s network is routinely audited by a reputable outside source to ensure that the provider is adhering to information security best practices. An external review by a qualified third party provides a non-biased and thorough audit of the IT provider’s services as well as a review of your company’s posture regarding your cybersecurity policies and procedures. This way you can be assured that any recommendations for threat and risk assessments are coming from a reputable, unbiased source. This should be viewed as a process of professional collaboration for the greater good, rather than market competition.
However, many vendors prefer to remain “self-assessed” for fear of market competition. Regardless, it is always recommended that a third party complete the assessment in order to attain a fresh and unbiased perspective. IT providers that openly embrace this approach develop a unique trust between you and the IT provider, safe in the knowledge that the cybersecurity offerings are designed to serve your best interests rather than the provider’s.
10. Does your IT provider hire certified IT engineers specifically trained in cybersecurity and require continuing education as a condition of continued employment?
A huge problem we see among many managed service providers is the lack of formal education and certification specifically in Information Technology (IT). This problem is compounded exponentially when it comes to the lack of formal education and certification of those who profess knowledgeable prowess with regard to Information Security (IS).
Far too many sales and marketing people from various fields such as telecommunications, hardware vendors, software developers, office supply chains, printer and copier vendors, even computer and electronics sales and repair have jumped into managed IT services as a niche to make more money. Unfortunately, this can easily present a bad situation for organizations that rely on these types of merchants as their “Trusted Technology Advisors” when it comes to Information Security.
In short, your IT provider is not an expert in his or her field just because they’ve been in business for a long time and/or happen to know a few tricks to keep your systems up and running. A real IT expert has been through rigorous formal educational training and has earned certifications in critical technical areas such as Systems Administration, Systems Engineering, Network Administration, Network Engineering, but most importantly… in Cybersecurity.
Expert IT providers should be able to provide proof of the IT/IS college degrees and industry recognized certifications they have personally earned along with that of their staff. They should also be able to demonstrate a consistent track record of continuing education that each member of their staff has achieved as a condition of their continued employment with the service provider. By far, the majority of the continuing education and industry recognized certifications should be devoted to Cybersecurity and Information Security Management.
A quality IT provider can add extra value to your business, and should be able to answer each question above positively. In addition, they may also offer additional services that will bolster your cybersecurity strategy. These include the capability of designing a durable business continuity plan, a reliable backup and disaster recovery strategy, and additional management, monitoring, and reporting on the threat landscape of your business.
Any IT provider that cannot answer each question above positively, or wholeheartedly embrace the security recommendations listed above should be summarily avoided in order to protect your business. If your provider attempts to dodge, redirect, or make excuses for any of the questions above, it is a clear sign that they place their business interests above yours. Obviously, this is not a sign of a good partnership, and your business as well as your clientele deserve better.
There are plenty of hard working, qualified, and certified IT providers out there with a clear focus on security who deserve to work with your business. As a business owner, you just have to be willing to separate the wheat from the chaff in order to find them.
Cybersecurity Best Practices – Center for Internet Security
HIPAA – U.S. Department of Health & Human Services (HHS)
PCI-DSS – Official PCI Security Standards Council
National Institute of Standards and Technology (NIST)
Schneier on Security