With the increased uptake of cloud services across most organisations, it is crucial to assess your IT providers. You need to make sure they approach your business's cyber security professionally.
It is more important than ever to take a holistic view of your IT estate and identify areas of risk and weakness. If you don’t understand what your business security needs are, you won’t be able to identify an IT partner that can meet them.
Every business is different, but a few key fundamentals are the same, whatever your organisation does. Here are a few ideas that can help steer you when selecting your IT partners.
How does the provider approach security?
It may seem obvious, but checking that your IT provider takes cyber and IT security seriously is a good starting point.
Security and control standards can be useful when assessing your providers for cyber security. They outline best practice and provide assurance that a provider has defined processes, controls and documentation covering its approach to security.
We believe that, as a minimum, your providers should be Cyber Essentials certified. It is a baseline that should give you an idea of whether a provider is applying acceptable base standards to protect against cyber threats.
Ideally, your provider will be ISO 27001 certified. This certification sets out a standard of security controls and procedures outlining how a business approaches information and data security. Although not specifically designed for cyber security, it forms the basis of many cloud providers' approach. As the certification is assessed on an on-going basis, you can be sure the providers are continuously investing in systems, processes and best practice.
Many providers state that they provide services from ISO 27001 data centres and that this ticks all the boxes. Unfortunately, this means only that the data centre adheres to best practice; it does not mean your provider does.
It is also essential to understand the risks of using a provider who outsources certain aspects of their services. If your provider's subcontractors are overseas and outside the EU, what steps do they take to make sure defined processes and procedures are being adhered to? This is particularly critical if HR, payroll or financial data moves outside the EU, as your risk increases. The consequences for your business if this data is lost or stolen would be disastrous for your reputation, your client base and your finances.
Does your IT provider check their employees and provide appropriate on-going training?
So you are happy that your providers handle your systems and data in a compliant way, but have you considered how they recruit and manage their employees? Take some time to ask your provider about their screening process when appointing new employees. For example, DBS checks should be standard for any provider applying high levels of security within their business. This reduces the risk of employing someone who may be more likely to take part in illegal activity, including becoming an insider threat to the provider and, consequently, to your business.
Additionally, ask your provider what regular training their employees undergo. It should be comprehensive, covering information security best practice, data privacy and incident management. If they cannot provide you with this information, it is a good indicator that they are not regularly training their employees or taking cyber security seriously.
It is essential to ask these questions of any provider, not just your IT provider. All employees should be trustworthy, fully aware of their cyber security policies and know the procedures to follow in the event of a breach.
Does your existing IT provider advise you on ways to improve security?
If the answer is no, it is very concerning. Any IT partner should provide on-going cyber security advice, especially as threats are becoming more sophisticated. This does not just mean telling you to purchase the latest technology. They should also advise you on the policies and procedures you currently have in place for information management and cyber security.
We regularly help our clients to review their information management and cyber security policies, and they appreciate our guidance hugely. Recently, we have also been actively encouraging our clients to adopt multi-factor authentication (MFA). It provides an additional layer of security to approve a log-in to an application. This, in turn, reduces password and identity theft, as well as other cyber attacks. Microsoft state that MFA can block over 99.9% of account compromises.
Whether you take the advice or suggestions on board will always be your decision, but having that information at hand from your IT provider allows you to make informed decisions. You can assess the types of risk posed and make choices based upon this.
Benchmark your security and staff
Ideally, your IT provider should benchmark your current position at the beginning of any new relationship. This should cover your current cyber security and information management across systems, policies, procedures and employees. The assessment must not focus solely on the technology in place.
Your provider will highlight areas of weakness and suggest improvements. That may be increased training for your employees, a review of policies or an upgrade of current systems. Start by creating a plan of action with achievable goals. Then you and your provider can consistently benchmark your business to ensure it is as secure as possible. This makes the process as transparent as possible to both companies.
With benchmarking in place, you will be able to see clearly how your investment in cyber security is directly affecting your business. If it does not have the desired effect, your IT provider should be aware of this through the benchmarking and should recommend an improved approach to meet your goals.
So to close
As a business, it is your responsibility to make cyber security a priority. It is not just for your protection, but for your clients and their information. You must vet your IT provider to ensure that they are as cyber secure as you expect them to be.
By understanding your provider's approach to cyber security clearly, your leadership will be able to make an informed decision about the providers they want to work with. You can reduce your risk by working with competent providers whose approach matches your business's responsibilities to its clients; this can also help set you apart from your competitors.
By investing in the right provider and taking their advice and suggestions on board, you will be as secure as possible. You can also use this as an opportunity to gain a competitive advantage.
We know it is straightforward to select a provider based on price. But it is crucial to understand why they are cheaper. Would you take a more inexpensive service if it meant a risk to your security? I would think not.
Want to speak to us? You can book a meeting online with one of our directors.