[BreachExchange] 4 Security Questions to Ask When Outsourcing IT Operations to Make Sure Your Business Isn't at Risk

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 3 18:35:53 EDT 2017


https://www.entrepreneur.com/article/292059

Outsourcing IT operations to managed IT services providers (MSPs) is a
common trend for a business looking to maintain its operational efficiency
while cutting down on cost. In addition to assisting with IT infrastructure
management, 38 percent of businesses that hire an MSP do so with the
expectation that their business will have enhanced security and meet
regulatory compliance requirements. However, it is critical to understand
that “IT management” and “IT security” are not synonymous. Failing to
understand the difference between the two can result in dangerous and
expensive outcomes for your business.

IT shortcomings affect security.

“There’s nothing you can do. Just pay it,” a business owner was told by his
MSP after his firm was hit with a $50,000 ransomware attack. It’s not an
answer any company wants to hear after falling victim to hackers, and it
was not long after this conversation that our incident response team
received a call wondering if something could be done besides “just paying
it” or losing data.

Further conversations revealed important details about the firm’s
post-attack situation. The victim had no data backups or records of
security events. Additionally, all files had been deleted from the affected
laptop, and the phishing email that initiated the incident was destroyed by
the MSP in a misguided attempt to respond to the incident. These combined
factors turned what should have been an easily manageable ransomware
situation into an unnecessarily complicated and costly incident.
Furthermore, all actions taken after the attack were completely reactionary
and no measures were taken to prevent the same attack from being successful
again in the future.

Unfortunately, this scenario is not unique. Cases of incidents that could
have been avoided by simple, low-cost IT configurations and user training
are cropping up at our office with increasing frequency. In the past six
months alone, we have seen the following issues while responding to
security incidents:

- Clients and MSPs with no incident response plan
- Clients with no data backups, or clients who did not fully understand how
  their data was being backed up
- No tools in place to keep records of important, security-related actions
  that have taken place on the company network, or such tools not being
  properly utilized
- “24/7” IT service providers that were completely unresponsive during
  weekends
- Corporate and guest WiFi networks that are not properly separated from one
  another and secured

Each of these shortcomings can make preventing, detecting and responding to
security incidents much more difficult or even impossible.

Questions to ask before choosing an MSP

Some security issues, like the ones listed above, result from providers
underperforming or misrepresenting their capabilities. Others, however, are
due to the customer not understanding or requesting the services and
solutions they need.

Most organizations that contract MSPs do so because they do not have the
expertise to effectively handle these issues in-house. It is obvious to
these businesses they need help to keep their IT resources running, but
failing to consider security when choosing an MSP presents risk. With this
in mind, business leaders searching for IT help should include the
following considerations in their decision-making process:

1. Make sure you understand what security services you need and ask for
them by name.
Ask specific questions to ensure that you understand what you are getting.
For example, if you are purchasing data backup services, make sure that you
know where the data is backed up, how long it is stored, how many versions
of your data are kept and how long it takes for data to be restored from
backups. If you are satisfied with the answer, make sure to get it in
writing.

2. Ask about the MSP’s own incident response plans and how they will help
you handle potential security incidents.
What is their response time? Do they perform incident response services? Do
they have a partner or recommended firm for these actions? A lack of an
incident response plan for their own business security should be a major
red flag.

3. Have a “technical translator.”
Asking MSPs security-related questions is only valuable to your firm if you
can understand the answers and determine what it means to your business. If
your team does not have any security-minded people on staff to conduct
interviews with MSPs, consider hiring a security consultant that can speak
with service providers with you or on your behalf. Upon engaging an MSP, a
third-party security consultant can work with you and potential service
providers to ensure your IT infrastructure is designed with your business’s
best interests in mind.

4. Make sure your security measures are effectively implemented.
Once the systems and services are in place, have your security consultant
perform an audit of the MSP's solutions and services to ensure that all
security measures and processes are implemented in a manner that allows your
business to be operational without putting your business’s security on the
line.
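Items 1 and 4 above amount to one check: write down what the backup service promises, then audit the MSP's evidence against it. The script below is an added example, not from the article or any MSP; the contract terms and the backup catalog are constructed sample data, and the field names are hypothetical.

```python
from datetime import datetime, timedelta

# Hypothetical contract terms, written down as item 1 recommends.
CONTRACT = {
    "approved_locations": {"offsite-dc"},  # where backups must be stored
    "retention_days": 30,                  # how long each version is kept
    "min_versions": 7,                     # how many versions must be restorable
    "max_restore_minutes": 240,            # how long a restore may take
}

NOW = datetime(2017, 4, 3, 12, 0)

def make_entries(host, days, location, restore_minutes):
    """Build one constructed catalog entry per day, going back `days` days."""
    return [{"host": host, "taken": NOW - timedelta(days=d, hours=10),
             "location": location, "restore_minutes": restore_minutes}
            for d in range(days)]

# Constructed catalog: a server backed up offsite daily, and a laptop copied
# to a local USB disk twice and never restore-tested.
CATALOG = (make_entries("fileserver", 10, "offsite-dc", 90)
           + make_entries("ceo-laptop", 2, "local-usb", None))

def audit_backups(catalog, contract, now):
    """Return {host: [findings]} for every host that breaks a contract term."""
    by_host = {}
    for entry in catalog:
        by_host.setdefault(entry["host"], []).append(entry)
    window = timedelta(days=contract["retention_days"])
    report = {}
    for host, entries in by_host.items():
        findings = []
        recent = [e for e in entries if now - e["taken"] <= window]
        if len(recent) < contract["min_versions"]:
            findings.append(f"only {len(recent)} versions in the last "
                            f"{contract['retention_days']} days, contract says "
                            f"{contract['min_versions']}")
        if not any(e["location"] in contract["approved_locations"] for e in recent):
            findings.append("no copy in an approved location")
        tested = [e["restore_minutes"] for e in recent if e["restore_minutes"] is not None]
        if not tested:
            findings.append("no recorded restore test")
        elif max(tested) > contract["max_restore_minutes"]:
            findings.append(f"restore took {max(tested)} min, contract allows "
                            f"{contract['max_restore_minutes']}")
        if findings:
            report[host] = findings
    return report

if __name__ == "__main__":
    for host, issues in audit_backups(CATALOG, CONTRACT, NOW).items():
        print(host, "->", "; ".join(issues))
```

Any host that appears in the report is a gap between what was bought and what is actually in place; a host whose restore has never been timed cannot be said to have a working backup at all.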

It cannot be assumed that an MSP will fill the role of a trained security
specialist. Being mindful of the differences between IT and security and
understanding their roles and implications for your business is critical to
having business operations that are both functional and secure. Being
upfront with MSP candidates about your security concerns, asking pointed
questions about your security needs and being prepared to interpret
technical answers is critical for all businesses choosing an MSP.