Questions to ask your IT provider about their security

October 15th, 2019
Questions to ask your IT provider about their security

Questions to ask your IT provider about their security - blog feature image 900x300

Why is security important?

Businesses need to have systems and processes in place to protect themselves from malware, phishing and other hacks, as cyber-crime is on the increase. Even smaller organisations are vulnerable to having their data stolen or compromised.

Many companies are looking to experts to give them the solutions and peace of mind that their information is protected and, if the worst should happen, their IT partner can help them restore their most recent data as soon as possible.

Why should you speak to your IT provider?

It’s important to have an understanding of what measures your provider is taking to protect themselves from cyber threats, as well as their clients.

As criminals become more sophisticated in their techniques, IT companies need to be up-to-date with the latest risks.

Unfortunately, one tactic hackers are using, is to target the IT support provider directly, and once into their systems, they are then able to attack multiple clients at the same time.

Whoever you work with should be more than happy to discuss what steps they’re taking in order to be proactive.

Questions you should ask

Depending on the type of support you use and any particular industry requirements your IT partner supports you with, there are different questions you might want to ask them.

Here are some suggestions to help you get started:

1. Vulnerability testing

A vulnerability test looks at the servers, systems, internet, network and other technology a company uses and identifies places where it might be at risk of attack.

Ask your provider how recently they did a vulnerability test and if you can see the results.

2. Qualifications

What accreditations does the business have as a whole and what certifications are held by engineers, technicians and anyone responsible for cyber security?

We’ve talked about Cyber Essentials before, and they should have their systems tested.
Ideally, they may also be assessors for one of the governing bodies – ATG are approved assessors for IASME.

3. Ongoing learning

Are they constantly learning? Do they have a policy in place for how often staff should have refresher courses in the most important parts of security (as applicable to their role)? Do they proactively look for new accreditations?

Questions to ask your IT provider about their security - quote

4. Threat intelligence

There are four different types of threat intelligence, according to the NCSC (National Cyber Security Centre). They are:

  • Technical (indicators of malware types)
  • Operational (which looks at details of a specific attack and if a company is able to determine a future threat)
  • Tactical (methodologies used by the attackers)
  • Strategic (the ability to critically assess threat)

It’s important that your IT provider has a good understanding of each of these types and has robust systems to deal with them.

5. Compliance/governance

All UK businesses are expected to follow GDPR guidance around client information and ensure data protection laws are also in force. Being in breach of this legislation can be costly and damaging to a business’ reputation.

Ask them about what compliance rules they follow; for instance, they may have IASME Governance or ISO 27001 and 27002 certifications, which looks at good practice in information security management, amongst other things.

6. Have they been attacked?

While you would very much hope that an IT company was able to prevent its systems from being compromised, we know that everybody is vulnerable.

Ask if they’ve ever been a victim of a cyber-attack, the cause (e.g. human error), how they recovered and how quickly.

7. Internal processes

Speak to the provider about what processes they have in place to protect themselves from malware and external threats? They should have robust, well-documented procedures in place, and these should be along the same lines as those they recommend to their clients.

8. Staff responsibility

Find out how many people are responsible for dealing with threats. Are there named people throughout the organisation? Is there a team dedicated to resolving issues in the event of things being compromised? How do they guarantee business as usual?

9. Review process

Clarify how often they review their policies and systems. When was their last audit? Is there a team which represents all departments and teams? How do they decide to make updates or changes, and how do they communicate this to their staff?

These questions should help you find the right IT provider, or at the very least, ensure the company you are already working with are up to scratch when it comes to theirs and your cyber security.

We already have systems and procedures in place at ATG which cover all of the above, as do our clients. If you would like to discuss these in more detail, contact us today.