Is your IT provider doing enough to protect your business?

By Paul Maxwell, Director, Stratia Cyber

Over the years I have spoken to a lot of small businesses that use IT/Managed Service Providers (MSPs) to provide their IT services. 

When I ask them about their information and cyber security, I get the same response, more often than not: “We don’t need cyber security, because we have outsourced our IT.”

This sounds like a simple answer to a simple question. But taking this approach does not absolve the business of its responsibility to its customers, shareholders or itself. It also fails to address any aspects of information and cyber security that need to be dealt with on their business premises.

A resilient IT infrastructure or service isn’t a nice-to-have: it’s essential. Having the right IT systems in place is not enough. These systems need to be prepared against potential threats and attacks. It also doesn’t end with technology: underlying processes and procedures need to be in place to ensure that the service is run consistently and securely. Business users need to be trained to operate the IT securely and manage information security. These local security issues are something that your IT provider is almost certainly not contracted to cover.

Seven questions to evaluate your IT provider

When I talk to businesses I ask if they have discussed the following points as a minimum with their provider. These questions offer an easy way to assess whether you are receiving adequate protection from potential cyber threats.

  1. How regularly are security updates performed? Frequent software updates ensure vulnerabilities get patched promptly, before hackers exploit them.
  2. Is there a disaster recovery plan? A solid backup and disaster recovery strategy is crucial for any business in case of major data loss due to cyber attacks or other disasters.
  3. What proactive measures are in place? Good cybersecurity requires proactive measures such as threat hunting and intrusion detection systems.
  4. Is cybersecurity training provided for staff? Staff can unknowingly pose a security risk, and regular training helps maintain awareness across the team.
  5. Is the organisation GDPR compliant? If dealing with EU citizen data or operating within the EU, compliance with General Data Protection Regulation (GDPR) rules is necessary.
  6. Has independent assurance been carried out? Do they carry out independent penetration testing? Are they certified in international standards such as ISO 27001?
  7. How robust is your contract? It’s important to understand items such as areas of responsibility, who is responsible for recovery costs and what right of audit of your supplier is in place.

Independent assurance like ISO 27001 certification or the NCSC Cyber Essentials Plus scheme demonstrates a company’s commitment to adhering to globally recognised best practices for information security management systems.

Regular independent penetration tests give real-world insights into network vulnerabilities before they’re exploited maliciously. Audits conducted by external entities offer unbiased perspectives on current risk levels and improvement areas. Would your provider be happy to share the report and assert that any findings have been fixed?

Your chosen IT provider should be able to answer all these points to your satisfaction, highlighting their dedication towards protecting your information and your business’s reputation. Don’t shy away from asking about these issues.

The threats British businesses face

Many businesses underestimate the importance of cybersecurity and the level of threat faced by British businesses today. Figures from the Government NCSC Cyber Security Breaches 2022 report show that 39% of British businesses experienced a cyber-attack during the previous year, with an average recovery cost of £19,400 among medium and large businesses. Every business has valuable data, ranging from customer information to trade secrets: these are all lucrative targets for cyber attackers.

The question arises: how well-equipped is your IT provider at safeguarding you from these threats?

Perks and perils of using IT providers

Choosing to outsource IT has its advantages, but there are some inherent risks to doing so. I’ve listed some examples of both below.

Perks:

  1. Expertise: A good IT provider will be knowledgeable about cyber threats and how to protect against them.
  2. Resource Allocation: If you outsource your IT and cybersecurity, you can focus more on your core business functions.
  3. Cost-Effective: Outsourcing is usually more affordable than hiring a full-time internal team. For small businesses in particular, this is highly important.

Perils:

  1. Aggregation point for attackers: For cyber attackers, breaching IT/MSP companies is a cost-effective way to target multiple companies. The Capita breach led to 90 companies which used the outsourcing group’s services reporting breaches of personal information.
  2. Provider Vulnerabilities: If your provider itself gets compromised, it can lead to a security breach for you as well.
  3. Limited Control: When you outsource, you may not have complete control over your cybersecurity measures or data handling.

Knowledge is power

The first line of defence against cyber threats is knowledge about potential risks and preventive strategies (risk management), but it’s equally important to have effective reactions when incidents occur (incident response).

Stay informed about what exactly it is that your IT provider does for your security—not only will this provide peace of mind, but it will also save time and money down the line if a breach occurs.

If, after reading this, you still feel uncertain about the status quo or have lingering queries regarding your own cybersecurity posture, please reach out! Contact Stratia Cyber today and let us help ensure that, even amidst ever-evolving cyber threats, your business remains protected.