You are only as strong as your weakest link. In today's uncertain and risky cyber security climate, it's essential to check whether your Managed Services Provider's (MSP) security standards are up to scratch, or risk them becoming your weak link.
Your MSP can be a back door for threats if they are not following the strictest security standards. That's why we have compiled a list of questions you can ask your MSP about their security credentials. If you don't have an MSP but are considering using one, this is also an excellent list to have so you can check whether they are addressing their security issues adequately.
1. What security frameworks or standards are you using?
There are quite a few, but some of the main ones include:
- ISO 27001 - A widely known standard that sets out the requirements for an Information Security Management System (ISMS), enabling organisations of any kind to manage the security of assets such as financial information, intellectual property, employee details and information entrusted by third parties. It also requires businesses to follow specific policies and procedures to detect, prevent, respond to and recover from security incidents.
- The ACSC Essential 8 - The Essential Eight is a series of baseline mitigation strategies drawn from the ACSC's Strategies to Mitigate Cyber Security Incidents and recommended for all organisations. Implementing these strategies as a minimum makes it much harder for adversaries to compromise systems.
- National Institute of Standards and Technology (NIST) Cybersecurity Framework - The Framework integrates industry standards and best practices to help organisations manage their cybersecurity risks. It provides a common language that allows staff at all levels within an organisation to develop a shared understanding of their cybersecurity risks and reduce them with customised measures.
2. What measures do you take to prioritise cyber security?
- Are security measures implemented during all stages of ICT system and network development, deployment, and maintenance?
- After implementing recommended risk mitigations, how do you assess cyber security risks before moving to production environments?
- Do you have a method to record, review and approve all changes to ICT systems before implementation? Who reviews them? What are their security considerations?
- How do you ensure cyber security is a core requirement when procuring and acquiring software, hardware and services, including cloud services?
3. How do you keep data safe?
- Do they segregate your networks logically and physically from other customers and the MSP network?
- Do they require multi-factor authentication (MFA) for access to customer systems?
- How upfront and transparent are they with you about cyber security? Have they raised it proactively?
- What are their security patching timelines?
- What is their policy for reporting confirmed cyber security incidents and data breaches to impacted customers and other parties?
4. How do you educate your staff about cyber security?
- What cyber security awareness training do you provide for new and existing staff?
- How frequently do you run your cyber awareness training courses for staff?
- Do you provide tailored cyber security awareness training for staff, including senior managers, system administrators, and finance and HR personnel?
5. How do you practise secure administration of your systems and your customers' systems?
- Do you restrict administrative privileges using role-based access and just-in-time access with a multi-factor authentication challenge?
- Do you use hardened jump boxes and dedicated privileged user workstations exclusively for privileged tasks?
- What is your password policy? How do you store passwords? Are they protected with appropriate encryption and security protocols?
- How do you log usage, including access to and modifications of data and systems? Who reviews those logs? What are their cyber security qualifications?
6. How do you prepare for cyber security incidents?
- Do you have an Incident Response Plan? How often do you exercise it?
- How do you log security events? Do you use a secure, centralised logging solution such as a Security Information and Event Management (SIEM) system?
- How long do you retain event logs? Is the retention period defined in your organisation's policies?
- How often do you review event logs for unusual activity?
- What is your training plan to prepare staff to respond to a cyber security incident?
7. What steps do you take to regularly review and improve your cyber security?
- How regularly do you assess the cyber security of ICT systems, services and networks?
- How often do you monitor your cyber security risks and posture?
- Is there someone responsible for this? What are their cyber security qualifications?
What to do next
During your conversations with your MSP, you may not hear all of these areas being addressed to your satisfaction. If you don't get the answers you need, maybe it's time to pick up the phone to us!
Byte is certified to ISO 27001 and is a Microsoft Gold Security Partner as well as an Innovative Platinum Partner with Palo Alto. Byte is a security-focused organisation and runs one of the most secure MSPs in the country, tailored for SMBs.
Contact Byte for a Secure Managed Services Solution today!