Managed IT services are increasingly popular. In CompTIA’s fourth annual “Trends in Managed Services” report, 64% of businesses said they currently use a managed services provider (MSP) for at least one operational function.
Still, security is on all companies’ minds these days – and that includes mid-sized firms that have contracts with MSPs. The 2015 Society for Information Management IT Trends Study found security to be the No. 2 concern of business managers, up from seventh place in 2014. Although improved security was not a key driver of moving to an MSP for mid-sized businesses, security ranked a close second to simplification as a benefit they received. This means that, unexpectedly, businesses that used MSPs found that they were more secure. This is an important consideration, given that in 2015 a new “zero-day” vulnerability (a security hole that had previously been unreported) was identified every week.
But how can you be sure your MSP is up to the security task? Here are five security questions all SMBs should ask an MSP before signing the contract.
1. Will they do sufficient due diligence and in-depth discovery to understand your business’ security needs?
Before signing a deal, your MSP should perform a security audit to understand exactly where your vulnerabilities lie. Such an audit will raise questions that your MSP needs to ask you to ensure they do a good job of managing your IT environment. Below are some examples of questions you should be prepared to answer for them to complete this stage:
2. Do they have security expertise that’s both wide and deep?
One of the biggest benefits of contracting with an MSP is that they have the security experts that you can’t afford to hire on staff yourself. Make sure that they have specialists in areas such as viruses, spear phishing, zero-day attacks and other areas of concern. Ask how the technology team stays up to date on the latest threats and trends; technology threats constantly evolve, so it’s never enough to simply install a technology or set a policy and walk away. Look for security accreditations in particular. Employees who hold Certified Information Security Manager (CISM), Systems Security Certified Practitioner (SSCP), Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Global Information Assurance Certification (GIAC) or Computer Hacking Forensic Investigator (CHFI) qualifications will be very valuable.
3. Do they know how to secure remote or mobile workers?
According to a Trend Micro survey of SMBs, 78% of mid-sized businesses frequently have employees working from home or at other non-official remote sites. And 33% said more than 20% of their employees work this way. These types of workers have unique security needs. For starters, they probably need a virtual private network (VPN) so they can log securely into internal systems remotely.
Then there’s the fact that a large (and overlapping) segment of your workforce is mobile. IDC believes that the U.S. mobile worker population will grow from 96.2 million in 2015 to 105.4 million in 2020. This means that within four years, mobile workers will account for nearly three-quarters (72.3%) of the U.S. workforce. If your business is part of this trend, your MSP probably needs to install some sort of mobile-device management (MDM) solution to track what devices are allowed to access which applications and to wipe machines clean if they are lost or stolen.
4. Do they have comprehensive disaster recovery and business continuity safeguards in place?
Disaster recovery (DR) means you can recover your data in case something goes horribly wrong, such as a flood or earthquake, or even if it is held hostage by a cyber criminal using ransomware. According to Business Solutions Magazine, DR is the number-one managed service that small businesses want.
Business continuity (BC), on the other hand, means you can continue running your business without a hiccup even if your premises are uninhabitable and your servers unavailable. Your MSP needs to have plans for both DR and BC. Make sure to ask them what those plans are. What will they do in case of a disaster to keep you up and running? What are the communications plans if your voice-over-IP (VoIP) phone system is down? Make sure you understand and are comfortable with the answers.
5. Does the provider give you visibility into the use of your data, applications and equipment that it manages for you?
Find out what kinds of operational reports it offers. Also, make sure you will have on-demand access to relevant stats that answer questions such as: What are its uptime SLAs for a given time period? What control points does it provide for security settings by users? How will you be informed of a breach? And what middleware interface does it provide for DRaaS?
Handing over part – or all – of your IT operations to an MSP is an attractive proposition. The fact that top-tier MSPs will also help you secure your infrastructure is an added bonus. Your responsibility is to choose the right MSP. You want to make sure that your provider has the technical expertise, the ability to understand your business and the capability to protect your remote and mobile workers, among other goals. If you ask the right questions and choose the right MSP, you could end up with better security than you were able to achieve on your own.