One of the most critical services you may be considering for an MSP to provide is data security. Bringing the appropriate level of expertise in-house is typically expensive; if it isn’t, it is likely to lack experience, knowledge and ongoing currency. These questions will assist you in selecting an MSP that understands your risk and will cover it sustainably and cost-effectively:
Do you cover the Essential Eight?
The Australian Signals Directorate (ASD) and its Australian Cyber Security Centre (ACSC) publish the Essential Eight mitigation strategies as a baseline for mitigating cyber security incidents. If your MSP cannot answer “Yes” to every one of these questions, don’t go any further:
- Do you whitelist applications so that only approved or trusted programs can run on our systems?
- Do you configure Microsoft Office macro settings so that only macros that have been vetted, or that come from trusted locations, are allowed to run?
- Do you patch applications such as browsers, Microsoft Office, Java, Flash and PDF viewers within 48 hours so that security remains current?
- Do you harden user applications, for example by blocking Flash, web advertisements and Java in browsers, and by disabling features of applications that users do not need?
- Will you restrict administrator privileges to operating systems and applications based on the user’s duties and need, and review them regularly? This includes ensuring that user accounts with administrator privileges are not used for reading email and browsing the web.
- Will you patch or mitigate ‘extreme risk’ vulnerabilities on computers and network devices within 48 hours, and keep our operating systems on the latest supported version?
- Will you use multi-factor authentication on remote access points, for all users performing privileged actions or accessing important information?
- Will you take daily backups, and test them, so we can re-build our systems quickly after a cyber incident?
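Several of these answers can be verified on a sample workstation rather than taken on trust. The following PowerShell script is an added illustration for this checklist, not code from the original page or from any MSP’s tooling. It reads the Office 2016 / Microsoft 365 (version 16.0) macro policy values that Group Policy writes under HKCU and reports whether each application meets the intent of the macro question above: macros disabled outright (VBAWarnings = 4) or limited to digitally signed ones (3), macros in internet-sourced files blocked, and trusted locations not opened to network shares. The list of applications and the pass criteria are the author’s assumptions.

```powershell
# Added example: audit the Office 16.0 macro policy for the current user.
# Assumes Group Policy (or the MSP's management tool) writes the standard Office policy
# values under HKCU:\Software\Policies\Microsoft\Office\16.0. An unset value means no
# policy applies and the user can change the setting in the Trust Center themselves.
$apps = 'Word', 'Excel', 'PowerPoint'   # assumed: the applications in scope for this audit

$report = foreach ($app in $apps) {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $p   = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
    $tl  = Get-ItemProperty -Path "$sec\Trusted Locations" -ErrorAction SilentlyContinue

    # VBAWarnings: 1 = enable all, 2 = disable with notification (the user can click
    # "Enable Content"), 3 = disable all except digitally signed, 4 = disable all.
    $vba        = $p.VBAWarnings
    $blockInet  = $p.blockcontentexecutionfrominternet   # 1 = block macros in files marked as from the internet
    $netTrusted = $tl.AllowNetworkLocations               # 1 = network shares may be used as trusted locations
    $tlDisabled = $tl.AllLocationsDisabled                # 1 = trusted locations turned off entirely

    # Pass criteria (assumed): macros signed-only or off, internet files blocked,
    # and no network trusted locations (files there bypass VBAWarnings altogether).
    $ok = ($vba -in @(3, 4)) -and ($blockInet -eq 1) -and ($netTrusted -ne 1)

    [pscustomobject]@{
        Application             = $app
        VBAWarnings             = if ($null -eq $vba) { 'not set (user controlled)' } else { $vba }
        BlockInternetMacros     = ($blockInet -eq 1)
        NetworkTrustedLocations = ($netTrusted -eq 1)
        TrustedLocationsOff     = ($tlDisabled -eq 1)
        MeetsEssentialEight     = $ok
    }
}

$report | Format-Table -AutoSize
# Non-zero exit so the check can be scripted across a fleet.
if ($report.MeetsEssentialEight -contains $false) { exit 1 }
```

Run it in the context of each user role you care about (a finance user who legitimately needs macros, a standard user who does not), because the policy is per-user and the MSP may have applied different settings to different groups; a result of “not set (user controlled)” is a fail in practice, since the default Trust Center setting only warns and the user can enable the macro anyway.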
Additional process and operational questions
The Essential Eight questions lead on to some more business-related questions, which will help you to judge how well your MSP will get to know your business. You want your MSP to know your business well: they are your partner.
- Do you encrypt all traffic between our systems and your cloud services?
- How is our data and traffic kept separate from the data of other users of your service?
- How will you notify us of security breaches, and how do we notify you if we suspect one?
- Will you get to know our business and what it does, so that you understand people’s job functions and the IT requirements that flow from them?
- Are you adaptable enough to accommodate the needs of all our users, including those who legitimately need administrator privileges, macros or other features that you would normally lock down?
- Which security tasks must we (the client) manage, and which will you manage on our behalf?
- Can you train our staff to recognise and avoid phishing and other common attacks?
- Do you monitor for attacks, and how quickly can you contain an incident and secure the system?
- How quickly can you rebuild our systems if they are taken down by an attack?
Further validation questions
An independent assessment is always a strong endorsement, and an ISO certificate is hard to beat. The distance between the helpdesk and the engineers who do the work can affect response times and quality.
- Can you provide independent evidence of your security performance, such as an ISO 27001 Information Security certification?
- Where is your data centre located?
- Where is your helpdesk located, and how far is that from technical support staff?
- How will maintenance of your systems affect our service?
Questions unique to your business
Your business will also have its own specific questions, for example:
- Can you meet the requirements imposed on us by external regulators, such as ISO certification bodies or financial, medical and other regulators?
Questions about ending the relationship
It’s always good to start out knowing what will happen if you have to end the relationship.
- What if you fail to meet your obligations?
- How do we safely extract our data from your systems if we move to a new MSP?
- How will you destroy any data we need to delete from your system?
Other non-security questions to consider
- Who owns the data we store on your systems?
- What professional services can you offer to help grow our business?
- What functions do you outsource to other providers?
Finally, give them a chance to shine
- What sets you apart from other MSPs?
When it comes down to it, you are outsourcing to your MSP a function that would otherwise be part of your business, so the MSP must work as closely with you as if it were part of your business. Your MSP should be as responsive as if it were in the same building as you.
Most importantly, your MSP should offer better security than anything you can muster in-house.