Cyber attacks can be complex but in our experience, most are actually quite simple and just exploit basic weaknesses.
Your business might rely on internal IT staff or an outsourced provider for your cybersecurity. But just because you don't handle your cybersecurity yourself, doesn't mean you should have blind faith that all is well.
To help you check if your business is being properly protected from cyber attacks we have put together 9 cybersecurity questions you should ask your IT provider.
How do you keep my data secure?
What steps does your IT provider take to make sure your data is secure at all times. This can be looked at in two parts. Who has access to the data and how is that better protected.
How it's protected can be very technical but you should still ask the question. Who as access to the data is something your company should be aware of and should be involved in deciding.
Access to your data should only be given to those who need it. It is possible to set up privileges on a system so that employees can only access the data they need to access. By giving everyone access to all your data you increase the threat of that data being breached (as well as potential GDPR issues).
The more people with access to your data means the more access points hackers have to reach your data. A data breach doesn't have to be a malicious act either. Human error makes up 88 per cent of UK data breaches. By limiting access to only those who truly need the data then you reduce the risk of that data being accidentally breached.
How often do you backup our data?
It has now become a case of when not if your business becomes the victim of a cyber attack. So your data needs to be well backed up and that backup needs to be stored off-site (most commonly this is done in the cloud).
How often your data is backed up depends on your business. We would recommend that your data is backed up every hour but some businesses can operate with a daily backup and still be able to function if their data is lost.
How often that data is stored is another question you will want to ask. You will also want to know if the backup recovery is tested and how often. It is no good backing up your data if it then can't be recovered.
How often is the IT infrastructure patched?
Security patching has become a fundamental part of cybersecurity. It ensures that all devices on your network are running the current vendor-supported operating systems. For example, Microsoft release regular updates for Windows. These updates often fix security issues that have been highlighted by recent activity.
As cybercriminals become more sophisticated they find vulnerabilities to exploit in existing products. The vendors then have to fix those vulnerabilities and roll out the fixes in an update. If your devices aren't patched regularly then those fixes are not getting done and your network is vulnerable to attack.
Does your provider actively monitor network threat detection?
How proactive is your provider? Do you have to keep calling them to report issues or are they coming to you with the issues they've found and solutions to fix them?
In terms of cybersecurity, if your provider is purely reactive then the risk of a breach is high. If they are proactive they are likely to spot vulnerabilities and fix them before they can be used by cybercriminals.
Does your provider secure network access to only approved devices?
Can any device be used to access your network? Employees using their own devices can reduce hardware costs but when those devices are connected to your network they can be exploited by hackers.
Chances are the security on your employee's devices are not as comprehensive as you will have normally in the business. Each time one of these devices are allowed access to the network you could be weakening your cybersecurity. You might not even be aware these devices are being used.
It is possible to set up secure network access so only approved devices can access your network.
Do you have an up-to-date antivirus platform?
Even if your business does have antivirus software if it is not up to date then it won't be effective. As with the patching earlier in the article, there will be security updates for your antivirus software. Without these updates your network is vulnerable.
Do you even have an Antivirus set up? It is important to understand what antivirus (if any) is being used and how often is it being updated.
Does your provider offer multi-factor authentication?
Multi factor authentication (MFA) is a popular way of securing data. It adds an additional layer of security to all devices it is set up on and can also be used to for online accounts as well.
MFA is simple to set up and is a great way to further increase your online security. MFA is becoming standard across many online applications and takes away the sole reliance of a password to protect your accounts and devices. Find out more about Multi factor authentication here.
Does your provider offer vulnerability and penetration testing?
All the security measures in the world are no good if they don't work. How often does your provider run vulnerability testing on your network?
There are commonly two types of test that can be run. A vulnerability scan or a penetration test. A vulnerability scan scans a public IP for weak or out of date SSL encryption, expired certificates or outdated software.
Penetration testing uses a security expert to try and hack into a network. They will attempt to exploit and breach any vulnerabilities in security. Some businesses have to complete this testing as part of their industry regulations but it can be useful for all business to understand how well their security works.
How does your IT provider audit its services to ensure its effectiveness?
Your IT provider must be externally audited on its cybersecurity policies and procedures. Are they following best practices? If they are not your network can be breached by anyone breaching your provider's network.
Ask your provider is they are certified in any way. Not only will you know they are secure but you can also be assured that the recommendations you are getting are coming from a reputable source. InfoTech Solutions is proud to be Cyber Essentials certified.
Just because you are outsourcing your IT support doesn't mean you shouldn't know what that provider is doing for you. These question will help you understand how well your business is being protected from cyber attacks.
Hopefully, you are happy with the answers you receive but if you have concerns about any of the questions you ask then InfoTech can help. We offer a free Discovery Audit that will report on your existing cybersecurity as well as the performance of your IT infrastructure.