Top Ten Questions to Ask Your IT Provider About Cyber Security Measures Protecting Your Business

In today’s digital age, cyber security is a critical concern for businesses of all sizes. As threats continue to evolve, it’s essential to ensure that your IT provider is taking the necessary measures to protect your business. Here are the top ten questions you should ask your IT provider about cyber security measures.

1. What is your approach to cyber security?

Understanding your IT provider’s approach to cyber security is crucial. This includes their strategies for preventing, detecting, and responding to cyber threats. A good answer covers all three, names the controls used for each, and says who is responsible for them, rather than relying on a single product or tool.

Ask for an example “IT Security Policy” document – this will give you quick and comprehensive insights into their security approach. Check that it is dated, has a named owner and has been reviewed recently; a policy nobody maintains says little about current practice.

2. How do you protect our data?

Data is one of the most valuable assets of any business. Ask your IT provider about the measures they take to protect your data. This includes encryption of data at rest and in transit, secure storage, and data backup procedures.

Ask for a sample “Disaster Recovery Plan” document. This will outline how data is backed up, where and how securely it is stored, and the process (including time targets, usually expressed as a recovery time objective and a recovery point objective) for restoring corrupted or deleted data. Ask when a restore was last tested: a backup that has never been restored is not yet one you can rely on.

3. What are your policies on access control?

Access control is a key aspect of cyber security. Ask your IT provider about their policies on who has access to your data and systems, and how they manage and monitor this access.

It’s critical to understand who has access to YOUR data, whether this access is logged and reviewed, and what technical mechanisms are in place (for example least-privilege roles, MFA on administrative accounts and individual rather than shared technician logins) to ensure only authorised users can access your data.

4. Do you provide cyber security training for our employees?

Employees are often the weakest link in cyber security. Ask your IT provider if they offer cyber security training for your employees to help them recognise and avoid potential threats. What training platform is being used?

– What topics are covered, and how often is training run? 

– Are users tested on their knowledge?

– Are phishing simulations run, and how often?  What happens if a user fails a simulated attack?

5. How do you stay updated on the latest cyber threats and vulnerabilities?

The cyber security landscape is constantly changing. It’s important that your IT provider stays updated on the latest threats and vulnerabilities and takes appropriate measures to protect your business.

– What sources are being used for threat intelligence?

– Is your IT provider or MSP part of industry or government groups?

– Who is responsible for sharing this knowledge (internally and externally) to ensure the relevant parties remain up to date?

6. Do you conduct regular security audits and vulnerability assessments?

Regular security audits and vulnerability assessments can help identify potential weaknesses in your cyber security measures. Ask your IT provider if they conduct these assessments and how they respond to any vulnerabilities they find.

Ask for sample reports on vulnerability management for an existing client over the past 3 months. Useful reports show what was found, its severity, when it was first seen and when it was fixed, so you can see how long vulnerabilities stay open rather than simply that scans ran. Evidence is required to ensure these tasks are being carried out – and should be easily accessible by your provider.
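As an added illustration of what to check in those reports (this is example code written for this article, not any provider’s tooling), the script below takes a vulnerability report export and ages each finding against a remediation target for its severity, flagging anything fixed late or still open past its deadline. The CVSS score bands are the standard v3 qualitative ratings; the SLA figures, finding identifiers, hostnames and dates are all constructed assumptions for the example and should be replaced with the targets written into your own agreement and the provider’s real export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed remediation targets in days per severity band. These are hypothetical
# figures for the example; substitute the targets written into your agreement.
SLA_DAYS: Dict[str, int] = {"critical": 2, "high": 14, "medium": 30, "low": 90}


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


@dataclass
class Finding:
    finding_id: str           # provider's own ticket/finding reference (hypothetical)
    host: str                 # affected asset (hypothetical)
    cvss: float               # CVSS v3 base score from the scanner
    first_seen: date          # first scan that reported the finding
    fixed_on: Optional[date]  # None means still open at the report date


def evaluate(findings: List[Finding], as_of: date) -> List[dict]:
    """Age every finding against its SLA; open findings age up to `as_of`."""
    rows = []
    for f in findings:
        sev = severity_from_cvss(f.cvss)
        target = SLA_DAYS.get(sev)
        end = f.fixed_on if f.fixed_on is not None else as_of
        age = (end - f.first_seen).days
        rows.append({
            "id": f.finding_id,
            "host": f.host,
            "severity": sev,
            "age_days": age,
            "open": f.fixed_on is None,
            "breached": target is not None and age > target,
        })
    return rows


def summarise(rows: List[dict]) -> dict:
    """Totals a reviewer can hold up against the provider's own claims."""
    total = len(rows)
    breached = sum(1 for r in rows if r["breached"])
    return {
        "total": total,
        "open": sum(1 for r in rows if r["open"]),
        "breached": breached,
        "within_sla_ratio": (total - breached) / total if total else 1.0,
        # Open findings already past their deadline: ask the provider about each one.
        "overdue_open": sorted(r["id"] for r in rows if r["open"] and r["breached"]),
    }


# Constructed sample export covering one client quarter (not real data).
SAMPLE_FINDINGS = [
    Finding("VM-0001", "web-01", 9.8, date(2024, 3, 1), date(2024, 3, 2)),
    Finding("VM-0002", "web-01", 7.5, date(2024, 2, 10), date(2024, 3, 5)),
    Finding("VM-0003", "fs-01", 5.3, date(2024, 3, 20), None),
    Finding("VM-0004", "dc-01", 9.1, date(2024, 3, 27), None),
    Finding("VM-0005", "lt-17", 3.1, date(2024, 1, 5), date(2024, 3, 1)),
]
REPORT_DATE = date(2024, 3, 31)  # date the sample report was produced


if __name__ == "__main__":
    rows = evaluate(SAMPLE_FINDINGS, REPORT_DATE)
    for r in rows:
        state = "open" if r["open"] else "fixed"
        flag = "BREACH" if r["breached"] else "ok"
        print(f"{r['id']} {r['host']:7} {r['severity']:8} {r['age_days']:3}d {state:5} {flag}")
    print(summarise(rows))
```

Run on the sample data, two of the five findings miss their target: one high-severity item that took 24 days to fix, and one critical item still open four days after it was found. Those are exactly the rows to put in front of the provider and ask why. If a provider cannot produce an export with first-seen and fixed dates at all, that is itself an answer to question 6.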

7. What is your incident response plan?

In the event of a cyber-attack, a quick and effective response is crucial. Ask your IT provider about their incident response plan, including how they will communicate with you, recover lost data, and prevent future attacks.

Ask for a sample copy of their “Cyber Security Incident Response Plan”. This will provide invaluable insights into how they respond to potential data breaches: who is notified and how quickly, who can make containment decisions, and how recovery and lessons learned are handled.

8. How do you ensure compliance with relevant regulations and standards?

There may be specific regulations and standards for cyber security that your business needs to comply with, depending on your industry. Ask your IT provider how they ensure compliance with these regulations.

Regardless of what industry you operate in, cyber security should be measured against a recognised framework (or a combination of frameworks). The Australian Signals Directorate’s “Essential 8” is a good place to start. Ask whether they meet at least Maturity Level 1, and whether they can show evidence of it, both for the services they deliver to you and for their own environment.

9. What measures do you take to secure our remote workers?

With more employees working remotely, securing remote workers has become a critical aspect of cyber security. Ask your IT provider about the measures they take to secure your remote workers.

This may include policies for personal devices (BYOD), VPN, MFA, DNS protection and more. A comprehensive (and documented) approach to remote worker security is critical.

10. Can you provide references from other clients?

Finally, ask your IT provider if they can provide references from other clients. This can give you a better idea of their track record in providing effective cyber security measures.

It may also be wise to ask for a case study of a data breach that has been handled by your IT or Security provider. The more detailed the better (with the entities involved anonymised, obviously). This will help you get an understanding of how they will respond if your business suffers a cyber incident.

In conclusion, asking these questions can help ensure that your IT provider is taking the necessary measures to protect your business from cyber threats. Remember, cyber security is not a one-time effort, but an ongoing process that requires constant vigilance and adaptation to the evolving threat landscape.

If you would like advice or assistance with any of the above, please contact us and one of our friendly consultants will be happy to help!