5 Questions to Ask Your IT Vendor About Their Security

Your IT vendors regularly advocate that you upgrade your equipment, enable additional safeguards such as two-factor authentication, and buy expensive security solutions.

Yet many are neglecting their own security, when it should be at least equivalent to their clients', if not significantly stronger. Recently a managed services provider was breached, and many of their clients were infected through the provider's own systems: https://www.darkreading.com/attacks-breaches/ransomware-attack-via-msp-locks-customers-out-of-systems/d/d-id/1333825

Here are a few questions you should ask any potential IT vendor:


Do they use multi-factor authentication everywhere possible?

Password compromises are going to happen, so two-factor authentication is a necessity for any administrator. What is often neglected is two-factor authentication on the tools the IT vendor or managed services provider itself uses. Software that allows remote access to client systems is a gold mine for attackers and is often exposed directly to the internet. One professional services company was breached and had at least 11 clients compromised via its systems: https://www.msspalert.com/cybersecurity-breaches-and-attacks/phishing/wipro-breached/


Do they use shared administrator accounts?

This cannot be avoided in every case, but 95% of the time it can. A shared administrator account cannot be properly tracked or audited. It also grants elevated permissions to junior technicians who may not need them. Because the account is not tied to a single user, its password is rarely changed when employees leave, leaving more openings into the networks. One big retail breach involved the use of a third-party vendor's login: https://www.infosecurity-magazine.com/news/home-depot-breach-third-party/


Are they encrypting their own devices?

At a minimum they should be encrypting mobile devices (laptops and tablets) and any systems containing passwords or sensitive information. These devices often travel with the staff, sitting in bags, in cars, or at other clients' sites. One of the excuses you may hear is "we use virtual desktops, so we do not have to". In that case, start looking for another vendor right away! There are three major exploits currently ravaging remote desktops across the US and UK. At minimum, those remote desktops should be protected with multi-factor authentication.


Do they have any internal security policies written, and will they share them with you?

Compliance is a part of doing business, and every company will be audited by regulators or a client at some point. So a company must have its policies and procedures documented, organized, and ready to provide when requested. If they are guiding you on the policies you should have in place, they should be able to provide their own as examples as well.

Do they maintain reasonable insurance policies, including cyber insurance?

One large breach can put a company out of business, so it's critical that technology companies cover all their bases. Want to learn more about how Clear Guidance Partners can help your security? Talk to a partner today.

Anthony Cabral, CISO