Many businesses use third-party vendors that host, store, process or access information records related to your organization.
A collaboration should only proceed after a formal risk assessment is completed. A risk assessment will ensure that any chosen third party has the policies, procedures, and technology in place that follow industry best practices for information security and data protection.
Cybersecurity exploits and data breaches are published in the media almost every day. The victims vary from small startups to world-renowned global organizations. The consequences of being breached include reputational damage, financial damage, and legal penalties if sensitive data is stolen.
There has been an intense focus on cybersecurity in recent years and it is vital that your IT vendor is giving you a diligent, security-defined service that has your organization's security fundamentals at the forefront of its security strategy.
Cybersecurity questions to ask your IT vendor
The following questions will help ensure that your IT provider is following the best possible standards for your cybersecurity interests. Their focus should be around risk assessment as well as assessing current information security and IT configurations.
8 cybersecurity questions you should ask
Is the IT infrastructure patched?
Do you have an up-to-date antivirus platform?
Does your provider offer vulnerability and penetration testing?
Can your provider actively monitor network threat detections?
Can your provider secure network access to only approved devices?
Does your provider offer multi-factor authentication?
How does your IT vendor assess their employees' security awareness?
How does your IT provider audit their services to ensure their effectiveness and breadth?
1. Is the IT infrastructure patched?
Security patching is the foundation of a robust cybersecurity policy; it ensures that all laptops, desktops, servers, and software applications are running current, vendor-supported operating system versions. Microsoft, Red Hat, and many other vendors release monthly security patches that tackle the latest known exploits discovered by security experts around the world.
The WannaCry ransomware attack of May 2017 wreaked havoc around the globe. The attack exploited a vulnerability in the Windows OS, but Microsoft had already fixed that vulnerability two months earlier. Those who were impacted had not patched their operating systems in time, resulting in widespread disruption and significant cost.
Security patching must be, at a minimum, a monthly task performed by your provider on a schedule that addresses Production, UAT and Dev systems. No server is too important to be patched, and an appropriate schedule should be arranged outside of core business hours if required.
2. Do you have an up-to-date antivirus platform?
It is recommended that your vendor provide an up-to-date antivirus solution for your entire IT infrastructure. More importantly, it must guarantee that all digital assets are up-to-date and protected. Antivirus is the first line of defense against exploits and vulnerabilities. When a virus signature is detected, the software will intercept and quarantine the virus, preventing any malware from spreading around the network.
Antivirus solutions can also deploy security policies that block USB access or mobile devices when attached to company assets. Devices are tracked for compliance and can be remotely wiped if in breach of the security policy.
TIP: Make sure you're protected with the right antivirus software solutions for your needs.
3. Does your provider offer vulnerability and penetration testing?
Hardening and securing internet facing servers and applications is a key part of cybersecurity. Servers that have static IP addresses must be scanned for vulnerabilities.
Vulnerability scanning. A vulnerability scan is run from an external source against a public IP range; it looks for weak or outdated versions of SSL/TLS encryption, expired certificates, out-of-date software, etc. The scanner matches its findings against a vulnerability database (typically by CVE identifier) and produces a report with the remedial actions needed to resolve each vulnerability.
Penetration testing. A security expert, sometimes referred to as an ethical hacker, will perform the penetration testing. Vulnerabilities will be targeted using specialist software that will attempt to breach and exploit any found vulnerability. Cybersecurity specialists use this information to add further security measures, plug any holes found, and complete related remedial actions.
4. Can your provider actively monitor network threat detections?
Network Intrusion Prevention Systems (NIPS) and Network Intrusion Detection Systems (NIDS) can monitor and alert on an entire IT infrastructure. They can output trend analysis reports, monitor network traffic, report on system performance, and track and monitor system/user behavior. This technology learns what is normal on your infrastructure and triggers warnings if anything deviates from that baseline.
NIDS/NIPS are software or hardware appliances that inspect all network traffic and the hosting environment. They analyze network packets and track network activity on a LAN/WAN. Over time the system learns what the expected behavior on the network is. It can alert on, and if required automatically block, unexpected traffic.
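The learn-a-baseline-then-flag-deviations behaviour described above, reduced to its simplest form as an added example (not the article's or any vendor's code): a per-host traffic baseline is learned from a training window, and each new observation is scored against it. The flow records, the hosts, and the alert/block thresholds are constructed assumptions for illustration, not captured traffic or a product's defaults.

```python
"""Baseline-and-deviation detection over per-host traffic volumes.

Added example, not from the original article. The flow records below are
constructed (host, minute, bytes sent in that minute); the z-score
thresholds are illustrative assumptions, not a product's defaults.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed training window: a workstation that normally sends ~50-70 KB/min
# and a file server that normally sends ~400-520 KB/min.
TRAINING_FLOWS: List[Tuple[str, int, int]] = (
    [("ws-17", m, b) for m, b in enumerate(
        [52000, 61000, 58000, 67000, 55000, 60000, 49000, 63000])]
    + [("fs-01", m, b) for m, b in enumerate(
        [410000, 480000, 455000, 520000, 470000, 430000, 500000, 445000])]
)

ALERT_Z = 3.0    # assumption: alert when an observation is 3 std devs above baseline
BLOCK_Z = 10.0   # assumption: block when it is 10 std devs above baseline


def learn_baseline(flows: List[Tuple[str, int, int]]) -> Dict[str, Tuple[float, float]]:
    """Return {host: (mean bytes/min, population std dev)} from the training window."""
    per_host: Dict[str, List[int]] = defaultdict(list)
    for host, _minute, nbytes in flows:
        per_host[host].append(nbytes)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def assess(baseline: Dict[str, Tuple[float, float]], host: str, nbytes: int) -> Tuple[str, float]:
    """Score one observation against the baseline.

    Returns (verdict, z) where verdict is "allow", "alert" or "block".
    A host never seen during training is always an alert: an unknown device
    talking on the network is itself a deviation from the baseline.
    """
    if host not in baseline:
        return "alert", float("inf")
    mu, sigma = baseline[host]
    # Floor the std dev at 5% of the mean so a very steady host does not
    # produce huge z-scores on harmless jitter (and avoids division by zero).
    sigma = max(sigma, 0.05 * mu)
    z = (nbytes - mu) / sigma
    if z >= BLOCK_Z:
        return "block", z
    if z >= ALERT_Z:
        return "alert", z
    return "allow", z


def assess_batch(baseline: Dict[str, Tuple[float, float]],
                 observations: List[Tuple[str, int, int]]) -> List[Tuple[str, int, str, float]]:
    """Score a batch of (host, minute, bytes) records; returns (host, minute, verdict, z)."""
    return [(host, minute, *assess(baseline, host, nbytes))
            for host, minute, nbytes in observations]


if __name__ == "__main__":
    base = learn_baseline(TRAINING_FLOWS)
    # Constructed observations: normal minute, a moderate spike, a massive
    # burst from the workstation, and a device that was never baselined.
    live = [("ws-17", 100, 60000), ("ws-17", 101, 90000),
            ("ws-17", 102, 2400000), ("fs-01", 100, 500000),
            ("unknown-aa", 100, 1000)]
    for host, minute, verdict, z in assess_batch(base, live):
        print(f"{host:10s} minute={minute} verdict={verdict:5s} z={z:.1f}")
```

The training window here is tiny so the arithmetic can be followed by hand; a real NIDS baselines many more features (ports, peers, packet rates, time of day) over days or weeks, and the "block" path would only be wired to enforcement on a NIPS after the baseline has proven stable.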
5. Can your provider secure network access to only approved devices?
Cybersecurity vendors can restrict network access to approved devices only. Network access is automatically denied if an unapproved device attempts to connect. The whitelisting of laptops, desktops, servers, and mobile devices is based on their MAC addresses.
Approved devices are loaded into the configuration of dedicated network hardware such as Adaptive Security Appliances (ASA). Cisco AnyConnect is one of the popular solutions that offer this capability. After a successful rollout, only approved devices can access network assets and internet resources on a delegated network.
6. Does your provider offer multi-factor authentication?
With MFA, you are required to combine something only you know (usually a password) with a security item you have (often a mobile phone) and something unique to you (such as a secure key, PIN code, fingerprint or retina scan). This information is validated by a security appliance that controls access to the devices.
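The "something you have" factor is most often a time-based one-time code from an authenticator app. As an added example (not the article's or any vendor's code), the block below implements the TOTP algorithm of RFC 6238 on top of HOTP (RFC 4226) and a server-side verifier with the two checks a practitioner would look for: constant-time comparison and rejection of a code that has already been accepted (replay). The secret is the RFC test-vector secret so the results can be checked against the published vectors; the user name and timestamps are constructed.

```python
"""TOTP (RFC 6238) generation and verification with a drift window and
replay rejection. Added example, not from the original article."""
import hashlib
import hmac
import struct
from typing import Dict

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# A real deployment provisions a random per-user secret, never a shared one.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken as the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check. Accepts a code for any step within +/- `window`
    of the current one (clock drift), compares in constant time, and
    refuses to accept a step at or before the last one accepted for that
    user, so a code that was observed and resubmitted is rejected."""

    def __init__(self, step: int = 30, window: int = 1, digits: int = 6):
        self.step = step
        self.window = window
        self.digits = digits
        self._last_counter: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        counter = now // self.step
        matched = None
        # Evaluate every candidate step; no early exit, so timing does not
        # reveal which candidate (if any) matched.
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            expected = hotp(secret, candidate, self.digits)
            if hmac.compare_digest(expected, code) and matched is None:
                matched = candidate
        if matched is None:
            return False
        if matched <= self._last_counter.get(user, -1):
            return False  # replay: this step (or an earlier one) was already used
        self._last_counter[user] = matched
        return True


if __name__ == "__main__":
    # Constructed usage: the RFC vector for T=59 is "287082"; submit it once
    # (accepted), then again (rejected as a replay).
    verifier = TotpVerifier()
    print(totp(TEST_SECRET, 59))
    print(verifier.verify("alice", TEST_SECRET, "287082", 59))
    print(verifier.verify("alice", TEST_SECRET, "287082", 59))
```

The `window` parameter is the usual trade-off: a window of one step tolerates phone clocks up to 30 seconds out, while widening it lengthens the interval during which an observed code stays valid, which is exactly why the verifier also records the last accepted step.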
7. How does your IT vendor assess their employees' security awareness?
Finally, and arguably one of the most important questions to ask, is around security awareness and training. Human error accounts for a significant proportion of cybersecurity issues, but adequate training can redress the problem.
Vendors must vet and background-check all employees as standard, then run a training program that focuses staff on the dangers of phishing and social engineering. Training is often the best weapon your IT vendor has against cybersecurity risks. Keeping staff in tune with the latest risks and security trends will give your organization the best possible start for a strong cybersecurity policy.
8. How does your IT provider audit their services to ensure their effectiveness and breadth?
It is essential that your IT provider is externally audited on its cybersecurity policies and procedures. This will ensure that the provider is adhering to information security best practices. Many vendors are self-assessed; however, it is recommended that a third party complete the assessment. An external review produces an unbiased and thorough audit of the IT provider's services. This way you can be assured that any recommendations for threat and risk assessments are coming from a reputable, unbiased source. This approach helps to create trust between you and the provider, safe in the knowledge that the cybersecurity offerings are designed to serve your best interests rather than the provider's.
A quality IT provider can add extra value to your business; they should be able to answer each question above positively as well as offer additional services that can bolster your cybersecurity strategy. These include the capability to design a disaster recovery strategy, assist with a reliable backup strategy, report on the threat landscape of your business, and offer information security awareness training.
Christopher Gerg is the Vice President of Cyber Risk Management at Gillware. He is a technical lead with over 15 years of information security experience. Christopher has worked as a Systems Administrator, Network Engineer, Penetration Tester, Information Security Architect, Vice President of Information Technology, Director and Chief Information Security Officer. He has experience in the challenges of information security in cloud-based hosting, DevOps, managed security services, e-commerce, healthcare, financial, and payment card industries. He has worked in mature information security teams and has built information security programs from scratch and led them into maturity in a wide variety of compliance regimes. While an expert in the theoretical aspects of information security best practice, he is also experienced in the practical aspects of building secure technical environments and working with the boardroom to promote executive understanding and support. He also authored the O'Reilly and Associates book "Managing Network Security with Snort and IDS Tools."