Your business has a lot of sensitive data about your operations, your partners, and your customers. You are likely (hopefully) doing everything you can to protect that information from hackers who want to steal it and make money off it. You’ve even hired an I.T. support company to make things more secure — unless your I.T. provider is inadvertently making you vulnerable to attack!
Many businesses, especially those too small to have an I.T. budget big enough for a robust internal defense team, turn to I.T. support companies to meet their I.T. needs. These providers work with many businesses, achieving economies of scale. The problem is that hackers have discovered they can achieve their own economies of scale by targeting outsourced I.T. Support and MSPs instead of individual businesses. This is a real, current threat. On Dec. 20, 2018, the Department of Justice charged two Chinese hackers with targeting managed service providers like I.T. support companies.
When you outsource your I.T. to a support company, you’re basically giving it the keys to your business kingdom. You have to give the company access to conduct system updates, install anti-virus software, and perform whatever security measures are necessary to keep your system secure. Because that provider will take on many other clients, it necessarily holds the keys to many other companies as well. This makes them a prime target for hackers who want to infiltrate an I.T. support provider’s network and compromise other networks, all while evading detection.
Despite the risk, you still need your technology managed, and outsourcing to an I.T. support provider is often the best solution for small to mid-sized businesses. Before you make your selection, it’s critical to thoroughly vet potential providers before you hand over your keys. Get references from the provider’s clients, check social media, and visit their offices — it’s amazing what you can find out on-site and in person. In addition, ask a prospective I.T. support provider these two basic questions.
- How do you handle client passwords?
Plenty of MSPs keep customer passwords in a neatly organized “secure” spreadsheet. Does it work? Absolutely. Is it secure? Not even close.
To find out the company’s own policy for how it controls access to your data, ask about not only when and how passwords are stored and who has access to them, but also how the company deals with staff turnover. That last one is crucial: Everyone has turnover, and learning how the company controls access after someone leaves speaks volumes about its security.
In your conversations with prospective providers, you should also listen for the term “two-factor authentication.” While no security method is absolutely impenetrable, two-factor authentication is the most practical way to keep things secure on the internet. I.T. support companies should be using two-factor authentication to control access to their internal systems and to your data.
- Are your employees trained to spot phishing?
If security training did not come up in your initial meetings about the I.T. provider’s service offerings, that should raise a red flag. Phishing is a universal security threat for all organizations, which is why you need to ask about it specifically. Phishing, or emails containing malware that appear legitimate, is inescapable given the average of 16 malicious emails users receive every month.
All it takes to compromise an I.T. support company — and therefore all of the client networks — is a single employee clicking on the wrong email. Even if you opt out of training for your own company, the I.T. support provider should absolutely be offering it. More important, the company needs to be practicing what it preaches. Conducting internal training on the latest threats for all of the provider’s own staff members is a crucial part of that.
In addition to the increasing rate of fraudulent emails, hackers are getting better at disguising them. Spear-phishing is a practice by which hackers closely imitate the email addresses or email signatures of a person you typically receive mail from. For example, the hackers might slightly modify your email address and send an email to your employees asking them to click on a link. If your normal email is “email@example.com,” and someone uses “firstname.lastname@example.org,” some of your employees might miss the one letter change that signals it didn’t come from you. That’s phishing. If employees aren’t trained to look carefully for these tiny red flags, they’ll almost certainly miss them. Don’t let an I.T. support provider train your personnel if it can’t — or won’t — bother to train its own.
The good news is that most I.T. support companies are doing things the right way. You just need to make sure you’re not picking one of the ones that don’t. That means doing your homework before turning over the keys to your business.
If your current I.T. Support company does not offer Cybersecurity Awareness Training for employees, including How to Spot Phishing Attempts and you're interested in learning more, reach out to The Purple Guys today.