Your business has a lot of sensitive data about your operations, your partners, and your customers. You are doing everything you can to protect that information from hackers who want to steal it and make money off it. You’ve even hired an IT support company to make things more secure — unless your IT provider is inadvertently making you vulnerable to attack!
Many businesses, especially those too small to have an IT budget big enough for a robust internal defense team, turn to IT support companies to meet their IT needs. These providers work with many businesses, achieving economies of scale. The problem is that hackers have discovered they can achieve their own economies of scale by targeting outsourced IT support companies and MSPs instead of individual businesses. This is a real, current threat. On Dec. 20, 2018, the Department of Justice charged two Chinese hackers with targeting managed service providers like IT support companies.
When you outsource your IT to a support company, you’re basically giving it the keys to your business kingdom. You have to give the company access to conduct system updates, install anti-virus software, and perform whatever security measures are necessary to keep your system secure. Because that provider will take on many other clients, it necessarily holds the keys to many other companies as well. This makes them a prime target for hackers who want to infiltrate an IT support provider’s network and compromise other networks, all while evading detection.
Despite the risk, you still need your technology managed, and outsourcing to an IT support provider is often the best solution for small to mid-sized businesses. Before you make your selection, it’s critical to thoroughly vet potential providers before you hand over your keys. Get references from the provider’s clients, check social media, and visit their offices — it’s amazing what you can find out on-site and in person. In addition, ask a prospective IT support provider these two basic questions.
- How do you handle client passwords?
Plenty of MSPs keep customer passwords in a neatly organized “secure” spreadsheet. Does it work? Absolutely. Is it secure? Not even close.
To find out the company’s own policy for how it controls access to your data, ask about not only when and how passwords are stored and who has access to them, but also how the company deals with staff turnover. That last one is crucial: Everyone has turnover, and learning how the company controls access after someone leaves speaks volumes about its security.
In your conversations with prospective providers, you should also listen for the term “two-factor authentication.” While no security method is absolutely impenetrable, two-factor authentication is the most practical way to keep things secure on the internet. IT support companies should be using two-factor authentication to control access to their internal systems and to your data.
- Are your employees trained to spot phishing?
If security training did not come up in your initial meetings about the IT provider’s service offerings, that should raise a red flag. Phishing is a universal security threat for all organizations, which is why you need to ask about it specifically. Phishing, meaning emails that appear legitimate but contain malware, is inescapable given the average of 16 malicious emails users receive every month.
All it takes to compromise an IT support company — and therefore all of the client networks — is a single employee clicking on the wrong email. Even if you opt out of training for your own company, the IT support provider should absolutely be offering it. More important, the company needs to be practicing what it preaches. Conducting internal training on the latest threats for all of the provider’s own staff members is a crucial part of that.
In addition to the increasing rate of fraudulent emails, hackers are getting better at disguising them. Spear-phishing is a practice by which hackers closely imitate the email addresses or email signatures of a person you typically receive mail from. For example, the hackers might slightly modify your email address and send an email to your employees asking them to click on a link. If your normal email is “firstname.lastname@example.org,” and someone uses “email@example.com,” some of your employees might miss the one letter change that signals it didn’t come from you. That’s phishing. If employees aren’t trained to look carefully for these tiny red flags, they’ll almost certainly miss them. Don’t let an IT support provider train your personnel if it can’t — or won’t — bother to train its own.
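One defensive check for the one-letter lookalike addresses described above, added here as an example and not taken from the original article: a small Python script that compares each incoming From address against a list of trusted senders and flags any address that is within one edit of a trusted one but is not an exact match. The trusted addresses and the sample From headers are constructed for this example.

```python
# Added example: flag sender addresses that are a one-edit lookalike of a
# trusted address. The trusted list and sample headers are constructed data.
from typing import Iterable, List, Optional, Tuple

TRUSTED_SENDERS = {  # constructed sample data, not real addresses
    "ceo@acme-corp.example",
    "billing@acme-corp.example",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character insertions,
    deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, trusted: Iterable[str] = TRUSTED_SENDERS,
                 max_edits: int = 1) -> Optional[str]:
    """Return the trusted address that `sender` imitates, or None.
    An exact (case-insensitive) match is legitimate and returns None;
    an address that is not close to any trusted one also returns None."""
    sender = sender.strip().lower()
    if sender in trusted:
        return None
    best: Optional[Tuple[int, str]] = None
    for t in trusted:
        d = edit_distance(sender, t)
        if d <= max_edits and (best is None or d < best[0]):
            best = (d, t)
    return best[1] if best else None


def flag_lookalikes(from_headers: Iterable[str],
                    trusted: Iterable[str] = TRUSTED_SENDERS) -> List[Tuple[str, str]]:
    """Scan From headers and return (suspicious_sender, imitated_address) pairs."""
    return [(h, t) for h in from_headers if (t := lookalike_of(h, trusted))]


SAMPLE_FROM_HEADERS = [  # constructed: one clean, two lookalikes, one unrelated
    "ceo@acme-corp.example",
    "CEO@acme-c0rp.example",      # 'o' replaced by zero
    "biling@acme-corp.example",   # one 'l' dropped
    "newsletter@vendor.example",
]
```

Run `flag_lookalikes(SAMPLE_FROM_HEADERS)` to see the two imitation addresses paired with the trusted addresses they mimic; the exact match and the unrelated vendor address are not flagged.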
The good news is that most IT support companies are doing things the right way. You just need to make sure you’re not picking one of the ones that don’t. That means doing your homework before turning over the keys to your business.