12 Security Questions to Ask Your IT Company

Passwords, firewalls, and antivirus software should be just the tip of the iceberg for security, but some IT companies stop there and call it a day.

Most companies will experience a data breach at some point, and you might not be aware of it right away. Some breaches go unreported, and some IT providers don’t monitor security as well as they should.

It can be hard to tell if your managed services provider (MSP) is taking the right steps to keep you safe. Ask your IT team these questions to make sure they’re doing everything they can to protect your business.

1. What kind of password security do you have?

Your MSP should have prevention and monitoring standards for password security for your company’s accounts and programs.

Stricter password requirements include setting minimum character requirements, allowing or requiring uppercase and special characters, and preventing repeated characters.

You also want to know if a hacker is trying to get into your network. Login lockouts prevent hackers from trying lots of combinations to get into your account. Adding login logging sends an alert if someone’s trying a brute force attack.

2. Do you use the same admin passwords or account for all customers?

MSPs use administrator accounts to manage software and applications for customers. Using the same admin account to manage multiple customers is easier to manage but presents a bigger risk than creating individual accounts for each customer.

The risk increases exponentially with the size of the MSP; the bigger the MSP, the more clients and the more techs with access to customer accounts.

IT companies can mitigate that risk with a unique account or password per customer. That way a breach could only affect one business, not all of them.

3. How often do you update admin passwords?

The industry standard is to update admin passwords every 90 days or when someone who has access leaves the company.

Think about what happens when someone leaves the MSP. They could have access to the admin account for not just one company they worked on but all of the MSP’s clients.

It’s estimated that up to 87% of people take data when they leave a company. What if they take the master key to all of your company’s technology and data?

Admin passwords need to be changed more frequently than most user passwords, which might have a lifespan of 6 months.

4. Do you use multi-factor authentication?

Multi-factor authentication, 2-factor authentication, or two-step verification is a password system that’s more secure than a single password.

When you log in with your username and password, you can choose to send another code to your email or phone. Click the link or enter the code and you’re in.

It’s just like using your ATM card with your PIN to withdraw money from your checking account. You’re proving your identity to the bank with 2 pieces of information, so it’s more secure.

Multi-factor auth ensures it’s really you logging in and not someone who guessed or hacked your password.

2-factor auth programs like Duo make it easy to log in and confirm your identity for almost any program or device. 2-factor auth also acts as a monitoring tool that notifies you if someone’s trying to log in to your account without it.

This is especially important for IT admin accounts but can also be added to important customer programs that need an extra layer of security.

5. Do you offer proactive monitoring?

Preventing a breach is much easier than fixing one.

IT security is like going to the dentist. You brush your teeth every day to prevent cavities and gum disease. If you skipped brushing for a year, you might have to suffer with a filling or root canal at your next dentist visit.

Your IT team should be taking daily steps to protect and monitor your environment.

Proactive monitoring could include daily, on demand, or change monitoring. You might want a scan every day, after certain events, or only when something’s been changed.

Monitoring software can include:

  • Firewall traffic – alerts if someone tries a brute force or DDOS attack, can block IP ranges if it detects suspicious activity
  • Firewall configuration backups and logs – logs changes and settings to help detect mistakes, hackers, or breaches
  • Server monitoring and alerts – notifies when servers are down, such as if a hacker logged in and rebooted it
  • Antivirus updates and trends – see infected machines and repeat victims of viruses & threats
  • Backup monitoring – makes sure backups are working and correctly archiving
  • System bottlenecks – helps detect misuse of company resources based on changes in processor and RAM utilization

6. Do you do regular scans?

Annual or regular scanning is part of a comprehensive security prevention program. Your MSP should be scanning your network and sending reports about risks.

A scan might involve checking for risks with a penetration test, cyber threat assessment program (CTAP), Nessus vulnerability scan, etc.

Scanning can uncover open ports, unpatched software, or open public IPs that might compromise a server or be vulnerable to a virus or hack attempt.

There may be extra costs involved for network and security scans and any recommended fixes or patches found during the scans. Your MSP might need to consult with security experts if they’re not prepared for the level of protection you need.

7. Do you test your backups?

You might think your backups are working. Your MSP’s backup monitoring scans might even say they are. That’s no guarantee the monitoring isn’t giving a false positive.

Most companies test disaster recovery plans once a year. Could you afford to lose a year’s worth of information?

Backup testing is more involved than monitoring. Backup tests duplicate conditions where you’d need backup restores, including format, hardware, time frame, size, and speed.

If you have a lot of data, multiple office locations, or key files that need extra layers of protection, you might have multiple backups. You need to test all of your backups, not just the first level.

Bonus tip: while you’re testing backups, find out costs and timing for backups, from partial to bare metal restores. You’ll want to know the best option for different disaster scenarios and how much time and money each will cost.

8. Does every user have access to all files?

Say everyone in your company has access to the same files on a shared network drive.

Then someone gets hit with the Cryptolocker ransomware virus. Suddenly all of the files across the whole network are locked until you pay up.

If you have no backups, old backups, or no way to restore files, you can’t get them back unless you pay the ransom. Even then there’s no guarantee the hackers will unlock your data.

Your MSP should help secure your data with custom file permission rules. They can set up custom permissions for departments or teams while making it easy to make changes or get access for new users.

Smaller companies might not need a lot of file permissions, but it’s a good conversation to have to make sure your data’s protected and you know who has access to what.

9. Do you have secure remote application access?

If you log in to a remote VPN (virtual private network) to access company data, make sure it’s secure.

VNC (virtual network computing) connections are unsecured, unencrypted traffic that can be more easily hacked.

Remote desktop software (RDS) tools like RemoteApp are encrypted and easy to access from anywhere. You don’t need to bring your work computer to access programs and files, which is convenient for traveling and more secure than leaving your computer on and logging into it remotely. You can even use the same login.

10. What’s your procedure for when there’s a breach?

The quick version:

  • Shut down the server/access/breach location
  • Identify the problem and cause
  • Report the breach to customers who might be affected
  • Report the breach to groups like HIPAA if appropriate
  • Follow recommendations to prevent it and make sure it doesn’t happen again

The long answer will depend on many factors from the industry and affected clients to the specific situation and scope. The important things is for them to be prepared and for you to be aware of their procedure.

There is no guarantee they will follow this procedure in an actual breach or emergency. Ask if your IT team has a disaster recovery plan and if they can share the results of their business continuity testing, which they should be doing regularly.

11. Who handles help desk support?

When you call in for help or put in a ticket, who do you talk to?

Is their first line of tech support a team in India, or maybe an automated calling system? Maybe you’ll be greeted by an internal team without a lot of training, other than the ability to escalate issues or send you to a third party vendor at the first sign of trouble.

When someone does work on your tech problem, are they responsive and communicative, or do they keep you waiting for 2 weeks or close the issue without resolution?

Bad customer service isn’t something you have to put up with from your IT team. If you’re having issues or hearing about problems from within your company, speak up. Set up a meeting with your MSP to address the issues.

If your IT team isn’t willing to address your concerns, remember that you have options when it comes to who manages your technology. Subpar support for troubleshooting could indicate other issues with the company you’re not aware of.

12. Are you willing to address any of these security issues?

Not all of these questions will apply to your business or industry, but they’re a good starting point to determine risk and security standards.

If your MSP isn’t following all of these standards, see if they’re willing to work with you to become more secure.

Your IT team should be willing to work with you to improve your security. They should be transparent about the reasons for not following these standards, or discuss steps to becoming more secure.

What are some other warning signs of a bad IT company? Share in the comments.

Leave a Reply

Your email address will not be published. Required fields are marked *