How to Know if You are at Risk for a Data Breach
From Quest Diagnostics to Facebook, 2019 was a banner year for third-party data breaches. But it wasn't just big-name corporations bearing the brunt. The Ponemon Institute found that over half of SMBs have experienced a third-party breach since 2018. These security events cost on average $7.5 million to remediate - from data recovery to regulatory fines to reputational damage. Even if your company works with a modest number of third parties, the most important one is also the most frequently overlooked - your Managed Services Provider. As IT solutions providers, MSPs are assumed to have the security high ground. But many are cutting corners. And if they're doing that with their own IT infrastructure, you can imagine how they're treating yours.
Here are three indicators your current MSP is putting you at undue risk for a data breach:
Third-Party Security Is Not Your MSP's Priority
Before anything else, you need to have a thorough understanding of how your MSP operates. During the hiring process you probably reviewed their Service Level Agreements (SLAs). Now's the time to take another look. Have their SLAs changed over the course of your working relationship, perhaps to accommodate new regulations or best practices? What steps are they taking to ensure your infrastructure is geo-redundant in the event of downtime? Is their cybersecurity practice one you'd want to emulate within your own organization? After reviewing their SLAs and related documentation, you should have a clear view into their:
- Regulatory Compliance: contractual requirement to maintain data protection and privacy regulations in accordance with applicable state, federal, and international regulations
- Addressing Non-Compliance: clearly outlined actions, penalties, and remediation for third parties that fail to meet predetermined security requirements
- Vetting Third-Party Practice: maintain processes for evaluating the security capabilities of business partners, vendors, etc.
- Liability Mitigation: review third parties' insurance policies to assess adequacy of coverage
- Breach Response Procedures: develop formal incident response plans including testing and allocation of responsibility to key stakeholders
Ad Hoc System Updates and Network Patching
Phasing resources into or out of your infrastructure takes careful planning. You don't want to leave gaps in coverage or compromise your existing application stack. And you certainly don't want to deprive employees of the tools they need. The value of strategic planning returned to the spotlight recently, as Microsoft's Windows 7 operating system reached official end-of-life. As of January 14th, Microsoft stopped sending automatic security patches to the OS (unless users purchased additional "extended security updates"). In spite of the danger posed by unpatched systems, 47% of SMBs are still running on the OS. This suggests that for many in the 47%, their MSPs likely didn't inform them of the dangers of running unpatched Windows 7, failed to establish a timely migration roadmap, or assumed they would pay for extended updates. That's not the type of IT service your company should be relying on. You need an MSP that's proactive when it comes to system overhauls - from updates to new opportunities for employee betterment to a better ROI on cloud resources.
You Haven't Discussed Disaster Recovery... Recently
If you've grown your workforce, implemented a new tech tool, incorporated mobile devices into your network, or experienced a new industry regulation - you need to update your Business Continuity and Disaster Recovery plan. Workplace changes, even those perceived as minor, play a huge role in the health of your network. Your MSP should be actively looking for ways to strengthen and secure your content - through cloud-based back-ups, next generation firewalls, and more. Your technical policies should be treated as living documents that you and your MSP routinely improve. If Disaster Recovery and Business Continuity haven't been a recent topic of discussion, your MSP may be stuck in a reactive rather than proactive mode. This will only hinder your business, depriving you of the long-term benefits of strategic IT choices.
If you're concerned your current MSP is putting you at risk for a data breach, it might be time for an objective analysis. From network assessments to penetration tests, our experts can give you a 360° view of your IT infrastructure. For more information about these services, and securing your business-critical data, reach out to iCorps for a free IT consultation.