4 Security Questions to Ask When Outsourcing IT Operations to Make Sure Your Business Isn't at Risk

Understanding the distinction between security and IT can save your business time and money

By Paul Ihme


Opinions expressed by Entrepreneur contributors are their own.

Outsourcing IT operations to managed IT services providers (MSPs) is a common trend for businesses looking to maintain operational efficiency while cutting costs. In addition to assisting with IT infrastructure management, 38 percent of businesses that hire an MSP do so with the expectation that their business will have enhanced security and meet regulatory compliance requirements. However, it is critical to understand that "IT management" and "IT security" are not synonymous. Failing to understand the difference between the two can result in dangerous and expensive outcomes for your business.

IT shortcomings affect security.

"There's nothing you can do. Just pay it," a business owner was told by his MSP after his firm was hit with a $50,000 ransomware attack. It's not an answer any company wants to hear after falling victim to hackers, and it was not long after this conversation that our incident response team received a call wondering if something could be done besides "just paying it" or losing data.

Further conversations revealed important details about the firm's post-attack situation. The victim had no data backups or records of security events. Additionally, all files had been deleted from the affected laptop, and the phishing email that initiated the incident was destroyed by the MSP in a misguided attempt to respond to the incident. These combined factors turned what should have been an easily manageable ransomware situation into an unnecessarily complicated and costly incident. Furthermore, all actions taken after the attack were completely reactionary and no measures were taken to prevent the same attack from being successful again in the future.

Unfortunately, this scenario is not unique. Cases of incidents that could have been avoided by simple, low-cost IT configurations and user training are cropping up at our office with increasing frequency. In the past six months alone, we have seen the following issues while responding to security incidents:

  • Clients and MSPs with no incident response plan
  • Clients with no data backups or clients who did not fully understand how their data was being backed up
  • No tools in place to keep records of important, security-related actions that have taken place in the company network, or tools that were in place but not properly utilized
  • "24/7" IT service providers that were completely unresponsive during weekends
  • Corporate and guest WiFi networks that are not properly separated from one another and secured

Each of these shortcomings can make preventing, detecting and responding to security incidents much more difficult or even impossible.

Questions to ask before choosing an MSP

Some security issues, like the ones listed above, result from providers underperforming or misrepresenting their capabilities. Others, however, are due to the customer not understanding or requesting the services and solutions they need.

Most organizations that contract MSPs do so because they do not have the expertise to effectively handle these issues in-house. It is obvious to these businesses they need help to keep their IT resources running, but failing to consider security when choosing an MSP presents risk. With this in mind, business leaders searching for IT help should include the following considerations in their decision-making process:

1. Make sure you understand what security services you need and ask for them by name.
Ask specific questions to ensure that you understand what you are getting. For example, if you are purchasing data backup services, make sure that you know where the data is backed up, how long it is stored, how many versions of your data are kept and how long it takes for data to be restored from backups. If you are satisfied with the answer, make sure to get it in writing.

2. Ask about the MSP's own incident response plans and how they will help you handle potential security incidents.
What is their response time? Do they perform incident response services? Do they have a partner or recommended firm for these actions? A lack of an incident response plan for their own business security should be a major red flag.

3. Have a "technical translator."
Asking MSPs security-related questions is only valuable to your firm if you can understand the answers and determine what they mean to your business. If your team does not have any security-minded people on staff to conduct interviews with MSPs, consider hiring a security consultant who can speak with service providers with you or on your behalf. Upon engaging an MSP, a third-party security consultant can work with you and potential service providers to ensure your IT infrastructure is designed with your business's best interests in mind.

4. Make sure your security measures are effectively implemented.
Once the systems and services are in place, have your security consultant perform an audit of their solutions and services to ensure that all security measures and processes are implemented in a manner that allows your business to be operational without putting your business's security on the line.

It cannot be assumed that an MSP will fill the role of a trained security specialist. Being mindful of the differences between IT and security and understanding their roles and implications for your business is critical to having business operations that are both functional and secure. Being upfront with MSP candidates about your security concerns, asking pointed questions about your security needs and being prepared to interpret technical answers is critical for all businesses choosing an MSP.

Paul Ihme

President of Consulting Services at Soteria

Paul Ihme serves as president of consulting services at Soteria, a cyber security consulting firm based in Charleston, S.C. As a former hacker for the National Security Agency, Ihme leverages his expertise to keep businesses ahead of current and emerging security threats. His publications focus on providing businesses practical and actionable advice for improving their security and meeting their regulatory compliance requirements. 
