4 Security Questions to Ask When Outsourcing IT Operations to Make Sure Your Business Isn't at Risk

Understanding the distinction between security and IT can save your business time and money

By Paul Ihme


Opinions expressed by Entrepreneur contributors are their own.

Outsourcing IT operations to managed IT services providers (MSPs) is a common trend for businesses looking to maintain operational efficiency while cutting costs. In addition to assisting with IT infrastructure management, 38 percent of businesses that hire an MSP do so with the expectation that their business will have enhanced security and meet regulatory compliance requirements. However, it is critical to understand that "IT management" and "IT security" are not synonymous. Failing to understand the difference between the two can result in dangerous and expensive outcomes for your business.

IT shortcomings affect security.

"There's nothing you can do. Just pay it," a business owner was told by his MSP after his firm was hit with a $50,000 ransomware attack. It's not an answer any company wants to hear after falling victim to hackers, and it was not long after this conversation that our incident response team received a call wondering if something could be done besides "just paying it" or losing data.

Further conversations revealed important details about the firm's post-attack situation. The victim had no data backups or records of security events. Additionally, all files had been deleted from the affected laptop, and the phishing email that initiated the incident was destroyed by the MSP in a misguided attempt to respond to the incident. These combined factors turned what should have been an easily manageable ransomware situation into an unnecessarily complicated and costly incident. Furthermore, all actions taken after the attack were completely reactive, and no measures were taken to prevent the same attack from succeeding again in the future.

Unfortunately, this scenario is not unique. Cases of incidents that could have been avoided by simple, low-cost IT configurations and user training are cropping up at our office with increasing frequency. In the past six months alone, we have seen the following issues while responding to security incidents:

  • Clients and MSPs with no incident response plan
  • Clients with no data backups or clients who did not fully understand how their data was being backed up
  • No tools in place to keep records of important security-related actions that have taken place on the company network, or tools that were not being properly used
  • "24/7" IT service providers that were completely unresponsive during weekends
  • Corporate and guest WiFi networks that are not properly separated from one another and secured

Each of these shortcomings can make preventing, detecting and responding to security incidents much more difficult or even impossible.

Questions to ask before choosing an MSP

Some security issues, like the ones listed above, result from providers underperforming or misrepresenting their capabilities. However, others are due to the customer not understanding or requesting the services and solutions they need.

Most organizations that contract MSPs do so because they do not have the expertise to effectively handle these issues in-house. It is obvious to these businesses they need help to keep their IT resources running, but failing to consider security when choosing an MSP presents risk. With this in mind, business leaders searching for IT help should include the following considerations in their decision-making process:

1. Make sure you understand what security services you need and ask for them by name.
Ask specific questions to ensure that you understand what you are getting. For example, if you are purchasing data backup services, make sure that you know where the data is backed up, how long it is stored, how many versions of your data are kept and how long it takes for data to be restored from backups. If you are satisfied with the answer, make sure to get it in writing.

2. Ask about the MSP's own incident response plans and how they will help you handle potential security incidents.
What is their response time? Do they perform incident response services? Do they have a partner or recommended firm for these actions? A lack of an incident response plan for their own business security should be a major red flag.

3. Have a "technical translator."
Asking MSPs security-related questions is only valuable to your firm if you can understand the answers and determine what they mean for your business. If your team does not have any security-minded people on staff to conduct interviews with MSPs, consider hiring a security consultant who can speak with service providers with you or on your behalf. Upon engaging an MSP, a third-party security consultant can work with you and potential service providers to ensure your IT infrastructure is designed with your business's best interests in mind.

4. Make sure your security measures are effectively implemented.
Once the systems and services are in place, have your security consultant perform an audit of their solutions and services to ensure that all security measures and processes are implemented in a manner that allows your business to be operational without putting your business's security on the line.

It cannot be assumed that an MSP will fill the role of a trained security specialist. Being mindful of the differences between IT and security, and understanding their roles and implications for your business, is critical to having business operations that are both functional and secure. Being upfront with MSP candidates about your security concerns, asking pointed questions about your security needs and being prepared to interpret technical answers is critical for all businesses choosing an MSP.

Paul Ihme

President of Consulting Services at Soteria

Paul Ihme serves as president of consulting services at Soteria, a cyber security consulting firm based in Charleston, S.C. As a former hacker for the National Security Agency, Ihme leverages his expertise to keep businesses ahead of current and emerging security threats. His publications focus on providing businesses practical and actionable advice for improving their security and meeting their regulatory compliance requirements. 
