According to a recent RSM report, 40% of midsized companies outsource IT services to obtain cost-effective expertise and keep current with rapidly changing technology and threats. The critical issue these companies face is determining which IT outsourcing company to trust, since the report also found that many mid-market companies are worried about a cyberattack on a supplier. As an industry veteran, we recommend asking the following questions to ensure you are working with an IT security company you can depend on.
1. Are you SSAE 18 SOC 2 certified each year?
Service organizations like IT outsourcing companies use Statement on Standards for Attestation Engagements 18 (SSAE 18), a set of standards for privacy and security controls, to identify and manage security risks involved in handling customer data. To prove their compliance with these standards, they hire a CPA to audit and report on their controls using a framework called System and Organization Controls 2 (SOC 2). A satisfactory audit allows companies to earn a SSAE 18 SOC 2 certification. This regular certification not only proves the company’s controls are strong, but also that they are willing and able to invest in maintaining their certification as well as keep current with rapidly changing technology and threats.
2. Do you perform all IT services in-house?
Some IT service providers use third parties to expand the types of support they offer. While this doesn’t necessarily count as a red flag, it can reduce the quality of services and it makes it harder for you to understand who has access to your systems – which increases your risk of a data breach. If the third-party is not based in the US, it can further reduce service quality and increase your security risk.
3. Do you undergo an in-depth, third-party penetration test each year?
A penetration test identifies how a cybercriminal might get into a company’s network and systems in order to steal data and compromise operations. Be sure to work with an IT service provider that not only performs an annual penetration test to proactively identify and remedy vulnerabilities in their systems that could leave your network and systems open to attack, but also invests in a thorough test performed by a reputable third-party.
Many penetration testers will charge a few thousand dollars to perform automated scans of the outside of a computer network and report which areas are vulnerable to attack. While this information is necessary, it doesn’t go far enough in identifying network vulnerabilities. An in-depth test is performed by a human being who emulates cyberattackers by trying multiple methods of getting into your systems from inside as well as outside of your network.
4. Do you offer a cybersecurity guarantee?
You pay your IT security company to prevent cybercriminals from harming your business. If an attack slips past their cybersecurity defenses, it doesn’t seem fair for you to pay them to fix a problem they were supposed to prevent.
At Xantrion, our cybersecurity expertise is some of the best in the business – we are one of the top 200 Managed Service Security Providers (MSSPs) in the United States. We can also provide positive answers to the questions above and more! Contact us if you’re worried about the answers you received to any of the questions above, or download our checklist on how to find the right IT provider for you.