Six Cyber Security Questions you should ask your Managed Service Provider
For companies, cybercrime isn't a question of if it happens; it's when. We continue to see high-profile data breaches and cyber attacks on businesses across England and Wales each week. Companies need to talk to their Managed Service Providers (MSPs) regularly about cybersecurity concerns, and if you're not happy with the answers, engage with your local Cyber Resilience Centre.
Like every other aspect of your business, the defences you put in place can be constrained by the size of your budget and the trade-offs that additional costs involve.
If you're paying a Managed Service Provider, you want to be assured that you're working with someone who understands the threats your business faces and caters to those needs.
Before signing your contract, ask your IT support provider about cybersecurity solutions relevant to your business. Whilst IT solutions look different for every business, the questions below will help you determine whether you need custom solutions.
What Cyber Security Questions Should You Ask Your Managed Service Provider?
Do you offer cybersecurity awareness training for our staff members? How often do staff need to be trained?
Many managed service providers (MSPs) offer security awareness training as part of their services for businesses. As cyber security threats evolve and become more sophisticated, MSPs should recognise the importance of educating businesses on best practices and raising awareness about potential cyber risks.
Before offering training, an MSP might assess a business's specific cybersecurity needs and vulnerabilities through a cyber risk assessment or security audit. A cyber risk exposure assessment helps to understand training requirements and the areas that need the most focus.
The training staff need will depend on your industry, size, and regulatory requirements, but every staff member should receive cybersecurity awareness training while working for your business. It is recommended to provide regular and ongoing training to ensure staff members stay informed and vigilant against evolving cyber threats. Ensure staff are trained when they start a new role and every 6-12 months to keep on top of emerging cyber threats.
There are three main methods of delivering security awareness training: online training courses, in-person delivery, and webinars (often made available on demand). Web-based training gives you flexibility and convenience, so employees can access the training materials at their own pace and from any location, which is very useful if you have several remote staff. Online training should fully engage learners with interactive elements, quizzes, and assessments to ensure staff aren't completing the training as a box-ticking exercise.
With in-person workshops, you have much more direct interaction between trainers and employees, with more opportunities to encourage engagement, discussion, and real-time clarification of staff questions. Depending on the organisation's preferences and available budget, these can be conducted at the company's office or in a hired meeting space.
Webinars can combine the convenience of online training with the best parts of in-person workshops, but they are often the method staff engage with least. The best webinars use interactive presentations, demonstrations, and Q&A sessions. Webinars can be helpful when training a large, geographically dispersed workforce across the UK.
Not all MSPs will offer training specific to cyber security. If your MSP doesn't provide this, the North West Cyber Resilience Centre can offer your business a tailored security awareness training programme. Talk to us today to get a quote for your business.
How can I reduce the number of phishing emails and other social engineering attacks on my business? And how do I train staff to detect phishing emails better?
A simulated phishing exercise helps to raise your staff's awareness of phishing emails and guards your business against the growing trend of social-engineering threats. Training your employees on what a phishing attack looks like makes them more likely to identify and report scams.
An MSP should provide comprehensive training programs and resources that help educate employees about phishing techniques and social engineering tactics. By raising awareness and promoting a security-conscious mindset, your businesses can reduce the chances of falling victim to phishing attacks.
MSPs should also employ security monitoring tools and proactive threat intelligence feeds to identify and respond to emerging phishing threats in your business.
Does your MSP conduct Simulated Phishing Campaigns to keep your staff alert and aware? The Cyber Resilience Centre offers a Simulated Phishing Exercise (often coupled with our Security Awareness Training). A Simulated Phishing Campaign helps to educate your staff about the latest phishing techniques and shows them the newest phishing email examples and what to look out for.
Do I need to perform a comprehensive cybersecurity risk assessment of my business before getting Security Awareness Training?
It is best practice to conduct regular cybersecurity risk assessments of your business. The complexity of the assessment and the frequency with which it should be completed depend on a business's size and potential for future growth. For some, an annual assessment will suffice; for others that are growing significantly, it is advised to assess more frequently, every 3 or 6 months.
Risk assessments will not only allow your company to track its hardware and software assets, update management, password policies and usage, security awareness training programmes, and network topology (layout), but will also provide you with a wealth of evidence and documentation that can be used to apply for and pass government-backed cyber security schemes such as Cyber Essentials.
We offer a Cyber Risk Exposure Assessment. Our assessment is closely linked to an industry-standard framework and methodology and assesses risks across three fundamental categories: Basic Controls, Foundational Controls, and Organisational Controls.
Once completed, the assessment findings are compiled into an easy-to-read report detailing your business's strengths and weaknesses, along with remediation steps and strategies that could be implemented to improve defences.
How do you protect our network from unauthorised access and ensure that our data is encrypted during transmission?
Remember that security is an ongoing process in your business, and it's essential to regularly assess and update your security measures as new threats emerge. Engaging with your MSP and staying updated with industry best practices can also help enhance your ability to protect your networks.
An MSP can help protect your network by protecting against unauthorised access, ensuring data is encrypted during transmission, and fortifying the overall security posture of your business network.
An MSP can assist with the following key measures to protect a business network: Network Security, Encryption, Data Protection, Access Controls and Authentication.
MSPs should be working to ensure that firewalls, intrusion prevention systems (IPS), and network segmentation are implemented to establish substantial barriers against unauthorised access.
MSPs should ensure that data transmitted over your company network is encrypted using protocols such as Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL). They can set up virtual private networks (VPNs) to create secure connections between remote employees and the business network. Additionally, MSPs should ensure businesses have data backups and a disaster recovery plan to safeguard critical information.
MSPs should ensure that your business enforces robust authentication mechanisms, such as two-factor authentication (2FA), to prevent unauthorised access. They should also implement strict access controls, limiting user privileges and ensuring that only authorised personnel can access sensitive data and systems.
We can offer your business a Network Vulnerability Assessment, which can be remote or internal. A Remote Network Vulnerability Assessment reviews from the outside how your business is connected to the internet, as an attacker would see it. An Internal Network Vulnerability Assessment requires access to your internal network and systems, simulating someone who has already gained access to the internal network or is an insider threat.
Can you provide us with regular reports on how secure our business is online & how this can be improved over time? Do you monitor how many cyber incidents our business faces each month?
MSPs should provide your company with regular reporting on the security of your business; this could include changes in assets (laptops, computers, phones, servers, software, etc.), a history of updates to devices, a history of antivirus scans, and a history of network scans run to detect potential vulnerabilities.
These reports should ideally be produced every month; however, also consider asking your MSP to inform you any time a significant change happens. For example, if you received a regular report a week ago but your MSP has since had to push out an urgent security update to devices, ask them to send an additional report covering all related details.
Ideally, your MSP will be able to provide you with reports that cover the following:

- Keep tabs on all your unpatched or outdated machines
- Record the status of patches for known vulnerabilities
- Track missing patches
- Track systems that require a restart or reboot

Mobile Device Management (MDM) reports:
- Apps used on company-owned devices
- Denylisted apps (apps that your staff are banned from using on company devices) and the devices using them
- Jail-broken devices (devices where the operating system manufacturer's restrictions have been bypassed, commonly to add functionality that is not possible in the default configuration)
- Devices by model, with or without specific apps

- Computers and laptops tracked by operating system
- Computers and laptops tracked by manufacturer
- Computers and laptops with or without specific software
- Installed software tracked by vendor

Tracking user log-in and log-out times, which is used:
- for power management and reducing overhead expenses
- to detect, investigate and report suspicious account activity
- to decrease the cost of compliance
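As an added illustration (not code from the Cyber Resilience Centre or any MSP), the script below builds the patch, asset and MDM report fields listed above from a small constructed device inventory of the kind an MSP's management tooling might export; the field names, host names and patch identifiers are assumptions for illustration.

```python
from collections import Counter

# Constructed sample inventory (not real devices); field names are assumed.
INVENTORY = [
    {"host": "LT-001", "os": "Windows 11", "vendor": "Dell", "software": ["Office", "Chrome"],
     "missing_patches": [], "reboot_required": False, "jailbroken": False, "apps": []},
    {"host": "LT-002", "os": "Windows 10", "vendor": "HP", "software": ["Office"],
     "missing_patches": ["KB-EXAMPLE-1", "KB-EXAMPLE-2"], "reboot_required": True,
     "jailbroken": False, "apps": []},
    {"host": "PH-003", "os": "iOS 17", "vendor": "Apple", "software": [],
     "missing_patches": [], "reboot_required": False, "jailbroken": True, "apps": ["Banking"]},
    {"host": "PH-004", "os": "Android 14", "vendor": "Samsung", "software": [],
     "missing_patches": ["PATCH-EXAMPLE-3"], "reboot_required": False,
     "jailbroken": False, "apps": ["UnapprovedVPN", "Mail"]},
]


def patch_report(devices):
    """Unpatched machines, the patches each one is missing, and pending reboots."""
    missing = {d["host"]: d["missing_patches"] for d in devices if d["missing_patches"]}
    return {
        "unpatched": sorted(missing),
        "missing_patches": missing,
        "reboot_required": [d["host"] for d in devices if d["reboot_required"]],
    }


def asset_report(devices, software):
    """Counts by operating system and manufacturer, plus hosts with/without `software`."""
    return {
        "by_os": dict(Counter(d["os"] for d in devices)),
        "by_vendor": dict(Counter(d["vendor"] for d in devices)),
        "with_software": [d["host"] for d in devices if software in d["software"]],
        "without_software": [d["host"] for d in devices if software not in d["software"]],
    }


def mdm_report(devices, denylist):
    """Jail-broken devices and devices running denylisted apps (and which ones)."""
    deny = set(denylist)
    return {
        "jailbroken": [d["host"] for d in devices if d["jailbroken"]],
        "denylisted_apps": {d["host"]: sorted(deny & set(d["apps"]))
                            for d in devices if deny & set(d["apps"])},
    }


if __name__ == "__main__":
    print(patch_report(INVENTORY))
    print(asset_report(INVENTORY, "Office"))
    print(mdm_report(INVENTORY, ["UnapprovedVPN"]))
```

Run against a real export, the same three functions give you a concrete checklist to compare against the monthly report your MSP sends.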
How can you help with a cyber incident response plan for my business? How can we minimise any damage and recover from a cybersecurity incident?
A Cyber Incident Response Plan is a documented framework that outlines the steps an organisation should follow when responding to and managing a cyber incident or breach. It's a proactive way to handle cybersecurity incidents effectively and minimise their impact on your systems, data, and operations.
Some MSPs will have dedicated cybersecurity teams with extensive knowledge and experience in incident response. Leveraging this expertise can help you develop a comprehensive and effective Cyber Incident Response Plan. Many MSPs can also assist with simulated incident response scenarios to help you test and validate your incident plan. Testing your plan will help you identify areas for improvement, highlight gaps in any procedures, and ensure that your incident response team is prepared to handle real-world incidents effectively.
The Cyber Resilience Centre offers a free Cyber Incident Plan Template for all businesses; download it here. Our plan contains documents that help your company respond to a cyber incident. They have been designed to complement any existing plans or assist you in creating your first Cyber Incident Plan.
We hope you found these Six Cyber Security Questions you should ask your Managed Service Provider useful. Contact us today to discuss your cyber resilience or learn more about how our affordable memberships and security services can complement the great work that your Managed Service Provider is already doing.