If you want to outsource some of your IT needs to an external provider, you'll need to consider a number of different things, including security. You need to think about:
- cost — value for money, and how much your budget allows
- location — whether you want a provider who's local to you, or don't mind if they're based overseas
- legal and contracts — for example, what kind of contract would be in place between you and your preferred provider?
- security — if the provider can meet the expectations in your cyber security policy, or at a minimum, help you meet basic security controls.
- scope – what and how much you need them to do.
As the business's owner or operator, you'll need to weigh each of these considerations up against your IT requirements. Regardless of what you decide, here's what to think about from a security point of view.
Understand your risks
When you outsource your cyber security responsibilities to an IT service provider, you're also outsourcing your security risks. That means you need to know:
- what your risks are
- which risks you can manage yourself, if any
- which risks you'd rather outsource to your provider.
As an example, you may decide you want your provider to help you manage your web server. Keeping the server and other software on it updated is an important security responsibility — you'd need to make sure they install any updates for it as soon as possible. That means asking:
- if that's a service they generally provide
- how they'd keep track and understand what type of servers and software you use
- how they know when an update is available
- how soon they could install updates for you (from the moment they're released).
Don't make assumptions about what a provider will do. Talk to them to find out what services they provide, and how they provide them, before you commit to hiring them. You need to be able to hold them accountable if something goes wrong.
If you don't know what your risks are, consider doing a cyber security risk assessment for your business before you hire a provider. It will help you understand both the risks your business faces, and the systems and data it's important to secure.
As a business, you'll have defined rules for how your staff work, and what they can and can't do. When you hire an IT service provider, define rules for them too. Ideally, they should follow the same rules that you've set out for your staff — like those in your security policy or your password policy.
For example, set a rule that your staff and your IT service provider can only access your business network:
- with a strong and unique password
- using two-factor authentication (2FA).
Example: Your security policy may say that users can only access your network remotely through secure methods, like a virtual private network (VPN) with 2FA. But, your provider may want to use remote desktop protocol (RDP) instead. If so, make sure 2FA is required to log in using RDP as well.
In some cases, your provider may need to send data out of your network and into theirs — if they need to store copies of your business's backups, for example. Ask them to confirm how they will protect your business's data when it leaves your network. This means both the physical security of their devices (like laptops) and the data's security. They shouldn't send data to their network and then leave it exposed to attack.
Be clear with your provider about the scope of the services you want them to provide. Think about your data and systems you have, and the tasks you need to carry out to make sure they're secure. Which tasks can you manage internally, and which ones would you rather outsource to your provider?
The 'Top 11 cyber security tips for your business' page will help you work through these questions. It describes the most important things a business can do to prevent an online attack — talk to your provider about each one, and decide who will be responsible for each point. For example, you could ask them about:
- installing software updates — who will be responsible for applying updates across all the devices and software your business uses? If it's your service provider, how will they find out when updates are available, and how soon will they install them?
- backing up your data — who will be responsible for performing backups of data? If it's your provider, how often will they do them and where will they store the offline copies?
- setting up logs — who will be responsible for setting up logging on your important systems? If your provider does it for you, what will they review the logs for, and what will they do if they find something in them? Where will they store the log files?
- creating a plan for when things go wrong — will your provider help when there's a cyber security incident? If so, how will you notify them about it, and what will they help you do?