Almost every activity of an MSP is under scrutiny these days, with clients and the news media clinging to every sign of a potential problem and putting emphasis on even the smallest accident or simple error. While bad business practices and poor ethical decisions do occur, the typical solution provider is apt to be honorable and focused intently on doing everything possible to protect clients and their data. The same goes for the vendors and outsource partners, but that doesn’t mean MSPs shouldn’t do their homework to ensure their business and customers are protected. That’s not just a best customer practice, but the responsibility of every organization.
That’s why MSPs have to ensure the companies they partner with perform the same due diligence when it comes to securing client information and other sensitive data. Preventing a breach isn’t easy, with a thriving community of skilled hackers, spyware developers, and other criminal elements hoping to steal banking and credit card numbers, as well as other personal details. That doesn’t mean you shouldn’t make every effort to secure your clients’ information, and select outsource partners only after completing a thorough review of their security procedures and related qualifications, such as certifications and other standards.
MSPs must ensure proper measures are put in place for their contractors, including help desk services that manage any part of your business’ or clients’ data. Attempt to identify potential breach issues from all outsource partners and include specific measures to address them in your company’s security policies and actions. Implementing breach precautions is not a single step; it requires frequent review and revisions in order to keep up with the latest cyber criminal schemes, and the methods required to avert their success (and your pain).
The way to protect your data is to avoid or minimize the sensitive client data you provide to outsource partners. Without that information, there is little exposure if a breach occurs. Ensure your helpdesk partners keep only the data required to perform their duties, and no more. Resist the temptation to keep extra information that you believe could be mined for ‘marketing related’ activities, such as financial or employee details.
E-commerce is a frequent collection point for potentially sensitive data, and an area of expertise for MSPs or a dedicated partner that specializes in the management and security of financial transactions. Keeping that information secure on your end makes it better for all parties involved (including your clients).
Evaluate Your Helpdesk Security
MSPs who rely on outsource partners to deliver particular services must consider how those companies secure their own business networks and data, and its potential impact on partners and their clients. One of the first things to do when assessing the protections your help desk and other service suppliers have in place is to review their procedures and ask for a copy of their security policies.
One way to confirm that your outsourced partners are serious about security is to check whether their company follows the SAS 70 compliance standards. Created by the American Institute of Certified Public Accountants, this is a third-party validation of the internal controls service organizations put in place. Though not a “checklist” audit, it evaluates the written policies that document an MSP’s information security and other measures that protect their clients. These protections are clear differentiators for companies that provide help desk and other outsource services, clearly demonstrating their commitment to reduce the risk of a serious data breach. As mentioned earlier, you can’t eliminate all security threats, but contracting with a SAS 70 compliant provider will help reduce the possibility of your data being compromised.
Here are a few questions to ask potential Outsourced Live Help Desk Partners to evaluate their security:
- What information do they collect from an MSP and their clients?
- How is that data secured and where do they keep copies (backup included)?
- Do they complete background verification checks on all candidates?
- How do they screen contractors who could gain access to their networks and files?
- What is the frequency of security audits performed on their systems and does that include?
- Does the company meet SAS 70 service compliance?
Occasionally You Lose the Battle
As I mentioned previously, prevention is critical. But despite every measure put in place, cyber criminals continue to advance their skills and the attacks are becoming more creative. Don’t take this the wrong way, as no one wants to see a company have their client data compromised. But what happens when they overcome all the measures your outsource partners put in place to thwart security breaches?
While bad things do happen to good companies, even if they don’t intend to harm their partners, responsibility falls heavily on those who have not properly prepared. When it comes to information security, too little too late is not what your customers want to hear. Even if you discover how the situation happened and take immediate action to resolve the issue, if a help desk provider does not anticipate and prepare for potential problems, the company must accept the blame for not properly protecting its clients. That’s why it’s so important to compare the security measures employed by potential outsourcing partners before selecting the one that is right for your business.
Understanding that process is just as important as the preventive measures your business partners have in place. Solution providers need to know how and when their outsource partners will address a security breach, including the specific steps they will take if this situation does occur. For example, if your data is compromised, will you and your clients be contacted within 24 hours or less so proactive measures can be taken to minimize any damage? This is critical not only for their business reputation and client relationships, but for yours as well. Businesses are judged more often by how they respond to a problem than on the breach that took place.
Liability and information security are interconnected. Remember that your company may bear a degree of responsibility for any outsource partner breaches, especially if you haven’t done your due diligence to ensure their data protection procedures are satisfactory. But with a little research and continual security discussions, you can minimize that risk to you and your customers.