Talking With Your IT Managed Service Provider About Security

Our organization works primarily with nonprofits to help them improve their cyber security and resilience against cyber attacks. One of the trends we see is that our nonprofit partners often don’t have a clear idea of how their IT Managed Service Provider, or MSP, is working to protect them against threats. This puts nonprofits in an awkward spot and leaves many with questions like:

  • How do I know if the MSP is doing the right things to keep my org safe?

  • What MSP and internal stakeholders are responsible for ensuring the security of my organization?

  • How can I be sure I’m doing everything I can to protect my organization, staff, donors, and beneficiaries?

To help you kick off a conversation with your MSP about how they are (or are not) protecting your organization, we’ve put together a list of questions you should bring to your next meeting with your MSP. Use these questions to help understand how they are implementing security best practices, where there’s opportunities to improve security, and to make sure you’re comfortable with their security practices.

Like any good interview or vendor evaluation - ask follow-up questions so you understand their responses and their context. In an ideal world, the MSP has solid feedback for each of these questions along with policies and documentation to back up their claims. Don’t be afraid to ask for more information, clarification, or documentation if they don’t seem like they have solid answers for you. Please keep in mind that this list of questions could be much longer than it is - I’m intentionally trying to keep things focused so that you can use this as a starting point in your conversations about security with your MSP.

If you don’t yet have an IT MSP but are considering bringing one on to support your organization, consider adding these questions to your interviews to form an evaluation rubric.

  • How often is my organization’s critical data backed up?

  • Note: before you ask this question, you should define what your critical data is and where it is stored (e.g. SharePoint, Google Drive, Salesforce, QuickBooks, etc). Use this information to help guide your discussion for this question.

  • How is the data backed up? To a third-party service? On a physical drive? Are the backups encrypted?

  • In the event of an emergency, what are the procedures for restoring data? How long is this expected to take?

  • What is your vulnerability patching process? What are the timelines for patching critical vulnerabilities?

  • Do you perform vulnerability scanning or penetration testing on our IT environment? How often?

  • How are my organization's devices protected against malware?

  • What protections are in place to protect against phishing?

  • How are you monitoring for security-related alerts?

  • What is your organization’s incident response and management process? Can you share your documented policies and processes with me?

  • What measures have been taken to secure my software?

  • This includes the Software as a Service (SaaS) software your org is using but also the software installed on your devices.

  • Does your company have any dedicated security staff that focus on security? If not, do you work with or partner with an organization focused on security? If so, who and how do they support your MSP?

  • Does your staff undergo regular training that’s focused on security?

  • What responsibilities do our two organizations have with regards to keeping my org safe? Which responsibilities are yours, which are ours, and which do we share?

  • Does your company have any information security certifications like ISO 27001 or SOC2?

  • What are things that we can do to improve the security of our organization?

Questions? Get in touch with us here.