SMB Best Practices: Questions to Ask Before Contracting With a Security Services Provider

Getting ready to procure managed services to help support or augment your security team? You’re not alone: 62% of organizations said they plan to outsource some or all of their IT security functions in 2022, according to the Foundry 2021 Security Priorities Study.

Before going down that route, it’s wise to gather your requirements and think about the services you want from a managed security services provider (MSSP).

There are a several basic considerations when choosing your service provider, including: the MSSP’s experience, the types of support and services they offer, and how their service level agreements are structured. You’ll also want to know the MSSP’s specific domains of expertise and how they correlate with your needs.

In addition, small and midsize businesses (SMBs) in particular should pay attention to several factors when evaluating their potential partner. When you’ve got a small IT staff, you’ll need to trust the MSSP is adequately able to address:

• Business continuity: How well does the service provider protect you from different types of business interruptions? Servers, software, and cloud services are subject to outages, and humans make mistakes. Ask the MSSP if they have a disaster recovery site and a strategy for failures in their infrastructure or human errors. Also find out if they have insurance to cover potential liabilities.

• Self-protection: Third-party and vendor security is critical, especially in light of cyberattacks that affect an entire supply chain. How the MSSP protect itself and your data from being compromised, stolen or encrypted? Which best practices or solutions do they employ to protect their own infrastructure? Do they have storage-side and in-transfer data encryption mechanisms? How do they handle access control and multi-factor authentication?

• Data accessibility: You must be able to get your data quickly when you need it. Find out how access to your data is regulated and what level of control you will have over your data? Also ask if there are self-service capabilities that give you greater and faster control.

The steps SMBs must take to prepare internally

Data is the lifeblood of your organization, so in addition to accessibly, ensure you — and your MSSP — sufficiently plan for data protection.

“We recommend five vectors around data protection,” said Alex Ruslyakov, channel chief at Acronis. “The first is that organizations should always keep a copy of their data for recovery in case of a security incident.”

The other four:

• Data accessibility anywhere, anytime
• Data control with visibility into its location and use
• Data authenticity: proof that a copy is an exact replica of the original
• Multiple layers of security for air-tight data protection against bad actors

Although no vendor or service provider can claim 100% protection from cyberattacks, the right MSSP has a plan for when an incident does occur, Ruslyakov said. Ask about their recovery strategy and how they ensure that the data being recovered was not compromised/infected.

Finally, it’s important to have visibility into exactly what you’re paying for. What level of detail can you expect in your invoice? Can the MSSP validate usage for which you’re being charged?

A service provider’s proven track record and use of best-in-class technology goes a long way toward establishing confidence that the MSSP can fill your security needs. However, SMBs should also dig into the details to ensure their data and business are protected.

From applications to infrastructure, click here to see how Acronis can help your organization fill security gaps and protect your business.