Five things to consider when working with a new IT supplier

Picking a new IT supplier is sometimes as easy as signing up online. But given the liability that comes with handling certain kinds of information, it makes sense to ask suppliers to prove they can adequately protect the information they will access, process, handle or store on your behalf.

Here are a few basic questions to ask new suppliers. It is also a good idea to ask these questions of your existing suppliers. If you don't like the answers, it may be time to look elsewhere.

  1. What information will they need access to in order to provide the service? Think of it like this: the more sensitive the information, the more thought should go into the security measures you and the supplier employ to protect it. A supplier who only needs to see your public website needs far less scrutiny than one who will hold your customer database.
  2. What controls are in place to ensure the security of the information they will access, process or store? Ask for evidence (a certification, an audit report or a written description of the controls) rather than accepting a yes/no answer.
  3. Is the supplier reliant on sub-contractors to deliver the service to you? If so, what contingency plans does the supplier have if a sub-contracted service is disrupted or no longer available, and do the same security requirements flow down to those sub-contractors?
  4. Do you have a named contact at the supplier for information security related issues, such as reporting a suspected breach?
  5. What screening requirements, if any, does the supplier have for personnel? You need to know that only properly vetted and qualified people are handling your information.

If you would like to learn more about a comprehensive information security program and discuss if your business should be looking beyond cyber security, feel free to reach out to us through one of the following methods:

Five things Cyber Security tools don’t do, and what you can do about it

As you may have noticed by now, we feel there needs to be a bigger conversation when it comes to securing your company's information. Cyber tools, when properly deployed, can help protect against certain technology-related risks, but they do not address the other areas where risks commonly arise: the day-to-day operations of a business. These areas are just as important to address as cyber security.

We have prepared the list below which we hope you find helpful:

For each item, the first line is what cyber tools will not do and the second is what to do about it.

  1. Cyber tools will not: determine whether your suppliers are creating additional risks.
     What to do about it: develop a method for assessing suppliers, both new and existing. If you don't get the answers you like, put pressure on them, or it may be time to change suppliers.
  2. Cyber tools will not: provide company-specific guidance on what staff can and cannot do with company-owned assets such as email, phones and laptops.
     What to do about it: have everyone sign an acceptable use policy which clearly states acceptable and unacceptable use of company assets, responsibilities in protecting information, the consequences of failing to do so, and who to contact if they have questions.
  3. Cyber tools will not: teach your staff about the risks that they can help control.
     What to do about it: identify staff awareness training resources. A mixture of generic e-learning and company-specific quizzes, a couple of times per year, will help maintain awareness.
  4. Cyber tools will not: help your business recover from a disaster.
     What to do about it: if you have a business continuity plan, review it and update it as required. If you don't have a plan, you really should create one.
  5. Cyber tools will not: prepare your business to respond to an incident, such as ransomware.
     What to do about it: if you have an incident response procedure, review it and update it as needed. If you don't have one, start writing one.

Is your IT provider giving you the whole picture of information security?

If you outsource your IT support, do you know their overall approach to protecting your business’s information?

Most IT support businesses will deploy and manage a number of cyber security tools to address the most common risks they think a business might experience. Because we, in the IT service provider industry, consider ourselves experts in technology, the solutions our industry provides are typically focused on technology. We acquire cyber tools from a third party, install or deploy them, then manage them to make sure they continue to work as expected, stopping risks before they become an issue.

But this approach, while effective to a degree, fails to address the other two pillars of a comprehensive security program: people and processes. The risks in these two areas are just as important in an information security program. Some might even argue that the risks in these areas are more important, because they are present every day and are more visible in the organisation. Some examples are:

  • People:
    • Hiring
    • Staff awareness
    • Training
  • Process:
    • Risks in management systems
    • Governance of information security
    • IT practices (vendor selection, access controls, security testing).

What is the difference between cyber security and information security?

There is a lot in the press these days about cyber security, and for good reason: hacks and ransomware attacks occur on a daily basis. But by limiting the conversation to IT, some of the largest risks never get attention.

For starters, cyber security only addresses the security of IT: things like viruses, spam and access controls. There are huge numbers of cyber tools, with more being created every day, which is why you hear so much about it. Don't get me wrong, these can be important tools when used as part of a larger information security program, but there are some risks that cyber tools simply cannot address.

This is where information security comes into play. An information security program is about addressing ALL risks to ALL information, not just the technical ones. The objective is to protect the confidentiality, integrity and availability (the C.I.A. triad) of information, whether that information is on a server, on paper, or in someone's head.

Following are some common areas typically excluded from the purview of cyber security:

  • Physical environment where your information may exist:
    • Access to office space
    • Visible information on desks and screens
    • Information taken home or in transit (paper files, laptops, removable media)
  • Hiring practices (vetting and screening of staff)
  • Vendor assessments
  • Business continuity plans
  • Incident response procedures

Each of these areas presents real risks and, if not addressed, poses risks at least as great as those dealt with by cyber security tools.

Nine tips for an Incident Response Procedure

Many companies have a Business Continuity Plan, but what about an Incident Response Procedure? What happens if your business is hacked, hit by ransomware, or someone loses a phone? A well thought-out and well publicised procedure will clarify what to do when an incident occurs, lessen its impact, and help prevent future incidents.

  1. Create an Incident Response Team (IRT). The size of the team will depend on the size of your organisation, but it should at least include a senior member of management, your technical lead, and someone who deals with information security, if that role exists in your business. Record how to reach each member out of hours, since incidents rarely keep office hours.
  2. Determine which law enforcement or regulatory bodies might need to be informed, such as the police or the ICO (the UK Information Commissioner's Office), depending on the incident. Some regimes impose deadlines: under the UK GDPR a reportable personal data breach must be notified to the ICO within 72 hours of the organisation becoming aware of it, so the procedure should record when the incident was first detected.
  3. Determine the process for reporting an incident. What form should be completed? Who should it be sent to, or who should be emailed or phoned?
  4. Identify the type of breach. Common ones are:
    • Breach of physical security/unauthorised access to the building or office space
    • Loss or theft of property
    • Lost or incorrect data
    • Breach of information security
  5. Determine what information needs to be collected, such as the location, date and time, details of the incident, who was involved, and what actions have already been taken.
  6. In the event of an incident, collect and secure any relevant evidence before remediation begins. Wiping or reimaging an affected machine, or deleting suspicious emails, may destroy the logs and files needed to understand what happened and to support any report to regulators or the police.
  7. Discuss and document what measures can be put in place to avoid the incident re-occurring.
  8. Train staff on the different types of incidents, what to do if they are involved in an incident (or observe one), and where the Incident Response Procedure can be found. It is a good idea to keep a soft copy in a location that can be accessed from outside the office, as well as a hard copy in the office, because a ransomware incident may make the copy on your file server unreachable.
  9. Review the procedure at least annually, or whenever there is a significant change to the business. Update any information as necessary, then re-print and re-publish it.