Understand your risks
When you outsource your cyber security responsibilities to an IT service provider, you’re also outsourcing your security risks. That means you need to know:
- what your risks are
- which risks you can manage yourself, if any
- which risks you’d rather outsource to your provider.
As an example, you may decide you want your provider to help you manage your web server. Keeping the server and other software on it updated is an important security responsibility — you’d need to make sure they install any updates for it as soon as possible. That means asking:
- if that’s a service they generally provide
- how they’d keep track of, and understand, what types of servers and software you use
- how they know when an update is available
- how soon they could install updates for you (from the moment they’re released).
Don’t make assumptions about what a provider will do. Talk to them to find out what services they provide, and how they provide them, before you commit to hiring them. You need to be able to hold them accountable if something goes wrong.