Society has changed in the last year, and the same goes for the way we work. This leads to new security challenges, or as hackers say, new opportunities. Even without this change, we know that security threats can be complicated. They are dynamic, and they demand that the defensive line be alert at all times.
More and more companies are realizing that this is difficult, if not impossible, for the internal IT department. Therefore, they purchase security services from manufacturers or local IT vendors who sell them as a service. But have you remembered to check whether the supplier itself has its security in order? Or do you take it for granted that security capabilities and processes are in place?
In the public sector and larger private companies, we see that it has become more common to ask whether the supplier has a management system for information security, whether they are ISO 27001 certified, whether they have routines for incident handling, and so on. But is this done to the same extent in smaller companies? Probably not.
A good place to start is at the Norwegian National Security Authority (NSM), or your country’s security authority. In their “Basic Principles for ICT Security”, they have compiled a list of ten basic controls that should be examined. You should carry out these checks regardless of what service the provider offers. Does your vendor:
The challenge for customers is to evaluate the answers, as this requires expertise. But everyone can evaluate the way the supplier responds. A quick and clear answer to all questions indicates that the supplier has things in order, while evasive answers indicate the opposite. This is of course far too simple and only gives an indication. I therefore recommend getting a knowledgeable resource to evaluate the answers from the suppliers.
In addition to these requirements, it is of course also important to consider which type of supplier is right for your company. We recommend that you choose a supplier that matches the size of your business. This makes you important to your supplier and can lead to you being able to influence changes that make the service better suited for your company.
If your company is in the SMB segment, it is not certain that the largest security provider on the market has the opportunity or willingness to make such changes. Also, find out what is important to your potential supplier: can you be a reference, talk in a webinar, or the like? These are activities that can be important for a supplier.
Finally: if you are about to choose a security service, ask for a pilot or proof of concept! That way, you will find out whether the supplier is right for you and whether the service delivers the value you envisioned.
For more information, contact us!