It's becoming more common for organizations to outsource their IT and security functions to third-party companies. In this article, we'll discuss some of the considerations you want to keep in mind when outsourcing.
Businesses should spend their energy focusing on their specific lines of business. For most companies, IT is an enabler, not the product. Given this, it makes sense that outsourcing complex IT decisions to the experts can be very advantageous for businesses.
One of the best examples of outsourcing is the use of a third-party mail service like Microsoft Office 365 or Google Suite. They are the mail experts and provide a quality of service beyond what most businesses can provide and at a fraction of the price. Similar comparisons can be made with website hosting, CRM platforms, and so on. Outsource the functions you don't absolutely need to keep in-house.
Another very common example is outsourcing the day-to-day computer operations in an organization to an IT managed service provider (MSP). MSPs often manage networks, fix broken computers, and handle similar helpdesk-style tasks. For smaller companies, outsourcing to MSPs can be a highly effective strategy and a big cost-saver over hiring a full-time IT employee. However, there are very specific risks with MSPs we'll discuss next.
The security and stability of the data and services an organization chooses to outsource are still its own responsibility. It is not a safe assumption that the third party being used is an expert in their particular service offering. In other words, you need to ask the hard security questions before outsourcing!
In the case of a software service, like email or web hosting, look for specific certifications such as a SOC-II. If you're in a regulated industry such as the medical industry, you'll want to look for specific audits that were performed to ensure that the third party does not become your weak point in security or compliance.
In the case of an MSP, you'll want to ask similar questions. However, it's extremely important to understand that you are metaphorically handing the keys over to your MSP - they will have access to everything. Importantly, this means that if they are compromised, you will likely be compromised as well; this is a very real case that Coalition deals with often. MSPs are being targeted by criminal groups due to their access to a large number of clients. This is something to be very aware of.
We recommend outsourcing the tasks that you are not experts at - or those that you don't want to maintain. However, it's important to remember that third parties are not all equal in capabilities or experience, and it's still up to you to determine if they are secure and stable enough to hold your data.
To help our insureds know what questions to ask, we developed a third-party risk assessment questionnaire that you can send to your provider before considering their services. This is free for all our insureds - contact us for a copy of the document!
As always, please reach out for more information on this topic or any other!