How can an SME be sure that an IT supplier is ‘secure’? This is a question that many SMEs should be asking, especially if the supplier has no kitemark or similar accreditation.
There is no magic formula for SMEs to ensure that their IT suppliers are secure, but there are some golden rules which, if followed, should see SMEs on pretty safe ground. These are my top six tips:
1. Know your service provider
This applies to all SME service providers (whether that’s the cleaning contractor you use or the company that comes in to water the plants). However, since IT functionality is increasingly central to most SME businesses, knowing your IT service provider inside out is absolutely essential. All of the other protections you can get (like contractual protections) are nowhere near as important as this essential first step. In practice, it means doing your research. Who is the provider? What is their reputation and track record? What industry certifications do they have? Do they meet any industry standards (like ISO standards)? All of this information should be available online or on request from the service provider.
2. Ask a lot of questions
If you’ve got a shortlist of providers, you need to be ready to ask them a lot of questions about cybersecurity. The kinds of things I would usually ask are:
• Where is the service provider based and where will they be storing data? If it’s outside of the EU, then you need to ask them what measures they have in place to comply with data protection laws. The problem with the Cloud is that often you won’t know where your data is going, but a good service provider will be able to tell you.
• How do they make sure data is kept secure? This is a real risk factor for SMEs. Ideally the service provider will be able to confirm what industry standards they meet (for example, ISO standards). Most SMEs won’t have the budget or inclination to audit the service provider’s standards but most good service providers are independently audited, and they should be able to share with you the results of those audits.
• What is their track record? Can they provide any evidence to back up their sales and marketing claims? Are they happy for you to contact any of their existing clients?
• Ask to see a copy of their Business Continuity Plan. This will explain what will happen if there is a serious IT issue. If they don’t have one, that would be a serious concern.
• How will they keep you informed when things go wrong? Ideally you would get regular reports from the service provider as to current status. Of course, if anything goes wrong, you want to be the first to know.
Don’t be afraid to ask questions. It’s the job of the service provider to have the answers. If they can’t answer these questions, you probably need to look somewhere else.
3. Pick a provider with a good customer service function
With any service, there’s a good chance that things will go wrong at some point. It’s how problems are dealt with that separates a good provider from an average one. Ideally, you would have some kind of 24/7 dedicated support number with a real person on the other end of the line. If your business is 24/7, then it’s no use if the help desk goes home at 5pm on Friday evening.
4. Get the right contract in place
A key way to control your risk is to have a good contract in place. If the worst happens, you will be able to fall back on the contract for some protection. If you have the budget, get a law firm to support you on this. Otherwise, a good tip is to look at the service provider’s marketing materials and ask them to point you to the relevant sections of their terms and conditions that cover their marketing claims. If they’re not willing to stand behind the claims contractually, what they do offer may well be a lot of hot air.
5. Be particularly careful if you’re operating in a regulated sector
SMEs in regulated sectors (banking, insurance, law, etc.) need to be especially careful because they are subject to a whole extra level of obligations. In other words, if a company in one of these sectors suffers a cybersecurity issue, the implications are potentially even more serious because their regulator will come down on them like a ton of hot bricks. Speak to your regulator (e.g. ask the Law Society if you are a small law firm or ICAEW/ACCA if you are an accounting firm) and see if they have any tips or guidance.
6. Plan for exit
Breaking up is hard to do. A mistake that happens time and time again is that SMEs start using a supplier and become increasingly dependent on them over time, to the extent that the possibility of ending the relationship is unthinkable. The supplier becomes entrenched, and that’s dangerous territory because it can lead to complacency, slipping standards and, ultimately, you paying more than the standard market price.
Believe it or not, the best time to plan for exit is right at the start of the arrangement. Don’t be shy about asking the supplier how they assist companies at the end of the relationship. For example, ask them how they would transfer all of the data back to the SME (or to the SME’s new provider). You want to be sure that they won’t just switch the service off and disappear.
See my other blog posts on this subject:
- 10 January 2014: Cybersecurity Essentials for Small Businesses
- 8 January 2014: It’s time for professional firms to step up and tackle “the cybersecurity problem”