
Security Think Tank: Risk tolerance key to security outsourcing policy

What critical security controls can be outsourced, and how do organisations – SMEs in particular – maintain confidence that they are being managed effectively and appropriately?

Many small and medium-sized enterprises (SMEs) attempt to close the breaches in their defences in a cost-effective way by bringing in managed service providers (MSPs). Yet the irony is that outsourcing critical security controls in order to deal with the proliferation of threats can further increase the potential array of attack vectors that hackers can exploit.

So what steps can SMEs take to maintain confidence that MSPs are managing their cyber security effectively and appropriately? And, crucially, what security controls should be outsourced and which controls should be kept in-house?

Organisations first need to assess their “risk tolerance” level. If their risk tolerance is low, almost anything can be outsourced, from security scanning to compliance reports.

However, an SME supplying the Ministry of Defence (MoD) might have a far lower risk tolerance and should only use a government-approved MSP. If a company has suppliers, customers or partners in the national security realm, it may also be advisable to avoid working with cyber security firms based in hostile states. 

Critically, companies should audit all their internal data and systems to identify the “risk profile” of each system and the particular sensitivities of each type of data. This will help decide what can be outsourced and to whom.

For example, any vital financial or intellectual property data should never be handed to a company that has a poor security record, or under a contract without a strong service level agreement (SLA).

Security controls for any systems, servers, networks or data covered by laws such as the public sector information directive should only be outsourced to companies that specify they are compliant in their contracts.

All financial transactions data should be handled in-house, where possible. Then there are obviously considerations such as whether your security MSP houses its data in Europe, where it will be subject to the EU General Data Protection Regulation (GDPR).

How to audit your MSP

When outsourcing security controls, it is vital to analyse the security posture of the MSP. The smallest things can reveal their standard of security, such as whether they even use a company email or a personal email when contacting you about their services.

It’s important to ask for independent references or scan the media to check if the company has been breached. It’s also important to ascertain whether they comply with any data protection, cyber security or any other regulations relevant to your business.

Check the small print

Just as some apps collect vast amounts of personal data without our consent to personalise ads and services, your MSP might be collecting vast amounts of data without your knowledge or consent in order to do its job.

I worked with a company that outsourced its database security and administration to an MSP. They were completely unaware of the latent security vulnerabilities hidden in the contract until they discovered that the MSP was making digital copies of all six of their databases.

This was ostensibly so that it could mirror the business’s configuration on its own systems to “trial” new updates before implementing them on the real databases. However, it also meant all the information in those databases was now in the hands of a third party.

The key is to always check the small print in the contract to ensure the MSP is prohibited from accessing any sensitive data or systems in the performance of its duties.
