Can You Trust Your IT Partner?

Two items made their way to me last week which made me wonder “who can be trusted”? The first was an article about Jack Texiera, the Air National Guardsman who’s been arrested for divulging military secrets on social media, and the second was a prospect who called us, looking for technology support.  At Ashton Solutions, we like to say that “technology is a black box”.  Everybody needs it but many people know little about it, other than the fact that they can’t do business without it. Unless you’re an expert, you need to find somebody who you can trust.  It’s no different than a doctor, an attorney, or even a mechanic.

A Matter of National Security

As the Wall Street Journal article stated, “It’s a challenging design problem- how to give enough access to fix all the computing systems without giving too much access to that can compromise secrets.”  Jack Texiera was given the access that, in theory, he needed to properly perform his job. We can also presume that Texiera went through numerous background checks before being given access to the wide variety of data that he then chose to leak to his gamer buddies. Unlike Edward Snowden, who thought he was trying to save the world, Texiera seemingly posted this data just to prove to his buddies how smart he was. Regardless, would all the background checks (and reviews of his social media) in the world have told the U.S. military that Texiera was a risk to national security?

A Partner to Count On

If you believe the data, 37% of small businesses outsource their IT services to somebody like Ashton Solutions. It may be because they don’t want to hire internal resources, or it may be because they don’t know anything about technology and don’t want to deal with it.  Whatever the case, though, I would imagine that all of those companies have done some sort of diligence and developed a level of trust with their chosen technology partner.  But have they really done any legwork to determine how trustworthy that new partner is?  Or what sort of measures they’ve put in place to protect their (the provider’s) and the clients’ data and networks?  All too often, the answer to that is ‘no’.

Picking a Technology Partner

So, back to that prospect (we’ll call them ‘Company X’) who called us, looking for a new provider.  Turns out that their existing managed services provider (we’ll refer to them as ‘MSP’) got hacked 10 days ago, with all data being encrypted.  While Company X is still able to run their business (most of their applications are cloud based), they have great concern over the data (client data including SSN, addresses, and financial records) held in MSP’s network.  MSP claims not to know whether there has been a data breach (they don’t have any reason to believe there was, but also don’t have any proof that there wasn’t), and don’t seem to have any of the data properly backed up and recoverable.  Additionally, MSP chose not to have a cyberliability policy in place because it cost too much.  Their hope is that they’ll be able to jointly file a claim (“ride the coattails”, so to speak) with a couple of their clients who do have the proper insurance in place.

Make Them Earn Your Trust

Company X has not divulged the name of MSP, but if I were a betting man, I’d say we will have one less competitor in the Cleveland managed services marketplace by the end of the year.  Even if no data was breached (that’s a big IF), there’s still the fact that MSP knowingly and willfully chose not to have proper measures in place in terms of cyber insurance and data backup solutions.  Those were important items even before Kaseya was hacked and MSPs became a huge target for hackers.  And now, they’re not even communicating with their clients to keep them up to date as to what’s going on.  Burying your head in the sand during a troubling time surely isn’t going to help matters.

And that takes us back to “who do you trust?”  As it is with cybersecurity, you can take every possible measure and still not be 100% safe. From background checks on your engineers and technicians to asking all the right questions of your provider, you still end up having to trust that your partner does the right thing. If you can’t access your data, you can’t do your job. Worse, if you experience a data breach and that data gets out into the world, you face huge repercussions.  As you choose a new technology partner, they’ll tell you how they’ll secure your network. But you should ask what steps they take to secure their network, as well.  Do they perform background checks on their staff?  Do they undergo outsourced penetration and vulnerability testing on a regular basis?  Do they have proper cyberliability insurance in place?  Is their (your) data properly backed up, secured, and recoverable?  If they can’t answer ‘yes’ to all of these questions, you need to consider finding a different provider- one you can actually trust.