If you have a cyber or a managed security provider, a general IT firm, or your brother in-law handling your cyber security you need to ask them some questions. Or maybe you don’t have one yet but are considering hiring someone. Regardless of where you are at today, as 2020 approaches you need to take a hard look at your positioning and who you are working with.

Believe it or not, just because a firm does IT work, cyber security work, or says that they provide security services does not officially verify them as secure. We have tested a lot of organizations and I can assure you that not everyone passes our tests!  For one example, it is a known statistic that 82% of IT people will fail a phishing test.

Regardless of who you work with, us or anyone else, I wanted to arm you with some necessary questions you need to ask anyone touching your network. Here are 10 great questions you should ask and some comments to think about.

1. When was your last security assessment from an outside firm? Can I get a copy of the executive summary?

Every organization needs an assessment from an outside firm. It is impossible to self-analyze accurately.

2. What type of multi-factor authentication do you use on your devices and line of business applications?

If they don’t use MFA your information is not secure.

3. How many people inside the organization have or will have access to my system? How do you encrypt my passwords? How do you control access to my information internally?

Unfortunately, not everyone is honest. Your security provider should limit access to your system, encrypt it, and revoke it if an employee leaves the company.

4. How often do you conduct Phishing Testing?

Spear-phishing tests are necessary at any organization and you want to make sure that your security provider is conducting proper and frequent tests. It could be your information they are after.

5. How often are your employees required to attend training?

Training by an outside company is especially important for technicians and testers to make sure they are up-to-date with the current trends. They also should also be attending regular conferences. We require all employees who are actively testing to do this.

6. Are all technicians and sales reps certified on the equipment they support or sell?

Regular training and testing is required by most partnerships. But, in most cases, not every employee is required to do this. You need to make sure that those on your system are qualified and not fumbling around.

7. Are all of your employees background checked?

Seems straight forward but not common in IT.

8. What are 5 trends that will affect technology in my specific industry in the next 2 years?

If they cannot answer this, then they should not be selling to you.

9. What is DPI?

Throw them with a specific question. Just so you know, Deep Packet Inspection, commonly referred to as DPI, is how you inspect SSL/HTTPS traffic. DPI is basically how you access anything secure on the internet. 80% of all traffic on the internet is sent securely, and by default your network is incapable of scanning this traffic. There are ways to scan for this threat and people who know security can easily accomplish this. If you are not scanning this traffic you are missing any array of risks. Furthermore, if your provider does not know how to do this or what it is, don’t work with them.

10. Can I meet or have a call with someone from your executive team?

If you get a no, walk away. If you get a yes, ask them all of these questions again to make sure you get the same answers. Many top employees are exempted from security requirements putting you at great risk. You also want to make sure you have a relationship with someone who is responsible for the business success.