10 Cloud security questions to ask your MSP

cloud security questions to ask your MSP

Cloud adoption rates are reaching all-time highs in Australia, and there are obvious reasons why. The cloud offers enterprise-grade, on-demand IT resources at prices small businesses can afford. It also gives users the freedom to work anytime, anywhere with an internet-enabled device. Yet despite these benefits, the decision to move to the cloud shouldn’t be rushed. 

Organisations must carefully consider cybersecurity before moving to the cloud. When you move your apps and data to the cloud, managed IT services providers (MSPs) host them in off-site data centres and look after them. However, MSPs are not created equal. Some may offer top-shelf cybersecurity, while others may not measure up to your requirements. To discern whether a potential MSP can ensure your business’s safety in the cloud, ask them these questions: 

1. Do you follow security best practices?

MSPs must demonstrate their ability to secure your cloud environment. A good way to measure this is if the MSP follows the Australian Cyber Security Centre’s (ACSC) Essential Eight mitigation strategies. This means they should have: 

  • Application whitelisting to control which programs are allowed to run on their network
  • Proactive patch management services that fix vulnerabilities in software apps
  • Regular server operating system updates to defend against the latest threats 
  • Access restrictions designed to prevent unauthorised access to data
  • Application hardening to defend against software tampering, reverse-engineering, and other hijacking attempts by cybercriminals 
  • Policies for blocking untrusted Microsoft Office-based macros that could potentially be carrying malicious programs
  • Multifactor authentication bolsters account security by adding temporary SMS codes or biometrics (e.g., fingerprint scanning) on top of password verification
  • Daily backups stored in multiple locations to ensure data redundancy and availability

2. Are you constantly monitoring for threats?

In addition to the Essential Eight, your MSP must have systems in place for detecting and preventing a wide range of cyberthreats. For starters, your provider must offer proactive monitoring services to prevent major cybersecurity incidents. You’ll also want to partner with an MSP that uses:

  • High-grade firewalls – keeps network intrusions and harmful programs at bay
  • Anti-malware – scans machines for malicious programs and removes them
  • Advanced threat prevention detects and responds to sophisticated attacks designed to circumvent traditional security systems 
  • Physical security and surveillance ensure that only authorised personnel are allowed to access cloud facilities 

3. What are your cloud security certifications?

When looking for an MSP, make sure they’re certified by the Australian Signals Directorate (ASD). This certification demonstrates that the MSP implements effective risk mitigation and end-to-end encryption systems to protect your data in the cloud.

4. How often do you conduct security assessments?

Vulnerability scans and penetration tests evaluate the effectiveness of security protocols against the latest threats. Find an MSP that performs these assessments quarterly and after any significant change to their network. Then, ask to see the reports to find out if their security is up to snuff. 

5. What is our role in cloud security?

Although MSPs manage the safety of your data in the cloud, your company also shares some responsibility. That’s why it’s important to sit down with an MSP and determine which party is in charge of certain security tasks. Generally, you’re expected to mitigate insider threats caused by weak passwords and access restrictions. MSPs will usually handle incident response and other technical tasks, and inform you if you need to do anything on your end.

6. Who has access to our data in the cloud?

Clarify your provider’s policies on data access. Cloud agreements should state that MSPs can only view data solely for the purposes of performing their services. It must also indicate the support engineers who are authorised to watch over your data.

If you’re opting for public cloud services, ask your provider how they keep your data separate from their other clients. Do they partition their servers to isolate your data? Are they using advanced encryption protocols to prevent data leakage? If the MSP answers yes to both, consider shortlisting them.

7. How prepared are you to address cybersecurity incidents?

Even the most secure systems can be breached, but a leading provider is prepared for such incidents. They have tools for detecting intrusions, policies for containing the breach, and multi-site data backups to recover from the attack. What’s more, they’ll promptly notify you of the breach and plan steps you should take to secure your data. If they don’t include these in their services, it may make more sense to look for alternatives.

8. What happens if you fail to uphold security obligations?

If the provider doesn’t meet your cloud security expectations, they should outline any remediation your company will receive. This could be in the form of financial penalties or service credits. Trustworthy providers will even include a transition clause and instructions in their contracts in case you’re not satisfied with their service. Meanwhile, providers who try to lock you into their services and make it impossible to back out of a partnership should be avoided. 

9. Have you served companies in my industry sector?

Ideally, you’ll want to work with an MSP that has years of experience working with companies that are in the same line of business as you. Specialised providers are more familiar with industry best practices and requirements, so they’re in a better position to serve your company. Ask for the provider’s client portfolio and case studies to see if they’re compatible with your organisation.   

10. What can you do for my business?

You should steer clear of providers that offer canned responses and one-size-fits-all security solutions. A unique provider learns your problems and customises their solutions to fit your needs and budget. They provide friendly and attentive customer support, and even have an archive of testimonials and reviews to back it up.

If you’re looking for a leading MSP in Australia, consider Empower IT Solutions. We utilise cutting-edge cloud security solutions to keep your most sensitive assets safe. Give us a call and ask us these questions to see if we’re the right fit for your company!