For small and medium-sized enterprises (SMEs), digitalization opens up numerous opportunities but also brings new risks. One particularly important aspect is IT system security. Few SMEs in Switzerland operate their IT themselves, relying instead on external service suppliers. But how secure are your data and systems really? And how can you as a managing director ensure that you and your company are well protected – even if you are not a technology expert yourself?
The following five questions will help you to talk to your IT service supplier and set the right course for your company's security.
Who is responsible for technical IT security – and for which areas?
It is important to clarify who exactly takes care of which parts of your IT security. Many service suppliers take over the basic infrastructure, such as networks, servers and computer operating systems. Applications that you install yourself, however, such as accounting software or in-house developments, and the data stored in them often remain your responsibility. That is why you should ask precisely which areas the external service supplier covers and which areas they don't. Also clarify whether all the necessary security services, such as backups or access management, are included in the basic offer or whether you need to contract out and pay for additional services. Have the supplier explain to you whether your current protection is sufficient for your company or whether additional protective measures are recommended.
Example: firewalls at the company boundary
Firewalls protect your company network by blocking unauthorized access and known attack traffic. Nevertheless, vulnerabilities in firewall software are discovered time and again, and because the firewall sits directly on the Internet, such a flaw exposes the very device that is supposed to protect you. Fast action is required: once a vulnerability becomes known, the manufacturer must publish a fix, and your IT service supplier must install it promptly. Ask who is responsible for this patching and within what time frame it is guaranteed.
Firewalls also log attempted attacks and can trigger alarms. But who monitors these logs and responds to warnings? How quick is the reaction time? Clarify whether your IT service supplier will also take care of this or whether someone else needs to do this job for you.
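To make concrete what "monitoring the logs" means in practice, here is a small added example (not code from the original article, Compass Security or Zurich). It reads constructed firewall log lines in an assumed, generic format (real products log differently) and raises an alert when one source address is denied on several different ports within a short window, which is the typical signature of someone probing your perimeter. Whoever is contractually responsible for monitoring must at least run checks like this and act on the result.

```python
"""Minimal firewall-log monitor: flags a source address that is denied on
many distinct ports within a short window (port-scan style probing).

Added example; log format and thresholds are assumptions, not a product's.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, generic line format: "<timestamp> ALLOW|DENY src= dst= dport="
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample log: one fast prober (203.0.113.7), one host that only
# retries a single port, and one very slow prober that stays below the window.
SAMPLE_LOG = """\
2024-05-02 10:00:01 ALLOW src=192.0.2.10 dst=203.0.113.50 dport=443
2024-05-02 10:00:05 DENY src=203.0.113.7 dst=192.0.2.1 dport=22
2024-05-02 10:00:06 DENY src=203.0.113.7 dst=192.0.2.1 dport=23
2024-05-02 10:00:07 DENY src=198.51.100.4 dst=192.0.2.1 dport=3389
2024-05-02 10:00:08 DENY src=203.0.113.7 dst=192.0.2.1 dport=445
2024-05-02 10:00:09 DENY src=203.0.113.7 dst=192.0.2.1 dport=3389
2024-05-02 10:00:12 DENY src=203.0.113.7 dst=192.0.2.1 dport=8080
2024-05-02 10:01:00 DENY src=198.51.100.4 dst=192.0.2.1 dport=3389
2024-05-02 10:02:00 DENY src=192.0.2.9 dst=192.0.2.1 dport=1
2024-05-02 10:04:00 DENY src=192.0.2.9 dst=192.0.2.1 dport=2
2024-05-02 10:06:00 DENY src=192.0.2.9 dst=192.0.2.1 dport=3
2024-05-02 10:08:00 DENY src=192.0.2.9 dst=192.0.2.1 dport=4
2024-05-02 10:10:00 DENY src=192.0.2.9 dst=192.0.2.1 dport=5
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["dport"] = int(ev["dport"])
    return ev


def find_scanners(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {src: time of first alert} for every source that is DENIED on
    at least `threshold` distinct destination ports within `window`.

    A per-source sliding window of (timestamp, port) is kept, so a slow
    prober spreading its attempts over minutes does not trigger the rule.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, dport), oldest first
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "DENY":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        # drop events that have fallen out of the window
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for src, when in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {when}: {src} denied on {5}+ distinct ports within 60s")
```

In the sample data only 203.0.113.7 is reported; the host that keeps retrying one port and the slow prober are not, which is exactly the kind of tuning decision (thresholds, windows, who is paged and how fast) that has to be assigned to someone.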
How secure are your backups?
Backups are like life insurance for your data. They should be created regularly and reliably, and not just on individual computers but for all important devices and data areas. Have the service supplier explain to you how often backups are carried out, whether all relevant devices are covered, how quickly everything can be restored in an emergency, and when a full restore was last actually tested; a backup that has never been restored is only an assumption. Also ask how the backups themselves are protected so that they cannot be deleted or encrypted in the event of an attack, for example by keeping them under separate credentials that the everyday administrator accounts do not hold. Backups that are stored outside the company network, or are even completely disconnected from it, are particularly secure.
How are the customer networks separated from each other and from the supplier?
A common mistake is a lack of separation between customer networks. If your service supplier serves several customers, these environments should be shielded from each other, so that an attack on one customer cannot spread to other companies. The service supplier's own network, including the systems it uses to administer your environment, should likewise be strictly separated from the networks of its customers. Ask specifically how this separation is implemented. Only then can you be confident that an attack on the service supplier will not automatically affect your company.
How is remote access to your systems secured?
Remote access to your company network or your data is practical, but it is also a popular target for attackers. One particularly effective form of protection is multifactor authentication, which means that no one can access your systems from the Internet with a password alone: an additional step, for example a code on a cell phone or a confirmation in an authenticator app, is always required. Ask your service supplier whether and how this additional protection is implemented, both for your own staff and for the supplier's administrators who access your systems remotely. Also clarify whether every employee who accesses your network remotely is required to use it, with no exceptions for convenience.
How does your service supplier recognize and react to attacks?
Even with the best precautions, an attack can still succeed. Then the crucial factor is how quickly the attack is detected and dealt with. Ask your service supplier whether your systems are monitored so that suspicious activities are detected at an early stage. Clarify whether there is a dedicated team that can intervene quickly in an emergency, ideally around the clock. Find out whether there is an emergency plan and whether it has already been tested. And can your service supplier help you to restore your systems quickly in the event of an attack, or do you need an external partner for this?
These are the five most important questions to ensure that your company is well protected. However, there are many other security aspects that have not been covered in detail here. They are comprehensively documented in recognized standards, for example in the Swiss ICT minimum standard of the Federal Office for Cybersecurity or in the IT baseline protection (IT-Grundschutz) of the Federal Office for Information Security (BSI) in Germany. It is generally advisable for your IT service supplier to regularly undergo external audits and to hold a recognized security certification. This provides independent evidence that the basic protective measures are actually implemented, although a certificate only covers the scope and the point in time it was issued for, so ask to see which services and systems it applies to. Examples of such cyber certifications include the Swiss CyberSeal and international standards such as ISO 27001 or the SOC 2 security framework.
Conclusion
Even if IT security appears complex at first glance, the right questions will help you get to the heart of it. You don't have to be a technology expert to protect your company effectively. Talk to your IT service supplier, have everything explained to you clearly, and insist on transparent agreements. That is how you lay the groundwork for a secure, successful future at your company.
Transparency, cooperation and the will to improve are the basis for effective cybersecurity – and we are happy to help.
Cyrill Brunschwiler, Compass Security
Would you like better protection for your company against cyber risks?
These questions are an important step for assessing and actively improving your own level of security. But every company is unique – and the right solutions should be customized to your individual needs. Discover how Zurich can help give comprehensive protection to your company with customized cyber solutions so that you can concentrate on your core business.