For small businesses, outsourcing your IT can help to free up time, save money and put your data security in the hands of experts. But you also shouldn’t lose sight of one very important point – you are effectively renting space on someone else’s computer system. By giving your essential systems and data to an IT or cloud-service provider, you’re effectively entrusting your business to it – so it’s essential that the provider is worthy of that trust.

Here are some vital points you need to bear in mind.

You get what you pay for

I was brought in to help a small business that had suffered a data breach. It had outsourced its IT to a company because it offered what looked like a great deal, but the IT provider couldn’t help when its client needed it most. It wasn’t able to respond quickly to the attack, because it only had a couple of employees, none of whom were easily contactable out of office hours. Neither could it provide the detailed server-activity information we needed to help investigate and contain the attack. Worse, the IT provider didn’t even have control of its own email system – the hackers had infiltrated it and were using it to send malware long after the breach had been detected.

The moral of the story is, if you’re being offered a deal that looks too good to be true then it probably is.

You’re vulnerable – even if you’re not the target

If you use a third-party provider’s IT infrastructure, then a distributed denial-of-service (DDoS) attack on the website of another company sharing that same server could also take your company’s website down. Furthermore, hackers who have broken into one company’s systems on a shared server can roam around and break into those of other businesses almost at will unless there are strong defences between them.

So it’s important to find out from an IT outsourcer whether your data will be kept separate from, or together with, that of other businesses, and whether there are defences to isolate and protect different companies’ systems on the same server.

Make sure your outsourcer can fulfill its promises

The set of promises an IT outsourcer makes in its ‘service level agreement’, or SLA, is both the main selling point for clients and the fallback if something goes wrong. Clients take it as a given that the outsourcer will fulfil the commitments in its SLA, but we have sometimes found (as in the example above) that providers cannot always live up to their promises.

It’s important to find a credible provider that can deliver on its promises. If it says it will respond to a problem within 30 minutes, ask what out-of-hours service it provides – is it a helpdesk staffed 24/7, or just the mobile number of one of its employees to be called in an emergency?

You might think that money-back guarantees made by your outsourcer in the SLA mean that you won’t suffer financially if a problem occurs. But it’s your business that will suffer the disruption and potential long-term reputational damage if it grinds to a halt because of a hacker attack. Compensation offers from your IT provider won’t be able to cover the slump in business caused by your main clients no longer trusting you. That’s why it’s important to have another plan in case of emergency.

Recovery plan

If the worst happens, what would you do? If your systems have been compromised, you need to:

  • react quickly to find the problem
  • try to get your critical systems back up and running
  • reassure your customers
  • potentially deal with the press

For example, if your IT system goes down in the middle of the night, you can’t use your email and your website has crashed, then who are the people in your company that need to be notified? What should they do? And who should you speak to at your outsourcer to get the problem fixed quickly?

Once you’ve drawn up a plan, test it with your IT or cloud provider to ensure it all works smoothly, so there are no surprises when it is really needed. Remember to keep it up to date – you don’t want to discover, after you’ve suffered a hacker attack, that your crisis plan’s key coordinator left the company several months ago.

What’s the bottom line?

Outsourcing your IT is not a silver bullet. It reduces the risk of a hacker attack, because your outsourcer has bigger, better systems than your company could afford itself, but it doesn’t eliminate that risk completely: you share the outsourcer’s systems with other companies, which leaves you vulnerable to an attack in which your company might not even be the intended target.

That’s why you need a crisis-response plan. Many of you will probably already have one for other emergencies, such as a fire at your premises, but a hacker attack could do just as much damage to your business.

If you want expert advice, companies like ours can assess your outsourcer’s ability to deliver on its SLA, and help you to design and test a crisis plan.

If you’re still worried, cyber insurance can provide a financial safety net and the services of experts to help you deal with a hacker attack.

Benjamin Donnachie is a cyber breach expert at Navigant.