How to Hire for an IT Security Assessment: A Small Business Guide

Posted on Tuesday, September 20, 2016

No matter how secure your organization is, getting an IT security assessment from a third party can provide insight into possible weak spots in your system, alert you to risks and provide recommendations for improvements.

While your organization likely takes IT security very seriously, you might not have an in-house security team. Even if you do have a full-time IT department, they may not be well-versed in the vast landscape of security products and services available. If this sounds like you, it might be time to consider bringing in an IT security consultant.

Why do I need an IT security assessment?

Ensuring your systems are secure, reliable and not open to malicious attacks, hacks or breaches is job one. In fact, many industries may require regular cyber-health checks to ensure their security and infrastructure are sound for compliance's sake. Governments, financial institutions or industry regulatory bodies fall into this category, but other companies may be required to report on the security of their systems for any number of reasons. It might be necessary to appease investors, reassure partners or provide a discerning customer base with a sense of confidence.

While you should be conducting regular internal testing for vulnerabilities, you should occasionally bring in a fresh set of eyes to check your findings to see what, if anything, you might have missed. While your IT department may have your best interests at heart, they may not be current on new threats or new and improved IT security solutions coming into the market, and this is where a dedicated IT security specialist can really make a difference.

With the sheer volume of companies that offer IT security assessments, how do you choose? Experience and reputation are key, but there are several other things to take into consideration.

Here are some things you might want to consider when hiring an IT security consultant:

Ask what successes the consultant has had in the past

Credentials are good, but being able to put them to practical use is another thing altogether. A consultant will always play up their skills, but what you really need to know is the stories behind the skills. Find out what they have done for their previous clients, and ask that they put it into terms that anyone can understand. For instance, rather than being too heavily focused on algorithms, mathematics and jargon to explain how they prioritize risk, they should be able to describe in plain language how they determined which risks presented the greatest potential threat to the business, and what they did to mitigate them. Often, these accounts are better coming from the client themselves, so ask for contact information and do some diligence yourself.

Perform a risk assessment before you hire

Your IT security consultant shouldn’t be the one telling you what your biggest risks are – in fact, you are probably in a much better position to determine this. There is a tendency with some IT security firms to take a cookie-cutter approach to IT risk mitigation, but this sort of blanket solution might not be a good fit for you. IT security should take a risk-based approach, and your consultant should be able to provide you with policies and support procedures that make sense. A conscientious security consultant will ask you whether you have had a risk assessment, and design a comprehensive solution based on those results. For many companies, these risks could include loss or breach of financial information, denial of access to stored information or apps, or their site being down for any extended period of time. Once you have a clear picture of your core risks – those things that can potentially take your business to its knees – then you have a good chance of getting a more customized solution.

Find out who is going to be performing the actual work

It’s a pretty typical scenario: the big IT security company sends its top dog out to sell the service, but once the contract is fleshed out they send in junior technicians to do the work. While this is not always a complete disaster, you might think you’re getting something you’re not, based on the company’s sales practices. Above all, you don’t want to have to have the job done twice, so make sure the technician performing the task is who you think it is. Find out exactly who they are, do background checks, look at their social media profiles and ensure there are no red flags.

Communication is key

While you can't expect IT techs to have the greatest social skills, they should at least be able to explain the work they are doing and how they are spending their time. While some companies tend to work shrouded in secrecy, you might end up wondering whether you're actually better off in the end or not. Ask your consultant to explain the work as well as what deliverables you can look forward to receiving along the way. Policies and procedures to be implemented should be thoroughly explained, and you should know what to expect at the end of the job as well as how to determine whether progress is being made. You should be aware of any security breaches that are occurring, what is being done to mitigate those risks, by what percentage they have been able to reduce your vulnerability, and whether things are going to improve going forward. Progress should be measurable, and your consultant should be able to articulate this to you.

Find out what training is available for your employees after the fact

Your consultant is only there for a short time. Eventually, you will have to take back the reins, and this is important to establish from the start. Many consultants will be looking to get re-hired, so they may not be as forthcoming with information about what they’ve done and how to sustain it. Your ideal consultant will allow you to sit with them during critical testing phases and educate you on the tools they use and how they are using them. You and your employees need to be informed on how you are going to maintain and uphold the security protocols that will be put into place, but often this costs extra money that you might not be willing to part with. Think carefully about this proposition, as hackers often prefer to target the end user – in this case, your employees.

They may find it much easier to send malicious code through an email than to hack your system. Taken in this context, you should see how important it is for your workforce to be educated as well.

Ask if they have ever disabled a network during testing

While this happens occasionally, it can potentially cause a great deal of harm to a business, especially one that depends on their web systems being online 24/7 in order to complete business transactions. The question itself is a test of their honesty as much as it is a statement of their experience. Everyone talks about their triumphs, but the true test of merit is in how one recovers from a disaster.

IT Security Certifications are Great. Experience is better.

While certifications are good proof that your consultant has some background in what they do, many IT professionals carry credentials that they don't necessarily use. It's all well and good to have taken a bunch of classes, but if they haven't got the practical experience to back it up, they might not be the right choice for you. A talented IT security consultant should be able to recognize your vulnerabilities, and proof of their talent will come in the form of experience and proven success. The exception would be those who hold advanced or specialized certifications beyond the basics, as some are extremely difficult to achieve.

What You Can Expect

If this is your first IT security assessment, you might be wondering what it will cost, how long it will take and what the whole ordeal is going to do for you in the long run. Partnering with the right company is key; being able to work with somebody who can work with your budget and get the job done is just as important as getting it done quickly.

The fees you pay should be based on what you feel is fair and reasonable, considering the job at hand. Many firms will quote a flat rate based on the report they will deliver, detailing their findings and final recommendations. Others will charge based on how many days they estimate it will take to complete the job. For more complex companies with many departments it may be more cost-effective to accept a flat rate. Bottom line, you should agree that the pricing is fair, and know exactly what you are getting for your money.

Finding the right fit is crucial. Your IT security consultant should be transparent about how they plan to proceed with your audit, how they can achieve your objectives and what you can expect in the end. A good auditor will work with you, accept your input and freely discuss their methods.

What You Can Do

You can and should expect that before and after your security assessment, you will need to establish some protocols to help maintain a certain level of IT security. The better prepared you are when your consultant comes in, the easier it will be to implement tasks that he (or she) recommends, based on your results.

Whether or not you are well versed in technology, there are plenty of things you can do to shore up your defenses before and after your IT security assessment. Here’s a checklist, highlighting areas of focus that might help support you in establishing your new protocol:

  1. User Accounts
    1. Training: all employees need training on policies and procedures, but also in specific do’s and don’ts related to their company user accounts. Training should be done immediately upon hiring, and reinforced periodically to allow for updates and changes in protocols along the way.
    2. No account sharing: it is imperative that each employee has their own unique account, and that their login information isn’t shared with other users – ever!
    3. Separate admin accounts from regular user accounts. Employees with admin credentials should only use them when performing an admin function, so that everyday activity such as clicking a link or running a download never happens with elevated privileges.
    4. Disable or delete old accounts: as important for enterprise as it is for SMBs, run a scheduled task to report on and disable accounts that have not been active for a period of time.
  2. Create policies. It’s virtually impossible to implement a network security protocol without having some policies in place. Even if employees know that they shouldn’t be doing something, it’s best to back it up with a firm policy so you can hold them accountable in case anything goes wrong. Here’s a quick list of policies you might consider implementing:
    1. Acceptable use
    2. Internet access
    3. Communications
    4. Remote access
    5. BYOD
    6. Network security
    7. Privacy
  3. Backups
    1. Backup regularly
    2. Never repurpose backups that contain highly sensitive material
    3. Store copies of physical backups offsite in a secure location
    4. Encrypt data that is being stored offsite to ensure security
    5. Restrict access to backups and consider using two-factor authentication
  4. Email
    1. You need an inbound and outbound filtering solution that protects your users as well as your customers.
    2. Deploy network edge security to identify good and bad traffic
    3. Deploy a filtering solution that will protect from the range of possible email threats, such as spam, malware, virus and phishing attacks
    4. Educate your employees about malicious attacks and how not to be lured in by social engineering practices
  5. Internet Access: ensure a secure connection for all of your users by implementing an internet monitoring solution.
    1. Use filter lists that parallel your acceptable use policy
    2. Scan all content, downloads, scripts and streaming media for malware
    3. Restrict bandwidth so that your users' internet activities do not negatively impact your company's critical functions
    4. Employ a port blocking protocol so that users will not be tempted (or able) to circumvent your acceptable use policy.
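
The "disable or delete old accounts" item above (User Accounts, point 4) is the one part of this checklist that is routinely automated. Here is an added example of such a scheduled task for an Active Directory environment; it is not code from the original article or from the firm it describes. It assumes the ActiveDirectory PowerShell module is installed, that the task runs under an account allowed to disable users, and that the report path, the 90-day threshold and the exclusion list are placeholders you would adjust.

```powershell
# Added example: report on, then disable, AD user accounts with no logon for N days.
# Designed to run from Task Scheduler. Run with -ReportOnly first and review the CSV
# before letting it disable anything.
param(
    [int]$InactiveDays = 90,                                                       # assumed threshold
    [string]$ReportPath = "C:\Reports\StaleAccounts-$(Get-Date -Format yyyyMMdd).csv",  # hypothetical path
    [string[]]$ExcludeSamAccountNames = @("Administrator", "krbtgt"),              # never touch these
    [switch]$ReportOnly
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates between domain
# controllers with a lag of up to 14 days, so treat this as a review list, not an audit trail.
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated, Description |
    Where-Object {
        # inactive: never logged on, or last logon before the cutoff
        (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) -and
        # but not brand new: a hire created last week has no logon yet and is not "stale"
        $_.whenCreated -lt $cutoff -and
        ($ExcludeSamAccountNames -notcontains $_.SamAccountName)
    }

# 1. Report first, so a person can see exactly what the task is about to do.
$stale |
    Select-Object SamAccountName, Name, LastLogonDate, whenCreated, DistinguishedName |
    Sort-Object LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

# 2. Disable rather than delete, and record why in the description: the change stays
#    reversible, and whoever reviews the account later can see when and why it was disabled.
foreach ($user in $stale) {
    $note = "Disabled $(Get-Date -Format yyyy-MM-dd): no logon for $InactiveDays days"
    if ($ReportOnly) {
        Write-Host "Would disable $($user.SamAccountName) (last logon: $($user.LastLogonDate))"
    } else {
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description $note
    }
}

Write-Host "$(@($stale).Count) inactive account(s) written to $ReportPath"
```

Two design points worth keeping whatever tooling you use: the report is written before any change is made, and accounts are disabled rather than deleted, so a mistake costs a phone call rather than a restore from backup. Service accounts and shared mailboxes that legitimately never log on interactively belong in the exclusion list, or they will be disabled on the first run.
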

Your IT Security Specialists

If you are considering hiring for an IT security assessment, consider Mustard IT. Our only focus is to bring you peace of mind in your IT security audit, providing you with insight and recommendations that you can count on. We will work with you to develop programs and protocols that you can live with, both practically and financially, explaining our processes in plain English so that you can understand exactly what we are doing every step of the way.

Call today to get started, or drop us a line to find out more about an IT security assessment for your company.