How seriously does your IT provider take their own security?

Have you ever asked? Does the question make you nervous?

It's OK if it does, but if so, it's probably a good time to schedule a review of their internal security processes. Here is a quick rundown of questions to ask:

What, if any, compliance standards are they adhering to? Can they prove it?

Do they participate in regular 3rd-party independent audits? Will they share the latest results with you?

Do they have disaster recovery/business continuity plans that they are willing to share with you? These should cover things like internet outages, power outages, or natural disasters preventing normal access to IT systems. How do they cope?

Would they be willing to share with you the systems that they are utilizing to protect their own infrastructure? Security providers, SOC services, backup systems, etc.

Who underwrites their Errors and Omissions and Cyber Liability policies? Are they willing to share coverage details with you?

This is a soft start, but a simple way to gauge readiness.

#HardentheTarget #StayVigilant #SecurityAwareness