12 Cybersecurity Questions You MUST Ask Your Third-Party Provider

Partnering with a third-party IT partner can reduce your overall operations costs and, if you choose the right provider, can improve your security and reduce the likelihood of a data breach. Before you choose a partner, conduct extensive due diligence, especially around security.

Before partnering with an IT provider, ask these 12 security-related questions:


Editor’s Note: Are you looking to improve the security posture of your organization? Download our FREE Cybersecurity Toolkit, which includes handy desk reference guides, posters and checklists that you can share with your teams.


What certifications or audits has your provider achieved?

Depending on what industry you’re in, your IT provider may be required to have achieved certain security certifications or audits. For instance, financial firms require partners to pass PCI compliance. Similarly, healthcare practices require partners to have achieved the SSAE 16  or SSAE 18 certification. Security certifications or audits prove that your IT provider has invested the time and money into testing and proving their competency in security.

What security liabilities will the IT provider accept?

Choose a provider that shares in the responsibility and liability of security. Your provider should be willing to sign a Business Associate Agreement (BAA) or similar agreement that transfers some of the security liability onto them.

Is the service delivered via a public, private or hybrid solution?

Sharing resources with other organizations can be an effective way to lower your costs, but it can also put your organization’s data at risk. Ensure you have dedicated resources for applications that hold sensitive data and are mission-critical. Shared resources may be appropriate for less critical applications like email, or for simple needs like document sharing or data backup.

What type of security training do they offer your staff?

Regular security training is one of the more effective ways to prevent data breaches caused by human error. Your IT provider should have an established security training program that they can offer to your staff regularly.

Does the provider offer role-based access?

Not everyone in your organization needs access to everything. As a matter of fact, it only increases your liability and opportunity for error if they do. Check with your IT provider on the level of granularity they offer role-based access to best protect your organization’s sensitive data.

What type of audit trails does your provider offer?

Audit trails help identify sources of error or wrong-doing in the event of a breach. Ask your provider if they can provide audit trails for sensitive data, showing who accessed it and when.

Does the IT provider have experience working with businesses in your industry?

Some industries, especially healthcare, financial services and legal, are highly regulated and require expert-level attention when it comes to securing its sensitive data. Ask your provider if they’ve provided services for organizations in your industry and then call their references.

How does the provider maintain availability in the event of a disaster?

Often referred to as a business continuity plan, request detailed processes for how your IT provider will keep your business operational in the event of a disaster.

How frequently does the provider conduct data backups (and test the integrity of the backups)?

In the event of a disaster and data loss, how many hours (or days) of productivity would your organization lose? At a minimum, IT providers should conduct daily backups. Superior providers will conduct hourly or even bi-hourly snapshots of your data. Further, challenge your IT provider on how often they test their backup process to ensure data is available and rescuable.

What type of security support is available and how often?

Your IT partner can provide additional value by serving as your outsourced security officer. Ask your provider how you can contact the Security Team (phone, email, chat) and what level of help you can receive for security-related questions. Further, inquire whether the provider’s security staff carry any industry-relevant security certifications.

Where are their assets physically located?

Though the cloud seems nebulous at times, your data resides on a server in a data center somewhere. Identify where your data physically resides and if it’s in an area that is prone to natural disasters. Further, identify if there are multiple fail-safe locations for the data to failover if needed.

What are my security responsibilities versus the provider’s?

This is possibly the most important question to ask your IT provider. Many organizations erroneously assume that all security responsibilities fall to their IT provider. It’s important to have an explicit understanding of your organization’s responsibilities and those of your provider.

Follow Us