As cybersecurity threats continue to evolve, so do the terms and tactics associated with them. In reviewing industry guidelines on effective cybersecurity practices, we noticed a common challenge: many cybersecurity terms are frequently misunderstood. These misunderstandings can lead to confusion about what we actually do to protect our clients. One area that stood out was a glossary of commonly misused or misunderstood cybersecurity terms. Let’s dive into a few key terms to help clarify what they mean and why they’re essential for your business.

Common Cybersecurity Misunderstandings: What You Need to Know

1. Antivirus

Misunderstanding: Many people think antivirus software can protect against all types of cyber threats.

Clarification: While antivirus detects and removes malware, it doesn’t defend against threats like phishing or zero-day exploits. Comprehensive protection requires a layered approach, beyond just antivirus software.


2. Regulatory Compliance

Misunderstanding: Compliance with regulations automatically means a business is secure.

Clarification: Regulatory compliance is about meeting baseline standards and guidance put forth by regulatory agencies. Meeting regulatory compliance reduces regulatory risk and may reduce some real risk. The cyber threat landscape evolves much more quickly than regulatory agency guidance, and reducing real risk often requires going well beyond regulatory standards.


3. Firewall

Misunderstanding: Some believe a firewall blocks all threats and is the only layer of defense needed.

Clarification: A firewall monitors and controls traffic traversing your local network to the public Internet and sometimes between multiple company locations or cloud environments. While necessary, a firewall only mitigates a portion of cyber risk and should be part of a multi-layered strategy to effectively protect your network, systems, data, and people.


4. Incident Response Plan

Misunderstanding: Some think an incident response plan only comes into play after a cyberattack.

Clarification: An effective incident response plan is proactive, established, and tested before an attack occurs. This ensures that everyone knows what to do when an incident happens, minimizing impact, accelerating recovery, and reducing risk.


5. Encryption

Misunderstanding: Encryption is often thought of as an unbreakable solution for data security.

Clarification: Encryption helps secure data at rest and data in transit by converting it to a coded form, but weak encryption methods, compromised keys, and human error can expose encrypted data to threat actors and thereby increase risk. Regular review of cybersecurity controls, data storage and transit methods, and encryption key management and efficacy is critical to reducing risk in a constantly changing threat landscape.

Why Understanding Cybersecurity Terminology Matters

At Go West IT, we often hear, “Aren’t you already doing that?” from clients who may not fully grasp the breadth of cybersecurity risk and mitigation tactics. The reality is, each term above represents a piece of a much larger puzzle. Without understanding the threat landscape and these terms, clients might assume they’re fully protected when, in fact, they’re only partially covered.

Going Beyond Basic Protection

Misunderstanding terms like “phishing,” “malware,” or “two-factor authentication” can lead to an underestimation of the risks and necessary protections. Cybersecurity isn’t just a checkbox; it’s an ongoing process that requires proactive measures and constant adaptation to new threats.

At Go West IT, we’re committed to comprehensive protection, addressing every layer of cybersecurity. From incident response planning to advanced threat intelligence, our goal is to keep you informed and secure, so you can focus on what you do best. If you’re unsure about your current cybersecurity posture, let’s talk about how we can protect you on your journey.


Imagine you’re the head of a growing company. You’ve invested time and resources into securing your digital environment: firewalls are in place, staff have undergone cybersecurity training, and every software update has been meticulously applied. You feel prepared—until a new kind of threat emerges, one that operates faster, smarter, and more unpredictably. Attackers are now using artificial intelligence, leveraging the same technology you depend on for protection.

AI has revolutionized cybersecurity, enabling faster detection and response to threats. But it’s also giving cybercriminals powerful new tools to enhance their attacks, probe for vulnerabilities, and bypass traditional defenses. Understanding how AI can both empower and endanger your business is critical in today’s evolving threat landscape.

How Attackers Use AI

Cybercriminals are deploying AI in innovative ways, creating threats that are harder to detect and even harder to defend against. Here are some of the tactics they use:


Vishing and Deepfakes: AI can create convincing audio and video impersonations, making attacks like vishing (voice phishing) and identity impersonation more believable than ever.
Behavior Analysis: By analyzing user behavior, AI allows attackers to make social engineering attempts feel personal and authentic, increasing the likelihood that a target will fall for the scam.
Automated Scanning and Targeting: Criminals use AI to automatically scan for vulnerabilities in systems and deploy attacks with unprecedented speed, targeting weaknesses as soon as they’re identified.

Defending Against AI-Enabled Threats with AI

To counter these AI-enhanced attacks, companies must leverage AI-powered defenses that adapt and respond in real time. This is where tools like Go West IT’s Go Secured | Advanced Endpoint (Endpoint Detection & Response, or EDR) come into play. By utilizing AI, these tools offer:


Real-Time Detection and Response: Go Secured | Advanced Endpoint monitors systems 24/7, using AI to detect unusual activity and respond immediately, minimizing the impact of potential breaches.
Enhanced Threat Analysis: With AI, EDR solutions can analyze patterns and learn from emerging threats, providing proactive protection against sophisticated cyber tactics.

Why AI-Enabled Security Matters for Businesses

The stakes are high. Traditional defenses alone can’t keep up with the pace and precision of today’s AI-driven attacks. Incorporating AI into cybersecurity strategy isn’t just a benefit; it’s a necessity. Here’s how AI-enabled security can strengthen your defenses:

Improved Accuracy: AI can process vast amounts of data, detecting threats that human analysts might miss and reducing false positives.
Speed and Efficiency: AI tools react instantly, analyzing and responding to threats in real time—essential in a world where every second counts.

Proactive Security for a Safer Future

Keeping up with attackers requires continuous adaptation. AI-powered solutions like those from Go West IT offer businesses a critical advantage, enabling them to anticipate and counter threats more effectively.

Are you ready to secure your systems with AI’s help? Contact Go West IT to learn more about how AI can serve as both your strongest defense and your competitive edge against AI-enhanced threats.

Cyber threats are a known danger to businesses and individuals alike. Yet, even with training and cybersecurity awareness, people continue to fall victim to phishing scams and social engineering tactics. Why? It’s not just a matter of technical know-how; attackers are exploiting our natural human tendencies and psychological triggers to bypass our defenses.

Cybercriminals understand human behavior well enough to manipulate us into making quick, often uninformed decisions. They target our cognitive biases, utilizing tactics that can bypass rational thinking by tapping into emotions like fear, sympathy, or urgency. By recognizing these psychological triggers, we can begin to see the real reason behind our vulnerability to cyber attacks.

Why Do People Fall for Cyber Attacks?

Threat actors use psychological tactics to bypass our defenses. They play on cognitive biases, creating urgency, appealing to authority, or preying on our inclination to help others. Here’s how they do it:


• Misdirection: Criminals distract users to break down critical thinking, often with prompts like “We’ve detected suspicious activity on your account.”
• Urgency: The classic “Act NOW” tactic pressures people into action without thinking.
• Sympathy Principle: Attackers pose as someone in need, appealing to our empathy.
• Authority Principle: Bad actors pose as figures of authority to gain trust, using logos or official language.

Why Systems Matter More Than Ever

Relying solely on human vigilance is risky; it only takes a single moment of distraction for criminals to succeed. That’s why having robust systems in place is essential to catch and block potential threats before they reach employees. Solutions like Go West IT’s Go Secured | Cloud 365 strengthen these defenses, helping detect unusual activity such as phishing attempts or suspicious logins. With proactive tools in place, businesses can better protect themselves and reduce the burden on individual users, creating a safer digital environment for everyone involved.

Stay Vigilant: A Layered Defense

While user education is crucial, it can only go so far in defending against sophisticated cyber threats. A layered approach that combines user awareness with robust technical safeguards is essential to protect against attacks. Comprehensive cybersecurity solutions, like those offered through Go West IT, integrate advanced phishing detection and email link scanning to catch threats before they reach employees. With these layers of defense in place, businesses can better guard against evolving cyber risks, creating a more resilient security posture.

Adopt a Security-First Mindset

Adopting a security-first mindset means understanding both the technological and psychological defenses needed in today’s cyber landscape. Ready to strengthen your defenses?

Contact Go West IT to explore how we can help protect your business against evolving threats.

Email is a critical tool in today’s business world, but it’s also a primary target for cybercriminals looking to break into corporate networks. By implementing strong email security practices, businesses can reduce risks and protect sensitive information. Here are 15 email security best practices to share with your employees to keep your organization secure.

  1. Train Employees on Email Security
    Regular training is the foundation of email security. Employees should be aware of potential threats like phishing and understand how to recognize suspicious emails. Security awareness programs are essential to staying updated on evolving threats.
  2. Use Strong, Unique Passwords
    Encourage employees to create long, unique passwords for their email accounts. Passphrases are a great option—easy to remember but hard to guess. A company-wide password policy should outline the importance of password strength.
  3. Don’t Reuse Passwords
    Password reuse across multiple accounts is a major security risk. Attackers can exploit one compromised account to gain access to others. Using unique passwords for each account is crucial for minimizing this risk.
  4. Implement Multi-Factor Authentication (MFA)
    MFA adds an extra layer of protection by requiring more than just a password to access email accounts. Even if an attacker steals a password, they’ll be unable to access the account without the additional authentication factor.
  5. Take Phishing Seriously
    Phishing attacks remain a major threat. Train employees to recognize phishing attempts and avoid clicking on suspicious links or downloading attachments from unknown senders. Include phishing awareness in regular security training.
  6. Be Wary of Attachments
    Attachments can contain malicious code, even from trusted sources. Make sure your email security posture includes safe sandbox detonation and scanning of email-borne links and attachments to prevent malware from infiltrating your organization through email.
  7. Don’t Click Email Links
    Links in emails can be deceptive, leading to malicious websites. Teach employees to hover over links and scrutinize URLs before clicking.
  8. Don’t Use Business Email for Personal Use
    Mixing personal and business email usage increases the risk of security breaches. Employees should only use corporate email for work-related purposes and avoid logging into personal accounts using work devices.
  9. Use Corporate Email on Approved Devices Only
    Ensure that employees only access corporate email on company-approved devices with the necessary security controls in place. Unapproved devices might not have sufficient protection, making them a vulnerability.
  10. Encrypt Emails and Attachments
    Email encryption protects the content of emails from unauthorized access. Make sure employees understand how to use encryption tools to safeguard sensitive communications and attachments.
  11. Avoid Public Wi-Fi for Email
    Public Wi-Fi networks are notoriously insecure. Employees should avoid accessing corporate email while connected to public Wi-Fi unless they are using a secure VPN to encrypt their connection.
  12. Use Email Security Protocols
    Protocols like DKIM, SPF, and DMARC help prevent email spoofing and ensure that only legitimate messages reach employees’ inboxes. Businesses should ensure these protocols are in place for all corporate email accounts.
  13. Use Email Security Tools
    Implement email security tools such as spam filters, antivirus software, and email security gateways to protect against malware and phishing attacks. These tools provide an additional layer of defense.
  14. Log Out of Email When Not in Use
    Encourage employees to log out of their email accounts when they are not actively using them, especially on shared devices. Leaving accounts open increases the risk of unauthorized access.
  15. Regularly Monitor for Breaches
    Stay vigilant for any signs of data breaches that may affect email security. Tools like password managers can alert employees if their credentials are found in known data breaches, allowing them to take action quickly.
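
For the “Use Email Security Protocols” practice above, the following added example (not part of the original article) audits SPF and DMARC TXT records for settings that leave a domain open to spoofing. The domains and record strings are constructed samples and the finding wording is this example's own; DKIM is left out because checking it requires knowing each sender's selector.

```python
"""Audit SPF and DMARC TXT records for weak anti-spoofing settings.

All domains and record strings here are constructed samples, not real DNS data.
"""
from typing import Dict, List, Optional

# SPF terms that trigger DNS queries; RFC 7208 caps them at 10 per evaluation.
# Only the top-level record is counted here; nested includes are not resolved.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ENFORCING = ("quarantine", "reject")


def audit_spf(record: Optional[str]) -> List[str]:
    """Return findings for one SPF TXT record (None means nothing published)."""
    if not record or record.lower().split()[:1] != ["v=spf1"]:
        return ["SPF: no v=spf1 record published"]
    findings = []
    terms = record.lower().split()[1:]
    # Reduce each term to its mechanism/modifier name, e.g. "-all" -> "all".
    names = [t.lstrip("+-~?").replace("=", ":").replace("/", ":").split(":")[0]
             for t in terms]
    # A mechanism without an explicit qualifier defaults to "+" (pass).
    all_quals = [t[0] if t[0] in "+-~?" else "+"
                 for t, n in zip(terms, names) if n == "all"]
    if not all_quals and "redirect" not in names:
        findings.append("SPF: no 'all' mechanism, so unlisted senders get a neutral result")
    elif "+" in all_quals:
        findings.append("SPF: '+all' authorizes any host to send as this domain")
    elif "?" in all_quals:
        findings.append("SPF: '?all' is neutral and rejects nothing")
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceed the limit of 10")
    return findings


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: Optional[str]) -> List[str]:
    """Return findings for the TXT record published at _dmarc.<domain>."""
    tags = parse_tags(record or "")
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no v=DMARC1 record published at _dmarc.<domain>"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append("DMARC: p=none (or missing) only monitors; failing mail is still delivered")
    else:
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of failing mail")
        # Subdomains inherit p unless sp overrides it.
        if tags.get("sp", policy).lower() == "none":
            findings.append("DMARC: sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports to review")
    return findings


def audit_domain(spf: Optional[str], dmarc: Optional[str]) -> List[str]:
    """Combine SPF and DMARC findings for one domain."""
    return audit_spf(spf) + audit_dmarc(dmarc)


# Constructed sample records: (SPF TXT, DMARC TXT) per domain.
SAMPLES = {
    "hardened.example": (
        "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example",
    ),
    "monitor-only.example": (
        "v=spf1 include:_spf.mailhost.example ~all",
        "v=DMARC1; p=none",
    ),
    "open.example": ("v=spf1 +all", None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        issues = audit_domain(spf, dmarc)
        print(f"{domain}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

In production the record strings would come from TXT lookups on the domain and on `_dmarc.<domain>`; the checks themselves stay the same.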

Stay Ahead of Email Security Threats with Go West IT

At Go West IT, we understand the importance of email security in protecting your organization from cyber threats. Our comprehensive managed services include tools and strategies to help you safeguard your business from email-related risks. Whether it’s deploying MFA, monitoring for breaches, or training employees on security best practices, we’ve got you covered.

Learn more about our managed services.

As the world becomes more and more digitized, your identity is your security. As businesses and individuals, we’ve grown accustomed to thinking of firewalls and endpoint protection as the first line of defense. While these are essential, the real battleground has shifted. Identity is now the biggest attack surface. With user accounts being targeted more than ever, it’s crucial to treat your identity as a valuable asset rather than an afterthought.

Why Identity is Your Most Important Security Layer

We’ve seen an alarming rise in identity theft and account compromises, where bad actors use stolen credentials to infiltrate systems, steal information, or impersonate individuals. What makes this threat so dangerous is how often a single set of credentials—think usernames and passwords—can be reused across different platforms, creating a cascading vulnerability.

Now more than ever, identity is security. Whether you’re managing a business or your personal life, identity protection should be front and center. Consider identity as an asset that requires ongoing management. Just as businesses protect physical assets with alarms and surveillance, your digital identity deserves the same level of protection.

Key Steps to Safeguard Your Identity

Securing your identity starts with account management and practicing good identity hygiene.
Here are five key steps to treat your identity like the critical asset it is:
 

1. Use a Password Manager
Store your passwords in an enterprise-class password manager. This ensures that your credentials are encrypted, organized, and easy to manage. Password managers also reduce the risk of reusing credentials, which is one of the most common mistakes people make.
 

2. Create Long, Strong, and Unique Passwords
Gone are the days when a short, simple password could protect your accounts. Every account you have should have a unique, complex password—one that’s long and difficult to guess. Password managers can also generate these for you, removing the hassle of coming up with new combinations.
 

3. Implement Multi-Factor Authentication (MFA)
Enable MFA wherever possible, using apps for codes instead of less secure methods like texts or emails. MFA adds an extra layer of protection by requiring something you know (your password) and something you have (a code from your phone).
 

4. Stay Informed About Breaches
Be proactive when it comes to data breaches. If a company you’ve done business with is compromised, update your passwords immediately. A good password manager can alert you to any breaches or data leaks that may affect your accounts, giving you the opportunity to act before further damage is done.

5. Eliminate Unnecessary Accounts
Over time, we accumulate dozens of online accounts. When was the last time you logged in to an old shopping site or social media platform? Deleting these dormant accounts reduces your overall attack surface and minimizes the chance of being targeted in a future breach.

Vigilance is Key to Identity Security

It’s not enough to think about identity security as a one-time task. In a world where cyber threats evolve rapidly, your approach must be one of constant vigilance. Regularly review your accounts, change passwords when necessary, and keep your digital footprint as secure as possible.

How Go West IT Can Help

This approach applies to both individuals and businesses. At Go West IT, we understand the importance of identity security and offer solutions tailored to protect your most valuable digital asset—your identity. For businesses, we provide enterprise-grade password management solutions that allow you to review and monitor employee password hygiene, reducing the risk of compromised credentials.

Our comprehensive managed services include identity protection as part of our security strategy, ensuring your team and your company are secure from evolving threats. Whether you need a stand-alone password management solution or full-scale IT security, Go West IT has the tools to keep you protected.

Take Control of Your Digital Identity Today
Click here to learn more about our managed services.

As a business owner, you might be tempted to entrust your website developer with managing your domain registration and DNS hosting. After all, they are experts in web development and can help you choose the right website host for your business. However, in my experience, this is not a good idea. In this blog post, I will explain why you should not let your website developer manage your domain registration and DNS hosting.

DNS is an attack surface for threat actors.

DNS is an essential component of your online presence. It is responsible for translating domain names into IP addresses, which allows users to access your website. However, it is also an attack surface for threat actors. Cybercriminals can use DNS to launch various attacks, such as DNS spoofing, DNS hijacking, and DNS amplification attacks.

In my experience, web development shops do not have adequate security controls around managing Registrar and DNS accounts. It is not uncommon for web developers to manage many domains for multiple customers in one account to which many people have access. This makes it easier for cybercriminals to compromise your DNS and launch attacks against your website.

Web developers typically do not fully understand DNS.

While web developers are experts in web development, they do not all fully understand DNS. Those who don’t understand the complexities of DNS may inadvertently make mistakes and misconfigurations that can affect your email, remote access, network connectivity, and overall IT security.

Web developers are rarely available evenings and weekends.

DNS changes may be required outside of regular business hours, such as during office moves or network infrastructure changes. Unfortunately, web developers are rarely available evenings and weekends. This can cause delays and disruptions to your business operations.

Your domain names are your assets.

Your domain names are your assets, and you should maintain control of these assets. By letting your website developer manage your domain registration and DNS hosting, you are relinquishing control of your domain names. This can lead to issues if you decide to switch website developers or if your website developer goes out of business.

In conclusion, you should not let your website developer manage your domain registration and DNS hosting. While they may be experts in web development, they may not have the necessary skills, knowledge, and experience to manage DNS effectively. Additionally, your domain names are your assets, and you should maintain control of these assets. By managing your domain registration and DNS hosting, you can protect your business from cyber threats and ensure that your website is always available to your customers.

Cybersecurity is one of the most critical concerns for small business owners today. A single cyber-attack can bring down a business, causing financial losses, reputational damage, and even legal liabilities. Business owners increasingly turn to cyber insurance policies to help mitigate cyber risk. These policies transfer some risk by providing resources, such as money and services, to deal with data breaches, network outages, and cyber extortion. However, cyber insurance is rarely sufficient to deal with the havoc that can ensue when a small business experiences an incident or breach.

Cyber insurance applications can teach small business owners a lot about effective cybersecurity risk management. Cyber insurance applications have grown from a few questions to many pages of questions as carriers seek to better assess risks based on the cybersecurity posture of their customers. This blog post will explore the key lessons that small business owners can learn from the questions asked on a cyber insurance application.

Current cyber insurance applications focus on the following topics:

  1. Endpoint Management
    Endpoint management refers to the management of laptops, desktops, servers, and mobile devices. Cyber insurance applications focus on endpoint management because endpoints are often the entry point for cyber attackers. Small business owners can implement endpoint management practices such as vulnerability scanning, patch management, and device encryption.
  2. Phishing Prevention
    Phishing is a type of cyber-attack where attackers use social engineering techniques to trick users into divulging sensitive information such as login credentials or credit card details. Phishing attacks are widespread and can be devastating for small businesses. Cyber insurance applications focus on phishing prevention because it is one of the most common types of cyber attacks. Small business owners can implement phishing prevention measures such as employee training, email filtering, and multi-factor authentication.
  3. Identity Management
    Identity management refers to managing user identities, access rights, and privileges. Identity management is critical for ensuring that only authorized users can access business data and networks. Cyber insurance applications focus on identity management because compromised user credentials are a common entry point for cyber attackers. Small business owners can learn from this and implement identity management practices such as password policies, enterprise password managers, user access control, and single sign-on (SSO).
  4. Data Backup Solutions
    Data backup solutions refer to the process of creating copies of business data and storing them in a secure location. Data backup solutions are critical for ensuring business continuity during a cyber-attack or other disaster. Cyber insurance applications focus on data backup solutions because they are critical for mitigating the impact of a cyber-attack. Application questions center around the segregation of backups because insurance companies know that cybercriminals will delete or encrypt backups if they can access systems. Small business owners can learn from this and implement data backup solutions such as cloud backup, offsite backup, and developing disaster recovery plans.
  5. Endpoint Detection & Response
    Endpoint detection & response refers to the process of detecting and responding to security incidents on endpoints through software and monitoring services. Endpoint detection & response is critical for detecting and responding to cyber-attacks before they cause significant damage. Cyber insurance applications focus on endpoint detection & response because it is a critical component of effective cybersecurity risk management. Small business owners can learn from this and implement endpoint detection & response measures such as threat hunting, incident response planning, and security monitoring.

The good news is that most IT-managed service providers and managed security service providers offer services to cover 100% of the risks cyber insurance companies focus on. If you cannot mitigate your cyber risk on your own, fast-track your risk mitigation and insurance readiness by contacting a managed security service provider like Go West IT.

Go West IT turns 13 today, and as we reflect on how far we have come, we want to thank our talented team, supportive vendors, and amazing customers for joining us on this incredible journey.

In these 13 years, Go West has gone from a small 4-person IT company to a robust 40+ person cybersecurity-obsessed Managed Service Provider. While every step along the journey is significant to who we are and where we are going, we have laid out some of the stand-out moments.

May 15, 2010 – Go West IT was founded with four employees and a handful of great customers.

2011 – Go West IT makes a concerted shift from supporting and recommending on-premises server infrastructure to exploring a cloud infrastructure alternative.

2012 – Go West experiences significant growth in its customer base, including a concentration of customers in the financial services space.

2015 – Go West IT moves into new office space to accommodate a growing staff and to meet the support and cybersecurity needs of the company’s growing customer base.

2015 – Go West IT completes an extensive infrastructure “lift and shift” from a private data center to a public cloud (Azure) for a new customer.

2015 – After identifying and calling out a supply chain security weakness, Go West IT becomes a Microsoft Direct Cloud Solution Provider (CSP), a status normally available only to much larger organizations.

2016 – Go West IT engages an audit firm to prepare its first SOC 1 Type II audit.

2016 – Go West IT hires the company’s first full-time technical account manager(s), MSP Administrator, and adds multiple technical manager roles.

2017 – Go West IT completes the company’s first SOC 1, Type II, and SOC 2, Type II audits.

2017 – Go West IT was recognized as Microsoft SMB West Region Azure Partner of the Year at Microsoft’s annual partner convention.

2017 – Go West IT adds additional office space as staff and customer base continue to grow.

2017 – Go West IT starts shifting from a traditional Value-Added Reseller and “Break-Fix” IT support provider to an IT Managed Service Provider.

2018 – Go West IT doubles down on cybersecurity focus and begins implementing cyber-specific managed service offerings to combat a growing threat.

2019 – Go West IT has another significant growth spurt and builds a leadership team to guide the company through the next phase of growth and development.

2020 – Go West IT executes a new lease for expanded office space in January 2020, and the CEO moves into the new space, designed for 50, in May 2020 while most other employees work from home.

2020 – Go West IT’s customer base is particularly well-positioned to deal with the pandemic because they have moved to cloud-centric platforms or previously built solid and secure remote access solutions.

2021 – Go West IT experiences modest growth through the pandemic while maintaining the exceptional staff built in the prior decade with no layoffs and no disruption to operations.

2022 – Go West IT completes the sixth straight successful SOC2, Type II audit and sees another surge in customer and revenue growth.

2022 – Go West IT promotes Tom Hynek to the role of President, the first time this role has been held by someone other than the Founder.

2023 – Go West IT is the MSP of choice in the Denver market with customers across the United States and beyond. Go West IT has a staff of 43 with two open positions at the time of this re-cap.

At Go West IT, constant improvement is one of our core values, so we know that this journey is just beginning. We are looking forward to continuing our mission of helping companies benefit from technology by guiding them to opportunities and protecting them from harm.

Join us in celebrating 13 years of Go West IT!

Microsoft Teams is a collaboration platform that provides users with a wide range of tools to communicate and work together effectively. One of the key features of Microsoft Teams is the ability to integrate and manage Microsoft SharePoint storage. Here are some reasons why Microsoft Teams is a great tool to manage Microsoft SharePoint storage:

  1. Permissions Management: SharePoint fails often come down to folder structure and permission management mistakes. Teams makes SharePoint file structure and user permissions a snap for less technical users. Simply add or remove users from a “Team” to grant or remove their ability to access the files for that Team.
  2. Seamless Integration: Microsoft Teams integrates seamlessly with SharePoint, making it easy to access, store, and share files. Users can access and collaborate on SharePoint files directly within Teams, without having to switch between different applications.
  3. Easy Sharing: Microsoft Teams makes it easy to share SharePoint files with other users within an organization. Users can easily share files and folders with others, collaborate on projects, and track changes to documents in real-time. For users who prefer the “old school” approach of accessing files using Explorer, simply “sync” a SharePoint folder to your Explorer using OneDrive (Microsoft’s built-in personal storage and sync tool).
  4. Centralized Storage: SharePoint provides a centralized location for storing files, which can be accessed from anywhere within an organization. Microsoft Teams provides a convenient and user-friendly interface for accessing and managing SharePoint storage, making it easier for users to find the information they need.
  5. Improved Collaboration: Microsoft Teams makes it easier for teams to collaborate on projects and share information. Users can use Teams to have real-time conversations, make comments on files, and share updates on projects. This can help improve collaboration and increase the productivity of teams.
  6. Secure Storage: SharePoint provides secure storage for files, which helps to protect sensitive information. Microsoft Teams adds an additional layer of security to SharePoint by providing a secure platform for communication and collaboration. A Microsoft 365 backup solution added by your Managed Service Provider provides peace of mind that your data is protected in the event of inadvertent or malicious deletion.

The seamless integration between Teams and SharePoint, combined with the ease of permissions management, file structure design, sharing, centralized storage, improved collaboration, and secure storage, makes Teams a valuable tool for organizations looking to manage their SharePoint storage effectively. Contact Go West IT to help you leverage your Teams solution.

Choosing a Managed Service Provider (MSP) can be a critical decision for a business. MSPs provide essential IT services to help businesses manage their information systems and data effectively, and to provide protection from harm found in the digital frontier. To ensure that a business selects the right MSP, it is important to consider the MSP’s security posture, SOC 2 Type II audit, service offerings, and end user support capabilities. 

Here are 4 factors to consider when choosing an MSP: 

  1. Security Posture: A business should look for an MSP with a strong security posture. This means that the MSP has robust security protocols, systems, and processes in place to protect their own systems and their customers. A business can assess an MSP’s security posture by asking some simple questions.
    • First, ask if they use all the products and services they recommend to their customers. 
    • Second, ask them to describe how they manage security of their systems and look for indications that they have a process in place for continual review & improvement (e.g., assessments, policy review and updates).
    • Third, ask about how they are prepared to deal with a potential breach of their systems or a breach of a customer’s environment. If they can talk through the answers clearly with substantive examples, chances are they spend time working on it internally. If the MSP stumbles and cannot provide substantive answers, ask to speak with someone further up the chain of command, and if you can’t get good answers, look elsewhere.
  2. SOC 2 Type II Audit: An MSP’s SOC 2 Type II audit provides assurance that the MSP has the necessary security controls and processes in place to secure the data and systems of their clients. This audit is conducted by an independent auditing firm and provides a thorough assessment of the MSP’s security posture. Not every MSP will have a SOC 2 Type II audit. Those that do have made significant investments in controls and are audited annually on the adequacy of their controls and how well they adhere to the controls throughout the one-year audit period.
  3. Service Offerings: A business should consider the services offered by an MSP to determine if they meet the business’s needs. For example, the MSP should offer device patching, endpoint monitoring and management, and data backup and recovery services. Talk about what labor is “in-scope” and what labor is “out of scope”. Figure out if the bundle of services an MSP offers fits with the needs of the business. Can the MSP articulate what is included, or does the MSP struggle to justify the value of their services? An MSP with a higher price per device or higher price per person might have a more robust service offering (bundle) that includes things other MSPs might tack on after the sale.
  4. End User Support Capabilities: A business should look for an MSP with strong end-user support capabilities. This means that the MSP should be able to provide fast, efficient, and effective support to the business’s employees. The MSP should also be able to effectively provide remote support to resolve issues quickly. Ask about how they deal with calls outside of normal business hours.

By considering the MSP’s security posture, SOC 2 Type II audit, service offerings, and end-user support capabilities, a business can ensure that it selects an MSP that meets its needs and provides essential IT services, including security, to help manage its information systems and data effectively.