Why SOC 2 Matters to Your Security-Conscious Business
The Economist said it best when talking about the new data economy:
“The world’s most valuable resource is no longer oil, but data.”
Just as the world economy could not survive without oil, it also could not survive without data. Unfortunately, any time something of value exists there will always be criminals who try to steal it, hold it hostage, or otherwise monetize it through illegal means.
The question: How secure are your valuable data assets?
The modern threat landscape
62% of businesses experienced a phishing or social engineering attack in 2018, and phrases like “hacking,” “social engineering,” and “ransomware” appear in the news on a daily basis. These are just some of the more visible signs of a widespread world of sophisticated cybercriminals doing everything they can to access and monetize your data.
Once criminals obtain your data, they can monetize almost any of it, including login credentials, bank account information, PINs, intellectual property, and your client/customer information. And even if your data is not valuable to someone else, it is extremely valuable to you. The most damaging attacks now come in the form of ransomware, where criminals encrypt all your data, rendering your business inoperable until you pay them a ransom for the decryption key.
A critical business decision
Most small and mid-size businesses rely on managed IT providers to design and manage their network and data security in a way that enables them to keep their data accessible for valid business use while also being safe from criminals.
In the context of the current dangerous cyber threat landscape, choosing your managed IT provider is a vitally important business decision. Let’s consider how you make other critical decisions. You wouldn’t get surgery from a surgeon who wasn’t board certified or give your money to a financial provider who wasn’t credentialed by an independent financial certifying authority, would you?
IT, and especially IT security, is another highly specialized field, and the IT partner you choose could be the difference between business success and severe loss, or even business failure. Think of the consequences if something did happen to your data:
- Could you survive if all your data was stolen, lost or destroyed?
- If you did survive, how would it damage your reputation?
- How many of your clients might leave if they knew data they entrusted to you was stolen?
- What would be the dollar cost of hours, days or even weeks of downtime as well as the cost to remediate?
- Are you willing to pay a data ransom, which on average costs $84,116?
- Would a breach expose your business to lawsuits?
Given such dire consequences, you need to know that your IT provider is qualified to keep your business and data safe. You need to choose an IT provider that can demonstrate, through objective confirmation, that it possesses the level of competence required in these areas.
Put your IT provider’s competence to the test
Fortunately, there is a quick and established method to determine your IT provider’s competence in how they securely manage data. It’s called the System and Organization Controls (SOC 2) certification.
To obtain this certification, an IT provider that has made the required technical, operational and training investments engages an independent third-party auditor to certify its competence and expertise in achieving SOC 2 compliance. This is a very expensive endeavor that, in addition to the cost of the audit, requires a high degree of operational excellence, knowledge and process reengineering.
Why do managed service providers (MSPs) do this? Because SOC 2 is the best way to show their clients that they meet stringent industry standards for securing their own data as well as any client data they host on their network. More importantly, it objectively demonstrates the IT provider’s competence to provide the same technical and process-driven security and cyber protection to their clients.
The certification requires that:
- Their systems are protected from unauthorized access
- The systems they manage are available for operation, as agreed in your contract
- The services they provide are complete, accurate, timely and authorized
- All their confidential information, as well as any client information contained in their network, is protected
- Any personal information they gather is handled and destroyed as agreed in their privacy notice
To put it simply, today’s cybersecurity environment means you need a SOC 2 certified IT provider.
What SOC 2 really means for you
When someone purchases a service (managed IT included), they’re often purchasing on-paper promises of what it will deliver. When you buy internet service advertised at 500 MB/s download speed, you expect to get 500 MB/s download speed. If you only get 100, you feel like you were tricked.
The same concept applies to IT service delivery. You’re signing on for many services that are highly technical. For example, you need business continuity solutions, but the finer, more technical points of those solutions may be lost on you. So how do you know you’re really getting the solution you were promised?
An objective seal of assurance is one of the best ways to answer this question. By having a third party with the knowledge and expertise to test what your provider says they are delivering, you can rest assured you are getting what you paid for – an IT provider who can guide you step-by-step in the development and maintenance of an IT infrastructure that keeps your data safe yet available and useful.
Plus, given that the cyber threat landscape continues to evolve at unprecedented levels, it is highly likely that your customers and clients have already asked, or will soon ask, you to provide assurance that you’re handling their data safely. This will require you to prove not only that your systems are secure, but also that your key vendors (with your IT vendor being the main one in question here) can do the same. Your MSP’s SOC 2 certification is a seal of assurance you can provide to your clients to satisfy their own auditing requirements.
Get rid of the uncertainty
Data security isn’t something any business can risk. That’s why we recommend you find an IT partner that you know delivers what they promise and can competently advise you on how to build and maintain an IT infrastructure that best protects your data and systems. Your business, clients, and reputation are too important for anything less.
Ask your current provider if they are SOC 2 Certified, or begin looking for a managed service provider who is.