Your organization's IT team, in-house or contracted, serves as one of its front-line defenses against cybercriminals. As cybersecurity attacks become more common in the affordable housing industry, there's no better time to evaluate your IT team's ability to:
- maintain your computer network;
- train employees on various systems;
- provide technical support;
- assess potential threats; and
- ensure things continue to run smoothly.
If a cybercriminal breaches your organization, chances are your IT team will be the first to notice, setting off a chain of time-sensitive events to pinpoint and remediate the incident.
Not all housing organizations are alike. Some have an in-house IT team, while others rely on consultants or a hybrid model—there’s no wrong approach. If you’re leaving your organization’s cybersecurity efforts in the hands of a consultant, it’s essential that you properly vet qualifications and understand the firm’s scope of services.
Richard Moore, HAI Group’s virtual information security officer and CEO of CyberSix, a Connecticut-based cybersecurity firm, takes us through the factors your organization should consider when assessing an IT consultant.
IT consultant qualifications
Aside from asking the questions below, “references are always a great way to validate a consultant’s good standing,” Moore said.
What are the certifications of people working on my account? In terms of cybersecurity certifications, Moore said, organizations should seek firms with CISSP (Certified Information Systems Security Professional) certified staff. Certifications should also align around the platform and network tools your organization utilizes. For example, if your organization uses Microsoft Office 365, the firm you select should ideally have someone on staff with MS 500 or AZ 500 Microsoft certifications, Moore said.
How long have employees of the firm been in the industry and doing this type of work? New certifications and those new to the industry should raise questions, Moore noted.
Has the firm ever had a security breach or been subject to a contractual breach? This would be a major red flag.
Does the firm have a written information security policy (ISP)? An ISP outlines how an organization manages, protects, and distributes information.
An IT firm with experience in the housing industry is a plus, but not necessarily a requirement, Moore said. General IT and cybersecurity certifications are sufficient.
A firm with an understanding of the specific privacy concerns within the affordable housing industry is ideal. Government experience is also helpful, Moore added, especially for housing authorities.
What should an IT consultant help with?
Leverage your IT consulting firm to provide a security audit, Moore said. The firm should patch your system whenever software updates become available. A patch is a software update that repairs a flaw or vulnerability.
The firm should actively monitor your network environment and provide quarterly reports on the status of threats and security updates.
Housing organizations should also seek an IT consultant with experience moving on-premise equipment to a cloud computing service. Moore said on-premise IT equipment such as servers could cause serious cybersecurity problems “because no one is really taking care of this equipment, updates, and security.”
An IT consultant with Microsoft Office 365 experience is beneficial for organizations looking to ramp up cybersecurity on a budget, Moore said. The platform provides conditional access, multi-factor access, and an asset repository “right out of the box,” he said. A consultant can manage it through Microsoft’s cloud computing service, Azure, meaning less on-site maintenance of physical equipment.
“Additionally, the platform by default begins to remove the biggest threat to small companies like phishing, business email compromises, and spam,” Moore said. “Just by moving to Office 365 email reduces the organization’s attack surface.”
If your organization does migrate to Microsoft Office 365, it’s essential that the proper licenses (Enterprise Mobility + Security E3/E5) are in place, Moore added. These licenses provide additional security features. An IT consultant with cybersecurity expertise can help ensure your setup is optimized for security.
Housing organizations should ask their IT consultant to assess their security posture and potentially get a second opinion.
“Ask questions about the tools the consultant is providing,” Moore said. “Ask about monitoring for security events and how they correlate that information into data that the organization can use to make better cybersecurity decisions.”
It’s also important to ask who has access to your organization’s systems and their qualifications. Check if the firm is ISO 27000 certified (or equivalent). This certification covers information security management systems.
Finally, ask the firm how often their services are audited. Request a copy of their most recent SSAE 16 SOC II audit. This voluntary audit evaluates a firm’s security, availability, processing, integrity, and privacy operations. A firm with no recent audits or a recent “unclean” audit should raise red flags.
The ideal IT consultant should have some cybersecurity expertise and help promote awareness amongst an organization’s employees, Moore said.
“However, most IT consultants do not have the right expertise or in-house help” with regards to employee training, he said. “Having a subject matter expert or platform that can support education is what all companies should be doing to educate their employees.”
Contact our Risk Control and Consulting team for more resources and answers to your housing organization’s risk-related questions.
Interested in Working With HAI Group? Our Account Services team is ready to assist you.
Includes copyrighted material from a company under the HAI Group family, with its permission. This post is for informational purposes only and is not intended to provide legal advice, and shall not be relied on as such. We strongly recommend consulting with legal counsel or an appropriate subject matter expert.
