"Is your MSP SOC 2® compliant?"
This is one of the top questions you should ask any potential managed service provider (MSP), because typically, your MSP controls access to your most important technical assets - your data, systems, and cloud platforms. Can you imagine how serious a risk to your business that could pose without the right security practices?
Look, many companies are technically SOC 2 compliant in that they do have superior security practices, but they haven't yet undergone the rigorous SOC 2 examination to prove that compliance. Hey, at one point, Ripple was one of these companies. But when an MSP is able to show that they are, in fact, SOC 2 compliant - baby, you're golden. Or in our case, purple and pink.
We are sure you have heard about countless data breaches in recent years; in fact, you may have been part of one. As a person on the internet (Lolcats remain unfazed and unaffected by data leaks), you want to protect your information from ending up in the next breach. Anywhere that has access to your Personally Identifiable Information (PII) should have controls in place to prevent hackers from stealing your identity.
Does SOC 2 compliance guarantee your MSP will never be the victim of a breach? No. But it does mean that an independent auditor has performed a rigorous examination of the company's security and validated it against the industry's best practices. Basically, your data is in the best hands to prevent an attack and/or to take the quickest action to safeguard your data in the event of an attack.
Plus, when you work with a SOC 2 compliant MSP, you can be sure that they have operational maturity, capability, and expertise. To understand what those three mean and why they matter to you, consider them from Ripple's standpoint:
The Jargon:
According to the AICPA, a SOC 2® examination is an "examination engagement to report on whether (a) the description of the service organization’s system is in accordance with the description criteria, (b) the controls were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria, and (c) in a type 2 report, the controls operated effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria. The SOC 2® examination is performed in accordance with the attestation standards and the AICPA Guide SOC 2® Reporting on an Examination of Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy."
The Jargon Translator:
An unbiased 3rd party makes sure that you aren't full of sh*t. If you say someone's data is safe with you, you better be ready to prove it. Furthermore, the level of security you promise better meet the standard of the organization giving you the exam. Once you (successfully) complete the exam, you get a report that proves your security is on point. Woo!
Make no mistake - this is not a quick, easy exam that you can study for and hopefully get a good grade on. Getting approval from the AICPA requires much more than a study guide and using multi-factor authentication. We are talking months of working with independent, 3rd-party auditors who methodically inspect and test multiple aspects of a company's security practices. These auditors are making sure that you are properly credentialed and that all data is protected exactly how it needs to be protected.
If your information is handled responsibly as promised in the privacy policy
Considering the frequency of data leaks and malicious hacks, you are well aware of how important proper security is. But remember, securing your data goes beyond an MSP (or any other company you may share your data with) having a strong firewall, encrypted networks, MFA, or other critical features.
You also want to consider how your data is shared within the company that supports you. Sure, your data is safe from outside forces - but is it sitting in a Dropbox that every person within the company can access? Make your MSP prove their security measures to you. It can be an exhausting chore to determine if an MSP's security meets your standard, but if they are SOC 2 compliant, you can be certain that they actually do.
Hopefully, you can see why we recommend choosing services that have completed their SOC 2 examination. It's simply the best way to demonstrate methodical, tested, and credentialed security practices.