9 Questions to Ask New Vendors About Their Cybersecurity
Target lost $18.5 million in its 2013 data breach. Nissan North America had almost 18,000 customers’ data stolen. Nine million AT&T customers had their information leaked online.
In every one of these cases, a third-party vendor was the cause of the lost data and money.
How can you stop your business from joining the list of organizations with breached data due to third-party negligence?
When evaluating new vendors, going beyond the surface level and delving into their cybersecurity practices is essential. Asking the right questions can provide valuable insights into their approach to protecting data and mitigating potential risks.
Here at Intelligent Technical Solutions (ITS), as a managed IT service provider (MSP) with over 20 years of experience, we know how crucial it is for companies like yours to have the right tools to evaluate vendor partnerships.
So we’ve prepared this article to delve into the questions you should ask new vendors before partnering with them. By doing your due diligence and asking these questions, you’ll have the information to make informed decisions and establish a secure vendor ecosystem.
1. How is your data protected?
The first question to ask is about their data protection policies. Asking a vendor how their data is protected allows you to evaluate the risk associated with their services.
Vendors should be able to explain whether their data is encrypted, whether they use Transport Layer Security (TLS) for data in transit, and what their data security protocol looks like. Some signs that a company knows what it is doing are:
- If they mention a cybersecurity framework
- If they have endpoint security and firewall implementation
- If they have dedicated cybersecurity personnel
Any company that cannot clearly explain its data security guidelines should be put at the bottom of the list of your considered partners.
2. Do you follow government cybersecurity guidelines?
After asking about their data protection policies, ask your future vendor if they follow any government cybersecurity guidelines. Some guidelines your vendors should follow are:
- HIPAA (if they work in healthcare)
- ISO 27701 (if they manage any sensitive customer information)
- PCI-Level 1 (if they store credit card data)
- SSAE 16 (if they work in the financial sector)
Each vendor may be subject to different regulations depending on its field; even vendors with no mandated government security policies will, if they are good vendors, still follow these rules.
3. How and where is data stored?
Next, ask your potential vendors how and where their data is stored. The answer lets you assess a vendor’s overall reliability.
For example, companies that only store their data on-site are at risk of server outages. Companies with solely off-site data are at higher risk for security breaches - especially if they don’t have the proper security infrastructure.
Vendors who store data on and off-site are a much better bet.
4. Who will own this data if we stop using you as a vendor?
After asking about their data management, it’s time to ask about data ownership. Understanding who owns what data is crucial in making informed decisions about future data usage, transfer, or deletion.
Depending on your field and the type of data you store, you might also have intellectual property considerations when partnering with a vendor. If you clarify data ownership, you can sidestep future issues about proprietary and confidential information.
5. What is your backup procedure?
This question is a sneak peek at their preparedness in case of outages. It also helps you evaluate if your data will always be available.
The vendor should keep their physical and cloud storage separate, as this ensures critical data remains intact even if their hardware somehow gets corrupted. Having a physical backup, on the other hand, can help them restore their systems as soon as possible after incidents like ransomware.
6. What are your incident, business, and disaster recovery plans?
Disaster recovery, business continuity, and incident response plans are all different programs your vendor should have.
A cybersecurity-prepared vendor will be able to explain each plan to you in detail, and their answers are vital for assessing their preparedness.
They should also mention implementing routine disaster recovery tests. If they have the foresight to run these plans before security incidents happen, then your data is probably in the hands of a good company.
7. Do you support multi-factor authentication (MFA)?
Multi-factor authentication (MFA) is an essential security measure all companies should have with their accounts. But you’d be surprised at the number of vendors that don’t have MFA enabled.
By asking this question, you can easily see if a company stays on top of even the small details of cybersecurity.
8. Is your platform externally audited?
No matter how thorough you are, it’s still possible to make mistakes. If you ask about external audits, and your vendor says they have external auditors, then you know they care enough to be thorough with their cybersecurity.
9. What are your partners’ security protocols?
Lastly, you need to ask about your vendor’s partners. Do their vendors have robust security protocols? Do their vendors have access to your data?
Vendors often rely on their network of third-party service providers, increasing the potential attack surface.
Understanding how they manage and assess the security risks associated with these third parties demonstrates their commitment to maintaining a secure ecosystem.
Ready to Improve Your Cybersecurity?
You are only as secure as your weakest link, and evaluating your vendors ensures your weakest links aren’t beyond your control.
Instead, you can focus on improving your internal cybersecurity.
But as a company involved in the security of hundreds of other businesses, ITS knows that’s easier said than done.
We’ve prepared other resources to help you on your journey to better cybersecurity:
- Kronos Ransomware Attack: Lessons on Third-Party Risk Management
- Outsourced or In-House Cybersecurity: What are the Pros and Cons?
- What Businesses Need to Know About Managed Cybersecurity Services
However, if you’re ready to utilize top-notch cybersecurity services to improve your company’s IT infrastructure, learn what cybersecurity services can do for you today.