Just for a moment, think back to your high school days, and the one sentence you dreaded hearing the teacher say at the start of class. For most of us, it had nothing to do with an assignment, another tedious lecture, or test results that were about to be handed out. Instead, it was something like this:
“Please pull out a sheet of paper and pen, it’s time for a pop quiz.”
While hearing that command may have caused the class’s collective stomach to drop, it certainly kept everyone on their toes. But this idea of a pop quiz can also be used in today’s world of selecting a vendor for your company. Rather than require potential candidates to complete a long-form questionnaire or RFP in advance, why not schedule a call and give them a Security Pop Quiz, forcing them to be on their toes?
This approach can save you the time and effort it typically takes to evaluate a new vendor, which can begin with a period of information-gathering and can include RFPs and security audits. Get to the point more efficiently by gathering your team together, and be ready to ask the questions that are important to your organization.
This way, in an hour or less, your organization can determine whether the vendor will meet your organization’s minimum security standards. The following are some of the questions you can ask during your call to get a sense of the vendor’s security standards:
Does the vendor encrypt data both in transit and at rest?
In late 2018, a major health insurer suffered a data breach when a laptop containing over 40,000 SSNs, DOBs, and other sensitive health information was stolen from an employee’s vehicle. The hard drive itself was not encrypted, even though the laptop was password-protected and had other security features.
The lesson? Not all devices are encrypted at every level, so be sure to ask the vendor if all corporate laptops, tablets, and mobile devices will be encrypted. While mistakes happen, it is imperative to make sure the vendors you work with aren’t susceptible to security incidents, which could turn into breaches, simply because they failed to encrypt data at all times.
Does the entire company use Multi-Factor Authentication (MFA)? If so, do they remove SMS as an alternative?
This is a must, because with the prevalence of socially engineered phishing, it’s critical for all vendor employees to have MFA in order to access company networks.
Does the vendor offer Single Sign-On (SSO) for their SaaS solution?
They should, because in most cases, it’s better for employees to have SSO, which reduces the chances for using similar personal and professional passwords and allows your IT team to terminate access to SaaS solutions quickly.
How complex are employee passwords and do they have systems in place to prevent breached passwords from being used?
At a bare minimum, a password should be at least eight characters long and use three of the four character types: uppercase, lowercase, numbers, and special characters. There should also be a control that prevents employees from using passwords containing their name, company name, DOB, etc.
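As an added illustration (not part of the original article), the following checker encodes the minimums stated above: eight characters, three of four character types, no name, company or date-of-birth fragments, and a lookup against a breached-password list. The breached list here is a constructed stand-in, and the names and dates in the tests are made up.

```python
import hashlib
import re
from datetime import date

# Constructed stand-in for a breached-password corpus, held as SHA-1 digests rather
# than plaintext (the convention breach-lookup services use). Not a real list.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password1!", "Welcome123!", "Summer2019!")
}

# The four character classes the policy counts: upper, lower, digit, special.
CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def personal_tokens(first, last, company, dob):
    """Fragments that must not appear in a password: names, company, and the
    DOB in the layouts people commonly type (YYYY, MMDDYYYY, DDMMYYYY, ...)."""
    tokens = {first, last, company}
    for fmt in ("%Y", "%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y"):
        tokens.add(dob.strftime(fmt))
    # Skip very short tokens (e.g. a two-letter company abbreviation), which
    # would otherwise reject almost any password; sorted for stable output.
    return sorted(t.lower() for t in tokens if len(t) >= 3)


def check_password(pw, first, last, company, dob):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if sum(1 for c in CLASSES if re.search(c, pw)) < 3:
        problems.append("fewer than 3 of 4 character types")
    lowered = pw.lower()
    for token in personal_tokens(first, last, company, dob):
        if token in lowered:
            problems.append(f"contains personal/company token {token!r}")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breached-password list")
    return problems


if __name__ == "__main__":
    # Made-up employee record for demonstration.
    for candidate in ("Tr0ub4dor&3", "helena1990!", "Password1!", "abc"):
        print(candidate, "->", check_password(candidate, "Helena", "Smith",
                                             "Clarity", date(1990, 5, 14)))
```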
Does the vendor have a full-time data security officer?
Many newer companies may have employees working in dual roles. However, having a data security officer who also serves in a sales, leadership, or other non-IT/compliance role can blur the lines of which responsibilities belong to whom, which can wind up being problematic for you.
Have you had any security incidents within the last five years?
If some of the biggest companies on the planet can fall victim to an incident, then virtually every company is also vulnerable (if they haven’t already had a security incident of some sort). If the vendor says they have not had a security incident, push further. Can it be that no one in their organization has ever lost a phone or laptop?
How do you track and/or report security incidents?
Your proposed vendor should be systematically tracking security incidents in some type of log and classifying the level of threat. If they are not tracking even relatively minor incidents, such as lost employee phones, could it be that they have not given sufficient thought to an incident response plan for a more significant issue, such as a breach?
Are development, production, and test environments separated from each other or are they co-mingled?
If these different environments are co-mingled, performance and service-level agreements may be impacted and the user experience may be affected. Setting up a wall between these environments also minimizes the risk of customer data being co-mingled with development and test data.
If you have multiple servers in various locations, how are the different systems patched and how long does it take to push a patch across the enterprise?
The vendor should have written policies and procedures for pushing both critical and non-critical patches across the organization. You should be able to review these policies in order to help make your decision.
Only you and your organization can determine whether unfavorable answers are acceptable, no matter the size of the vendor or contract. A “No” answer to one or two questions might be acceptable; however, multiple insufficient responses could lead you to conclude that a vendor’s security standards do not meet your own. This is especially true if the vendor holds critical customer data, such as PMI, PII, or sensitive payment information.
If there are any other standard questions you ask of prospective vendors, please feel free to share them with me at Helena.firstname.lastname@example.org. In closing, thanks to John Bates, formerly General Counsel and Chief Information Security Officer at Clarity Insights for inspiring this article.