30 Questions to Ask Vendors to Reduce Cyber Risk

Deciding on any significant organizational change is difficult. There are multiple stakeholders to please, a budget to meet, and risks to manage. When the change involves choosing and implementing a new system, there are even more issues: establishing that it meets your organization’s security needs and expectations can be complicated. If you’re looking for a new system, here are 30 questions you may consider asking to determine if it’s the right option:

Data Questions

1. How and where is data stored?

A vendor may help you store data internally, or they may store it on their own system or in the cloud. If the system is cloud-based, determine where the servers are: data is not always hosted in the same country as the vendor, which can be an issue if your organization has strict confidentiality rules.

2. How is data encrypted?

If your organization has extensive confidential information, you need to know that it will be properly and fully encrypted to reduce the likelihood of it being accessed by unauthorized parties.

3. How is data transmitted?

When implementing a new system, data is moved from the current system to the new. Is there a secure method in place for this transfer? Going forward, how will new information be imported into the system or exported to share with other parties?

4. How is data protected?

What measures does the system vendor have in place to protect your data? This is a question that may have a lengthy answer — let them speak to their procedures, safeguards, and strategies.

5. How do you manage remote access to data?

One of the primary motivations for switching to a cloud-based system is to allow employees to work remotely, whether from home or a client’s site. However, it’s crucial that it’s secure and provides complete access without compromising data.

6. How are authorized users and confidential data managed?

Many organizations require various levels of users within their system. For example, a front-line employee may only be able to view information while an executive can modify and delete data. Similarly, confidential data belonging to one department may only be accessible by those with logins for that department. Ensure that the system monitors data changes so you can determine who made a change and when it occurred.

In addition, you need a system with strong password management, such as regular updates and character requirements.

7. Who owns the data?

Data ownership is the "legal rights and complete control over a single piece or set of data elements". Some vendors may become the owner of your data when you transfer it into their system, while others allow you to maintain ownership. This may not have much of an impact on some organizations but could be crucially important to others. Determine what your needs are and make sure that the system complies.

8. What happens to data if the partnership ends?

Suppose your contract runs out and you decide not to continue with the vendor. Will the data be returned to you, deleted, or remain in the vendor’s possession? This is a key concern that should be detailed in your contract.

9. When data is deleted, is it permanently erased?

When you delete a file, you must be confident that it's really gone. In some systems, deleting an item is more of an “archive” function — it is removed from sight but is still accessible, like a document in the Trash on your desktop. Depending on the situation, this could be a good or a bad thing, so make sure you understand how the system functions.

10. How is data recovered in the case of loss?

If the vendor hasn't prepared a solid data recovery plan, it's not a good sign. Without the knowledge of how to recover their own data, it’s unlikely they’ll be able to retrieve yours.

11. Will any third parties have access to my data?

You're outsourcing data management to a vendor, but they may have outsourcing agreements of their own. By entering into an agreement with one vendor, you may actually open up your data to several entities. Ensure that all relevant details are provided to you and that third parties won't present any additional risk. What level of access will these organizations have, and what methods does the vendor have in place to select and manage them to ensure security?

Security Questions

12. What are you actively doing to prevent breaches?

Similar to the data protection question above, this question ensures that there are multiple cyber security policies and practices in place. As long as the vendor is using reasonable strategies, this is an easy question to answer.

13. Do you have (x) security certification?

Your organization may require vendors to have a proven level of security compliance. The vendor should be able to provide all necessary documentation.

14. Do you have (x) security measure in place?

Your staff may require certain techniques that are necessary to keep your data secure. Ensure that the vendor is able to meet or exceed all of your security expectations and needs.

15. What cyber security best practices are being followed?

This question is best answered by formal documentation on internal procedures. It proves that cyber security is taken seriously within the organization and that employees have a standard rulebook they are expected to follow.

16. How often do you scan for vulnerabilities?

When vendors are trusted with large amounts of highly confidential data, they should scan for system vulnerabilities regularly. Perhaps more important is the number of issues typically identified from these scans and how quickly they are fixed to ensure customers are not negatively impacted.

17. How often is the system updated?

With the fast-moving pace of technology, systems need regular updates to fix new vulnerabilities and issues. Some of these updates may be automatically released on a regular basis, while others require system downtime.

18. Can you provide the results of your most recent external security audit?

A second-hand opinion on the effectiveness of the vendor’s security measures is both useful and telling. It can resolve (or confirm) any doubts you may have.

19. Do you have any physical data protection measures in place?

With such an intense focus on cyber security, it’s easy to forget that vendors can have physical protection in place too, such as secured entryways into areas that have data-hosting computers.

20. Have you had any breaches or security issues in the past?

Ask the vendor to describe any occurrences, including how they were resolved, how long the exposure lasted, and the impact on the affected organizations. Unfortunately, most vendors have likely experienced a security issue, whether it was a full-on breach or a slight loss. Don’t take this as an immediate sign that they shouldn’t be trusted — how the events were handled is much more important. If losses and recovery time were minimal, the vendor likely has an appropriate plan in place. But if incidents are frequent or they cannot speak to recovery procedures, it’s a definite red flag.

21. What system monitoring procedures are in place?

It’s not uncommon to hear about breaches that aren’t reported until months after the fact, sometimes because vendors weren't even aware there was a problem. If data becomes vulnerable or exposed, vendors should be notified immediately so they can take action.

22. How are incidents reported?

When a potentially dangerous person enters the system or an unauthorized change is made, the vendor must be notified as soon as possible. Do they receive urgent notifications like a phone call or alert, or will it simply be an email that could be missed? This can make a significant difference in providing a timely response.

23. How do you inform customers about security issues?

You need to be notified as soon as there is an occurrence too — determine the vendor's typical communication method and response times. You need confidence that you’re informed of any and all security issues to properly manage risk. Define your preferred communication method and a maximum acceptable time lapse, so the vendor will understand your expectations.

Security Team Questions

24. Who is responsible for cyber security?

Being able to provide details on key executives or contacts in charge of cyber security tells you there are dedicated team members ensuring secure data. It also clarifies who will be responsible for your concerns or questions in the future.

25. How often do you provide training to your security team?

Cyber risks are constantly evolving and as they change, so do best practices. Team members should receive regular training on the systems, policies, and procedures needed to protect data from the latest threats and hacker techniques.

26. How do you assess the knowledge of your security team?

Some information on the selection and monitoring progress will help you understand the depth of employees’ knowledge and reassure you that your data will be in good hands.

27. How do you receive information on cyber security?

Teams need regular information updates about evolving risks and threats. A system could be the most secure in the world today, but by tomorrow new vulnerabilities will have come to light. Serious vendors will regularly seek out resources on trends to ensure they are always prepared.