Cybersecurity for Business
Jul 15, 2022
9 Security Questions Business Owners Must Ask Vendors
No matter the nature or size of your company, you need to think about cybersecurity in our connected present. This doesn't just mean your own operation's cybersecurity, but the security of every vendor you do business with.
If you partner with a third party that takes a lax approach to cybersecurity, it puts the data of your company, and of your customers, at risk. Here are some questions you should ask every vendor to ensure that their security is robust enough to deserve your business. Always put the expectations in a Service Level Agreement and contract with the vendor so that they are clearly articulated and enforceable.
How will you protect my data?
The data of your company, employees, and customers is precious and should be treated like cash. Get specifics about how a vendor protects and stores data:
Would our company always retain ownership of its data?
Does the vendor have a written controls plan that describes the administrative, technical, and physical safeguards it uses to collect, process, protect, store, transmit, dispose of, or otherwise handle our data (usually called an Information Security Policy)?
Is encryption used for data in transit and for data at rest?
Will the vendor provide multi-tenant controls for the separation of users and data?
Will the vendor provide access control mechanisms like unique user IDs, password standards, and role-based access?
Will third-party vendors (e.g., subcontractor, managed shared hosting) hired by the vendor be restricted from having access to my company's data?
Will the vendor provide written assurance of its and its third-party vendors' security and controls while customer data is being collected, processed, and retained?
What is the vendor's process for purging files and records and removing access upon completion of the service, task, or contract?
Are your employees trained in cybersecurity?
Ask if the vendor has a pre-employment screening policy for employees and contractors. What is that process? What is the process for training staff in security?
What certifications do you have?
Seek out vendors who have industry-standard security certifications like ISO 27001, SOC 2, or PCI DSS. These certifications demonstrate a commitment to maintaining high security standards. Ask for documentation.
How often do you update your software?
Keeping software patched is one of the most effective security measures a vendor can take. Specifically, ask if the vendor maintains up-to-date versions of its antivirus software and operating systems. How does the vendor ensure all of its systems are kept up to date? How often are systems scanned for out-of-date software and missing patches? Know that different systems have different update cadences, and that updates are usually tested before being deployed. Seek out answers about timing: a vendor might apply critical updates within 48 hours, while scheduling "high severity" updates to be applied within five business days.
How do you secure your network infrastructure?
Ensure your vendor has robust network security measures in place. Ask about firewalls, intrusion detection systems, and other technologies they use to protect their networks from cyber threats. What does the vendor do to prevent security incidents or breaches? How often does it check for vulnerabilities?
Do you have a business continuity plan?
Inquire about their business continuity and disaster recovery plans. This will help you understand how well-prepared they are to respond to unforeseen events and minimize downtime. Is the plan written down? Is it tested periodically?
What is your incident response plan?
Preventing an incident is all well and good, but find out how a vendor plans to react to an incident. Does the company have an incident response plan, a written plan to promptly identify, report, and respond to security breaches? Can the vendor, and any relevant third party the vendor contracts with, send the results of its last security audit? Does the vendor hire an external audit firm to perform a compliance review of its operational controls?
How will you help me comply with relevant data protection regulations?
Inquire whether your vendors comply with data protection regulations applicable to their industry and location. This is critically important if your business handles sensitive customer information. Are files and records reviewed, retained, and purged in accordance with legal requirements, contractual obligations, and service-level agreements?
How can I get hold of you?
Ask about how to contact the vendor in case of an emergency, like a security incident. Remember, these can happen on weekends and holidays!
As a business owner, securing sensitive data and protecting your operations from cyber threats needs to be a top priority. By asking your vendors these crucial security questions, you can be confident that you're maintaining a secure environment for your business. Importantly, cybersecurity is an ongoing effort, and working with vendors who prioritize it will help safeguard your business and your customers' trust in the long run.