Back to blog

5 Security questions you should ask your software vendor

 

3DE0D7AF-E58A-4B27-836D-47D36F094EEB_1_201_aSearching for a software vendor for any aspect of your business can be very time-consuming, whether it's a product that you know a lot about or an entirely new solution your organization is exploring. You may ask yourself, what is our #1 priority here? The most important consideration should be your client's security.

In today's world, data is arguably the most valuable currency. In fact, selling personal data is a multi-billion dollar industry. If you leave your wallet or purse at the store, you can just turn around and go back. Those items are physical. However, entering your personal data/documents into a technology vendor's servers is entirely different, and there's generally no way to get that data back.

It's time to consider the vendor you're willing to trust, and how much that trust could cost you, your organization and most importantly - your clients. We are now able to sign and notarize documents digitally, which is a tremendous achievement in this unprecedented time we are living in. It's time to consider what is happening with that data. Documents needing to be signed or notarized hold some of the most personal and sensitive pieces of information, and it's important to consider where these documents are stored and for how long.

How can I get this information from a potential vendor?

This is surprisingly simple - just ask for it! Most powerhouse companies, such as larger law firms and healthcare providers, will always conduct a full security review and ask for what's called a Due Diligence package. This allows them to get an inside look at where the data is being stored, how often the security protocols are being reviewed (quarterly/yearly/etc.), previous security breaches and the process for mitigating the impact if there is a breach in the future.

5 key security questions to ask:

1. Will you share your information security practices and policies with me?

Ideal answer: Yes. We will happily send that documentation for you to review. If you get anything but a "yes" here, avoid this vendor with a 10-foot pole.

Likelihood of getting this answer: 30%

2. Do you have protocols and tools in place to prevent access to client data?

Ideal answer: Yes. Routine access to client data is logged. Static security scans are performed on the source code. Automated and manual dynamic security scans are performed on the running system. An intrusion detection system monitors the network and performs network security scans.

Likelihood of getting this answer: 60%

3. Do you outsource any of your information security responsibilities? If so, how do you manage their compliance?

Ideal answer: All vendor relationships must be supported by a written contract that has been approved by senior management and, for more significant contracts, legal counsel. The relationship manager should review contract terms for all third-party arrangements in sufficient detail as required by the service performed and the level of risk.

Likelihood of getting this answer: 60%

4. Do third parties conduct security assessments on your products?

Ideal answer: Yes. We have multiple 3rd party companies that conduct regular assessments.

Likelihood of getting this answer: 20%

5. Is the data being passed back and forth encrypted at all times?

Ideal answer: Yes. Documents are encrypted in transit and at rest with 256-bit encryption and are only visible to the sender as well as the party receiving it in that particular session or transaction.

Likelihood of getting this answer: 90%

In my experience, most companies will start off asking the software vendor questions about pricing or functionality. Security comes up most of the time, but it is usually one of the final steps in making a decision. Your clients and their data are the lifeline of your organization, so why wait to bring up such a paramount concern? The best vendors are the ones who relish the opportunity to answer these questions and concerns, because they understand how important your client's data is. If a vendor avoids these questions, you should find an alternative.