5 Cybersecurity Questions to Ask Vendors Before Buying New Software

The pandemic has pushed businesses to make a sudden digital transformation. Prepared or not, your business has to follow suit to keep pace with competitors and not lose out on your customer base. This means new software purchases and fast implementation in a short time. 

But as you focus on catching up with the new normal and maintaining your business productivity, make sure you don’t compromise on information security. Don’t rush into technological investments without asking software vendors the right questions that can help you avoid data security breaches and other forms of cybersecurity threats.

According to our survey, 45% of small and midsize businesses fell victim to cyberattacks recently (in March, April, and May 2020). The types of cyberattacks that businesses experienced included data breach, ransomware attack, malware infection, DDoS attack, phishing attack, and business email compromise. 

Despite these facts, we see businesses are not asking enough security-related questions before choosing new software. The fraction of businesses we surveyed inquiring about access controls is less than 50%, only 19% ask about regulatory compliance, and 12% of SMBs don’t ask any question pertaining to security measures!

A lack of awareness about what cybersecurity questions to ask the vendor—and when in the purchase process to ask them—could be the reason behind this negligence. Regardless, this puts a business at cyber risk, with serious implications on finances, reputation, and overall existence. 

To help you avoid such implications and vet a new tool from the cybersecurity standpoint, we’ve compiled a list of questions you should ask a vendor before making the buying decision:

The software you choose must have a security alert system that notifies you as soon as any abnormal activity is detected on your computer systems (used by your employees). Such activities could include any unauthorized change in the network or system settings or a new unknown sign-in. 

It must also send regular alerts for security patching. In other words, the software updates must be regular so that the system is always protected against the latest cybersecurity vulnerabilities and threats.

It’s important that your IT administrators have the controls to authorize and authenticate the use of any software in the business. They should be able to allow or restrict application access (based on user roles, projects, and geographies) and control access to data on certain devices to prevent data breach as data travels between various devices. 

To that end, check if you can add multi-factor authentication and biometric authentication for additional security. Also, ask the vendor if the software identifies threats in real time and offers access control rule automation to deal with real-time risks. 

Whether you’re trying a free trial or buying an advanced version of cloud-based software, know that your data will be stored on servers that may or may not be in the same geographical location where the vendor is, or where you are. So, be sure that the data is safely stored, separate from other customers’ data using adequate controls. 

Some vendors become the owners of data when the data is transferred to their systems, so do check the data ownership policy before signing any contract. 

Additionally, check for data back-up and privacy policies and know the provisions for retrieving lost data in case it happens. Ask what happens to your data when your partnership ends. 

At any given time, your data is either resting in cloud storage or being transmitted from one system to another. In both cases, the software must mask or encrypt your business data to prevent any unauthorized data access. 

Think of encryption as scrambling an understandable piece of information (let’s say the word “you”) into a seemingly meaningless form (“wms”) that can only be understood by using the logic behind the scramble (in other words, the encryption key).

Now, depending on the nature of the key, there are two types of encryption: symmetric encryption and asymmetric encryption. 

To learn more about encryption, see this article. We have broken down this topic into simple terms. 

It’s crucial that the vendor you choose complies with the regulatory requirements applicable to your industry, geographic location, and software usage. Some of the regulations include PCI (in case you accept online payments), HIPAA (in case it’s a healthcare/medical organization), and WCAG (in case you have a website).

Get your legal advisor or compliance officer to help you with evaluating the certifications. The vendor must be able to provide you with proof of regulatory compliance.

You might wonder if this is all that you need to ensure cybersecurity for your business. Please remember that this checklist is a starting point. 

In addition to these must-ask questions, make sure your business has a few best practices in place to ensure cybersecurity. 

Here are a few points to help you with that:

• Check with the vendor if they do regular assessments for malware vulnerabilities and penetration tests of their products. Ask them about their security testing processes to make sure that the software is adequately protected.

• Inquire if the software provider has a dedicated team responding to reported security vulnerabilities. Ascertaining this would mean that software security is a priority for the vendor. 

• Find out if the vendor has any contractual agreement for sharing data with a third party for cloud-storage or automated code reviewing. Discuss the due diligence carried out before signing these contracts to know that your data is safe from breaches.

• Ask if and how the vendor informs customers about security vulnerabilities (if found or reported by other customers). Know if they provide any technical guidance to mitigate these for first-time users. 

• Know if the vendor offers any cyber liability insurance (or cyber insurance)—i.e., if they cover the financial responsibility for data loss in the event of a cyber attack or any other cybersecurity risk. This would help prevent any kind of financial strain on your business during a cybersecurity crisis.