The headlines have taught us that it’s not enough to maintain the security of your own network and on-site servers. You also have to ensure your partners and vendors are keeping their networks and systems, as well as your data, safe. Just ask Home Depot and Target.
In their well-publicized data breaches, the hackers gained access to the retail giants’ networks through the systems of third-party vendors. I know what you’re thinking: Home Depot and Target are, well, huge targets for cybercriminals. Surely, your association isn’t as tempting.
Don’t be so sure. When hackers can purchase automated bots that troll the internet looking for security vulnerabilities, they don’t care how big or small you are as long as you have something they can sell on the dark web—the financial and personal information of your members, staff, customers, and donors.
Ensure your SaaS vendors are keeping your data safe.
Many associations use software-as-a-service (SaaS) systems that are hosted by the vendor, for example, association management systems (AMS), learning management systems (LMS), and content management systems (CMS). You’re not hosting the software, so you have less to worry about, right? Well, the answer to that should be “yes,” but instead I have to give the stereotypical consultant answer, “It depends.”
It depends on how diligent your vendor is when it comes to security. Most of them are. But, before you sign a contract, have a conversation with your vendor about their security policies and practices. SaaS vendors should be prepared for this conversation, and many of them enjoy talking about the intricacies of security. Who wouldn’t!
Any outward-facing web app, like an AMS, LMS, or CMS, is at risk of having its data breached if:
- The vendor’s security infrastructure isn’t up to snuff, or
- The web app code is poorly written and/or not updated frequently to provide protection against the latest hacks.
Have a conversation about security infrastructure.
Many vendors provide this information in system specs. If they don’t, you’ll want to find out:
- Who can physically and virtually access your data?
- How does the vendor use firewalls, intrusion prevention, and third-party security monitoring to protect your data?
- How often is penetration testing done, and by whom?
- How is data encrypted in storage and in transit, and who has access to the keys?
- Who manages the application on the back end, and what policies are in place to prevent insider breaches?
- What are your backup and recovery procedures?
- If the SaaS only offers multi-tenant hosting, how do they prevent data leaks?
- Who’s in charge of security? Who’s accountable for data security? Where does the buck stop?
There are many more questions you can ask, but the list may make your head spin. The best thing to do is to find a security expert who can join you for this conversation. We love this kind of talk!
Find someone who speaks the language of code.
Physical infrastructure isn’t the only security concern. Your vendor may have the best firewalls and intrusion prevention, but the easiest way for hackers to get in is through poorly written software code.
Finding out how securely their code is written requires asking some technical questions. You need someone on your side who understands database and web app security as well as app code, either an in-house developer who’s also a security wonk or a consultant if no one in-house has these skills. You want someone alongside you who speaks the same language as the vendor’s developers.
Your vendor should be able to assure you that they’re paying a great deal of attention to the security of your data and their app code, and putting resources in place to continually evolve their level of security. No one can be 100% sure of being completely secure, but they must have security measures and accountability in place. In today’s security environment, no one can remain complacent.