Organisations live and die according to their data security protocols -- and with the average breach costing a staggering $3.86M, the consequences of substandard security practices can be catastrophic.
But it’s not just the financial consequences that businesses must consider. Reputational damage can be just as impactful, if not more so. So what’s the solution? In the first instance, a shift in approach, ensuring that data security underpins all digital processes. This is especially crucial when partnering with a digital self-service collections enterprise software provider.
Enterprise software of any kind can transform an organisation, helping it become more productive, more accurate, and more valuable to customers. However, when implementing new enterprise software, there’s one major question that should be on your organisation’s lips: is it secure?
So let’s explore 7 data security questions you should ask all prospective enterprise software vendors -- particularly digital self-service collections software vendors.
Why is data security so important?
No business or organisation is too large to suffer from a data breach. In fact, 68% of business leaders worryingly feel that their cybersecurity risks are increasing.
The European Parliament was the subject of a data breach in May 2020, with the European Central Bank suffering the same fate back in August 2019. A few years earlier, in 2016, an estimated 39 million Europeans were affected by the massive Yahoo data breach.
Needless to say, these types of breaches can irreparably damage your organisation. For starters, there’s the cost of the breach itself (it’s estimated that stolen personal records cost around $150 each). Then, businesses have to contend with the ensuing reputational damage. Research shows that businesses can expect to lose around half of their customers as a result of a security breach. If this stolen data is particularly sensitive in nature, this figure is only likely to increase.
So where does enterprise software come into this? Well, your organisation probably has its own tight-knit internal security protocols. They’re by no means infallible, but at least you’re in control of them. When enterprise software is introduced into the mix, however, you suddenly have to entrust your precious data to another vendor with its own security practices (and risks).
As McKinsey states, “Applications running in the cloud and data stored there are not protected by a traditional corporate-security perimeter of firewalls and the like. As a result, security becomes essentially reliant on encryption and management of the keys that provide access to encrypted data.”
Organisations need to thoroughly scrutinise an enterprise software vendor’s security practices before implementing the tool within their own organisation. This is fundamental in ensuring that they’re exposed to as little risk as possible going forward.
7 data security questions to ask enterprise software vendors
1. What does your data security protocol look like?
This is perhaps the most obvious question. Data security protocols, defined as “the software and behavioural rules that guide how employees handle and access data”, provide clear guidelines that demonstrate an organisation’s approach to data security. This might include things like SSL certificates, virtual private networks (VPNs), multi-factor authentication (MFA), and more.
According to Audacix, “Publicly published security controls may not give you hard data about the efficacy of the security policies, but they represent a level of maturity.” You want to make sure that application security is a built-in consideration as opposed to a mere afterthought. You need to confirm that data security guides every single thing that they do.
If a vendor can’t explain their security protocols in detail, then it probably demonstrates that data security just isn’t a very important concern to them.
2. Have you achieved any recognised data protection standards?
There are a variety of data protection standards governing how organisations approach data security: ISO 27001, SSAE16, and Safe Harbor, among others. Your organisation may well adhere to one of these—but it’s even more important to ascertain if your vendors are also protected according to such standards.
Why are they so important? Principally, they provide companies with a clear blueprint that outlines how to safeguard their data going forward. ISO 27701, a relatively recent international standard in data privacy, is particularly noteworthy. It was designed with GDPR’s principle of privacy by design and by default in mind, so it’s fully compliant with modern data protection standards and expectations.
3. How do you assess your employees’ security understanding?
An estimated 90% of all UK data breaches in 2019 were caused by human error. While this figure probably doesn’t hold up globally, some of the most damaging data breaches in recent times have been down to plain old human error.
Just this year, the Hamburg data protection office announced that it would be conducting a thorough investigation into H&M. It was reported that managers at the Nuremberg outlet held “detailed and systematic” personal data (that bordered on spying) on a hard drive. Worse still, this was then shared with other employees who shouldn’t have been able to access such information.
Employees are people, so they make mistakes. However, you need to make sure that if human error occurs within your software vendor’s organisation, these mistakes are:
A) As infrequent and minor as possible.
B) The result of an accident, rather than sheer ignorance.
In an ideal world, your proposed vendor will explain that they conduct regular data protection training. They’ll have a dedicated data protection officer and employees will be actively tested on their knowledge. Even better, it might be a part of the onboarding process for all new employees. Some vendors also hand out printed materials for future reference, though this isn’t all that common.
4. Do you separate customer data from the main infrastructure?
If your vendor’s main infrastructure is hacked, you want to know that your data is safe—ideally in a cloud-based environment. This might be single-tenant or multi-tenant -- with single-tenant being the more secure choice. However, more importantly, you need to ensure that even if the company is the target of a data breach, you won’t be affected.
And if they are kept separate, it’s worth also enquiring as to their internal access controls. The 2019 Risk Report from Varonis found that in 53% of surveyed companies, every single employee could access over 1,000 sensitive documents. In total, the average employee could access an enormous 17 million records.
Cloud computing can be highly secure, so long as the right access controls are in place and customer data is kept separate from the main infrastructure.
5. Do you work with other third parties to deliver your SaaS solution? If so (and if they have access to your data) then what do their security protocols look like?
Your vendor themselves might be incredibly secure. That said, it matters far less if they have multiple partners who are rather more lax in their own protocols. You’d be surprised at how common it is for SaaS vendors to rely upon third parties. In fact, research suggests that as many as 60% of SaaS vendors use third parties as their primary application delivery method.
This isn’t in and of itself necessarily a cause for concern. If you do learn that a proposed vendor works with a variety of third parties, then enquire as to their data protection policies and standards.
If they can’t provide any detail, the information seems vague, or the answer appears to be substandard, then you should definitely opt against buying that particular vendor’s solution.
6. What are your disaster recovery plans?
A vendor might have wonderful internal protocols, put a premium on educating employees, and have incredibly security-conscious partners. However, if they don’t have disaster recovery measures in place, then this might all be for nothing.
No matter how tight their security, there’s always the chance that your vendors will suffer from a breach. In this event, they need to have a rock-solid plan in place. Not only will this help protect your data, but it’ll also mean that they can get back up and running as soon as possible.
Of course, there’s no one-size-fits-all approach to disaster recovery planning. Depending on the vendor’s own IT infrastructure, they might have geo-redundant, cloud-based, virtualisation, or network disaster recovery plans.
By confirming that they have a plan in place when disaster strikes, you’ll know that even the most unexpected of breaches will be swiftly and seamlessly handled.
7. Do you perform routine disaster recovery tests?
Needless to say, a plan is only as good as its execution. It’s all well and good having a plan, but you need to be certain that when the time comes, you can put it into action. Your vendor might have a fantastic plan in place. However, if their team are frantically scrabbling about trying to remember their roles and responsibilities, then the plan will count for little.
Routine tests prove that security is a top priority. They make sure that everyone knows what’s expected from them when the time comes. In short, they ensure the plan is completed as smoothly and painlessly as possible.
To plan is human; to test, divine.
Defend your data at all costs
Data is the lifeblood of your organisation, so it should be protected at all costs. You can take 5 free information security and compliance resources to identify potential areas for improvement within your own organisation. Remember: never go ahead and purchase an enterprise software solution—more specifically, a collections management software—without first asking the 7 questions listed above.
The best vendors will relish the opportunity to answer these questions, showcasing their high data security standards in the process. But what about those that are hesitant or downright refuse to answer? If this happens, it may be prudent to seek alternative vendors, to avoid putting your data at risk. And remember: it’s not really your data in the first place. Instead, it’s sensitive financial information belonging to your clients. Don’t destroy the hard-earned trust they’ve placed in you.
To find out more about our CTO’s thoughts on compliance, privacy and data security, check out this page.