Cybersecurity Questions to Ask Your Vendor: Part 2

Strapped for time and resources, nonprofits often need vendors to get things done. But just because you outsource projects, it doesn’t mean your data is safe from cybersecurity threats. In part one of this series, “Employ These Corporate Cyber Security Safeguards Now," we examined critical initiatives you can employ to help protect your constituent data internally. In this part-two article, we propose cybersecurity questions to ask your vendor to protect your nonprofit data when it moves beyond your walls.

As mentioned in part one of this series, experts recommend that nonprofits hire a third-party security organization to conduct a yearly gap analysis to assess their IT capabilities and vulnerabilities. It’s also suggested that nonprofits extend this review to vendors as well. “Whether you use a vendor to conduct the audit or do it yourself, the first step is to look at your data,” said Lori Read, CEO of fundraising technology firm Aegis Premier Solutions. “How is it being shared—and with whom—along your constituent’s journey?”

Getting to Know You

So, what can you ask your vendors to help keep your nonprofit data safe? As a start, Aegis Solutions suggests you begin with these questions:

• Who are the key day-to-day and executive contacts in case of a cybersecurity issue?
• Do you have a natural and cyber disaster recovery plan?
• Do you have a business continuity plan?
• Do you have a breach notification plan?
• Are you knowledgeable of state notification requirements, if an issue occurs?
• What external audits are conducted (i.e. system and organization control, payment card industry [PCI], etc.)
• How often are these aforementioned plans and audits updated?
• Have you had any breaches? If so, when?
• Have you experienced internal theft?
• Are your employees bonded?
• How do you ensure data is exchanged in a secure manner?
• Do you use a third party to perform security assessments of your information systems?
• Do you perform security assessments of your suppliers, contractors and business partners?
• Do you have an information-security officer?

A Word on Credit Cards

Carding is the trafficking of stolen debit and credit card information, which is marketed on the dark web. Carders use stolen card information to make illegal purchases. As digital fundraising is on the rise, credit card fraud has become a great risk. In 2014, a breach of Goodwill Industries’ data resulted in more than 800 compromised credit cards.

Here are some questions to consider asking your merchant vendor or to ask yourself, if you process credit card donations internally.

• How is credit card data stored?
• Is credit card storage in compliance with PCI standards?
• What are the points of data access?
• Do you utilize tokenization for credit card data?

Storing credit and debit card information in an unsecure manner can result in costly fines. If a breach occurs, it may require you to provide credit-monitoring services for individuals impacted. Credit-monitoring costs and the cost associated with handling the issue can be catastrophic if not properly covered by cyber insurance.

Search for Answers and Be Prepared

Smithsonian Online Fundraising Associate Director Lara Koch suggests having systemized roadmaps and questionnaires in place to support your nonprofit’s cybersecurity efforts. “We know where, when and how data is stored and are aware of all access points,” said Koch. “We also have a list of questions for all new vendors. The good ones are ready for these questions and have answers ‘at the ready’ to provide us.”

To protect data, nonprofits should be as vigilant about external vendor processes as they are with internal ones. The questions provided above are just a start. Be safe out there!