I regularly work with my Not for Profit clients to select software vendors for their needs. However, in the last few months, we have rejected several “functionally fit” solutions due to their cybersecurity risks and deficiencies.
It’s frustrating, especially because of the lack of care or responsibility some of these vendors display:
“We’re not required to conform to such requirements because the payment gateway holds the credit card information, not us,” they’ve told us.
Wrong answer!
While many of these systems may not hold credit card information, they often hold Privacy Act data. This may include your donor, client, and/or member data. Therefore, if a vendor doesn’t treat your information as carefully as their own, your data is at risk.
The US government’s Cybersecurity and Infrastructure Security Agency (CISA) is pushing for software companies to have “Secure by Default” or “Secure by Design” requirements. This is proving to be even more important given the increased cybersecurity threats and related costs for any entity.
If this policy is successfully passed, other countries will probably follow their lead. Until then…
Here are some basic questions to ask your prospective vendors before you sign the contract:
- Do you have multi-factor authentication capability?
- Do you have Single Sign On capability?
- What are your minimum password requirements? Believe it or not, a recent vendor told us, “NONE.”
- How often do you release new security patches?
- Can you provide us with proof that you are PCI compliant?
- Can we see your security standards document?
If they can’t suitably answer the above questions, DO NOT proceed, especially if the software hosts or has access to your sensitive data. Otherwise, you’re just adding cybersecurity risks to your organisation, and it’s just not worth the functional benefit.
What to do instead?
- Find a better vendor that takes cybersecurity more seriously.
- If you really like this vendor and can’t find a substitute, ask about their development roadmap and when these cybersecurity features will be rolled out. Wait until they implement them.
While such decisions could delay your project, think of the potential consequences if there is a cybersecurity breach. A vendor that doesn’t have these most basic mitigations in place will likely have other cybersecurity risks in their software solution too.
So, be safe rather than sorry when it comes to cybersecurity risks.
Tammy Ven Dange is a former charity CEO, Not for Profit Board Member and IT Executive. Today she helps NFPs with strategic IT and data decisions.