Beware: Some IT Vendors are not meeting the most basic cybersecurity requirements


I’m worried that too many IT vendors are still not meeting the most basic cybersecurity requirements.

This week, the US Federal Trade Commission ordered Blackbaud, the owner of popular fundraising CRM platform Raiser’s Edge, to change its cybersecurity practices significantly. This was after a massive cybersecurity breach in 2020 that compromised the donor data of 13,000 charities.

The orders include a change to their data retention policies, the implementation of Multi-Factor Authentication and the addition of data encryption.

You would think that such a large global company would have already had such practices in place. But I really can’t believe they still haven’t fixed these most basic cybersecurity requirements since the original breach in 2020.

Unfortunately, they aren’t the only IT vendor failing to take cybersecurity seriously.

IT Vendors are failing to meet the most basic cybersecurity requirements

In the last 12 months alone, I have interacted with multiple IT vendors that failed to meet the most basic cybersecurity requirements, such as:

  • A strong password requirement
  • Multi-factor Authentication capability
  • An external penetration test of their system

Even more worrying was that many didn’t think it was important when I asked because other clients didn’t seem to care.

In fact, just this week, I asked a vendor about cybersecurity, and they gave me a copy of a response they had just sent back to another client as part of a formal tender process. Nowhere in the lengthy questionnaire did it even ask for the most basic requirements I listed above.

Scary because this is YOUR data, not theirs!

How to know if your IT vendor is meeting the most basic cybersecurity requirements?

Here are the questions I regularly ask IT Vendors. You should add them to your own checklist when selecting and evaluating vendors:

  • Do you have Single Sign-on for Azure (for Microsoft users)?
  • What are the minimum password requirements? (longer and more complex is better)
  • Do you have Multi-factor Authentication capability for all users?
  • Are you ISO27001 certified?
  • Are you SOC2/3 certified (for American companies especially)?
  • Where is data stored? (country?)
  • What are the Administration Levels? (more is better)
  • Is the data encrypted at rest?
  • Is the data encrypted in transit?
  • Has the product undergone external penetration testing? When? What were the results?
  • Is the product PCI compliant (if it takes credit card information)?

While this is not a complete list of potential questions, it’s a really solid place to start if it’s a cloud-based product. If the system sits on a physical server rather than the cloud, I would have a lot more questions to add to this list.

Final thoughts

While too many IT vendors are not taking cybersecurity seriously, it doesn’t mean that your Not for Profit shouldn’t. After all, the data belongs to your organisation and stakeholders, not the IT vendor.

So, be sure to have cybersecurity requirements as part of your new IT system evaluation process. And say no to those who can’t meet the most basic cybersecurity requirements.

If you find out that an existing system in your organisation is not meeting these requirements, ask your vendor when they will be implemented. I would even recommend setting up a monthly calendar reminder to bug them frequently for an update.

And if they aren’t willing to prioritise cybersecurity, you should consider a vendor change. Your data is too important to let their lack of care impact your risks.

I regularly help Not for Profits with their IT investment decisions. Let me know if you need some help.

P.S. If you found this article helpful, you might want to read this one too:


Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.
