3 Questions to Ask Technology Vendors to Make Sure Data Security is Top of Mind
For commercial real estate firms exploring the benefits of platforms and tools hosted in the cloud, information security is top of mind. It’s important to be completely confident that the platform you partner with a) has the proper systems and processes in place, and b) keeps those systems working properly to protect your data. While this due diligence process may be common for larger CRE firms with in-house security resources, it’s likely that smaller firms (for which security is not a core competency) won’t be as certain how to approach data protection.
We put together a list of three key questions to ask potential vendors as you evaluate the level of security they provide for your firm.
1. What are your third-party certifications, reviews and testimonials?
What’s the first thing a customer does when deciding to try out a new restaurant?
Read reviews. Zagat ratings, Yelp reviews, the number of Michelin stars.
It’s the same concept for third-party leasing and asset data storage and management. What verifications and reviews have the applications gone through? It’s easy enough for a company to put a favorable spin on its own particular way of storing and managing data.
But trustworthy independent sources will give you the real story.
“It’s important to have a third party or application test or audit the business before the customer. This takes things to the next level,” says VTS director of IT and security Robert Lowry. Third-party security audits specifically of the application—such as an SOC 2—are a great example of this.
Building a rapport between the customer and the cybersecurity team is essential, and establishing positive feedback from other customers is part of that. If a security firm has worked with (and been well-reviewed by) big names in CRE, potential clients can better trust the company is appreciably thorough.
2. How many full-time security staff does your company have?
Maintaining data security is a full-time job, but that doesn’t necessarily mean CRE firms must hire their own security personnel. However, the third-party tech vendor you partner with must be completely focused on security, with full-time employees solely dedicated to this function. The more people who work on security full-time, the safer your data is likely to be, and not having them on staff is a red flag.
“If a technology vendor is serious about information security, full-time security staff is a must,” Robert says.
3. How is your data flow structured?
Clients typically focus on specific technologies when evaluating a vendor’s security. An arguably more important part of your security due diligence is grasping how your information will flow between your internal system and the vendor’s.
How will your data be protected? Who will have access? Where—and how—will the data itself be stored?
“Considering how important data flow is, it’s amazing that it doesn’t come up more often. 70% of due diligence questions don’t focus on this,” says Robert. “There are some pretty old-school security questionnaires still floating around, such as ‘Do you have a pandemic plan?’ I applaud vendors who do, but does this really mean they have the right approach to keeping your data safe?”
At the end of the day, data is what a company cares about the most—and sharing confidential data with a third party can be new territory. Understanding what happens with that data is truly the spirit of due diligence. Everything else can be considered “good to know,” but is not critical to the decision-making process.