Who's watching your data? 6 questions to ask a potential vendor

Mark Aquilio
Director, information security & compliance

Data carries tremendous value, particularly in the holder’s reputation. So when it comes to choosing the organization that will be securing it, I use these 3 words of advice: Know. Your. Vendor.

In 2016, I wrote this advice story about securing data and questions companies can ask when selecting a benefits vendor. This fast-changing aspect of doing business is one you cannot afford to ignore. Benefits vendors such as EyeMed must collect data so we can serve our customers and clients, but when it comes to protecting that data, the most important people to know are those securing it.

This relationship could be among your most critical in 2018, so get to know how different vendors operate while still in the selection process. Learn what programs they use to see if they meet your company’s unique needs and structure. Know their key focal points to ensure they can identify gaps and potential shortcomings.

And ask questions. Here are 6 big ones.

Q: How do you store and encrypt the data?

Every day it seems new regulations emerge that require data encryption. It’s critical, for example, to confirm your data is encrypted while at rest (stored in databases, laptops, mobile devices) as well as when in transit. That being said, we could easily get preoccupied with how a vendor does this — it usually comes down to its processes and/or infrastructure — when what’s more important is ensuring good controls are in place. Where the vendor stores the data, how it stores it and who has access are as important, if not more so, than how it is encrypted.

Q: OK, then where do you store the data, and can the client assess its security?

Organizations should focus geographically on where the data will be held (inside or outside the U.S., for example) as well as how it is being stored. Is it in a physical data center or is it part of a cloud network? As for allowing client assessments, companies may want to discuss the possibilities of conducting an onsite audit. Even if you don't carry through with any, you want the assurance you can.

Q: Do you have 2-factor authentication?

Two-factor authentication is a must for ensuring only the necessary people can access datasets. It requires a user to present 2 different pieces of identification. Think of when you have to provide a password as well as a confirmation text code or a fingerprint to get into a private account. This is 2-factor authentication, and it helps keep your data safe.

Q: How do you test your employees' understanding of security policies?

The vendor should be able to prove its employees are educated in, and understand, data security. This includes sharing specifics about the kinds of security awareness training it makes available to employees and how regularly it tests their knowledge and compliance.

Q: Do you have a dedicated internal team to handle security opportunities and identify disruptions?

We’re hearing a lot more about this — is one person watching millions of your records or is a group of specialized people doing so? In some cases, it may be an IT group well-educated in security control and parameters. Learn about the organization’s design. It may not have a dedicated security person, but instead a team regularly trained and updated on security control and features. So the question should be nuanced: How is your IT security team structured to manage and protect my data?

Q: What protection standards have you achieved?

Look for third-party assessments. At EyeMed, we contract with several vendors to help assess our strengths and controls. We use an auditing firm that comes annually with a set of security-focused standards to assess how well we are doing. These assessments will help you identify vulnerabilities. For example, you can pay someone to ethically hack your systems or run scams to locate and remedy weaknesses.

Big data is managed by a series of small decisions, but each one carries significant weight when it comes to security. Knowing your vendor is the best first decision you can make.

If you’re an employee benefits decision maker or benefit broker and want to learn more about EyeMed Vision Care, the fastest growing vision benefits company in the U.S., visit starthere.eyemed.com.