Five questions to determine if your vendor has your security interests in mind
Data security, as it pertains both to your company’s critical market research data and to the personally identifiable information (PII) in your customer and prospect lists, is coming under increasing scrutiny. From general best practices to government regulations such as GDPR, your vendors must be up to speed and rigorously diligent in protecting the data with which they are entrusted.
It is important to be confident in your research vendor’s understanding of, and practices around, data security. You should feel empowered to ask them pointed questions about their security configuration. Third-party certifications, security questionnaires and site visits are all appropriate due diligence when deciding who to trust with your sensitive data.
We’ve compiled some questions about data security issues you can use to start these discussions.
Does your vendor talk security?
For decades, market research vendors have considered the collection, housing, and dissemination of research data a sacred trust. We’re constantly asked to sign NDAs regarding sensitive issues on product prototypes, service descriptions, and business practices. We’ve built entire systems to house and deliver information to those who pay for it, and to protect it from those who do not. With the wealth of PII now available through customer databases and big data sources, and security breaches becoming an increasing threat, research companies must be continually re-evaluating and refining their security processes.
If your vendors are skirting the issues of PII best practices and/or considering PII security as an afterthought, this should be a cause for concern (if not alarm). The penalties for incomplete security measures or breaches are severe, and only firms with proactive policies can keep your data safe.
In fact, the most basic test you can perform is to tell your vendor you’ll email them your sample. If they don’t balk at that and instead eagerly await its arrival, you’ve got a massive breach risk. Data should only be transferred via email if encrypted, and even then there are much more secure options.
Do your vendors point out potential security liabilities in your research design?
We now treat the security of any PII we receive with the same forethought and energy we put into overall research designs. Do we even need to collect PII from the client or should we have it scrubbed out before we receive the file? Can we use PIN identifiers to correlate data to PII data on the back end, rather than have it natively attached in the sample file?
Our clients are often cognizant of the basics (the hazards of testing branded marcom material, or including too much information in in-group collateral) but may not be up to speed on moving targets such as encrypting a sample file before delivery, encryption at rest, or simply the use of two-factor authentication for data transfers.
At a minimum, these best practices may not require an overhaul of the research design, but they might require adding room to the overall project timeline to accommodate them.
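The PIN-identifier approach described above can be illustrated concretely: the sample file is split into a research file that carries only a random PIN plus the non-PII columns, and a separate lookup that maps each PIN back to the PII, so the two can be stored and access-controlled independently. The following is an added example written for this page, not MDC Research's own tooling; the column names, the sample rows and the function names are constructed for illustration.

```python
import csv
import io
import secrets

# Constructed sample file: the kind of client list a research vendor might receive.
SAMPLE_CSV = """respondent_name,email,phone,region,segment,purchase_count
Ada Example,ada@example.com,555-0100,West,Enterprise,4
Ben Sample,ben@example.com,555-0101,East,SMB,1
"""

# Columns treated as PII (assumed for this example). Anything not listed
# stays in the research file.
PII_COLUMNS = ("respondent_name", "email", "phone")


def pseudonymize(sample_csv, pii_columns=PII_COLUMNS):
    """Split one sample file into research rows and a PII lookup.

    Returns (research_rows, lookup): research_rows carry a random PIN plus the
    non-PII columns; lookup maps each PIN back to the PII columns so the two
    can be stored and access-controlled separately.
    """
    reader = csv.DictReader(io.StringIO(sample_csv))
    research_rows = []
    lookup = {}
    for row in reader:
        # secrets rather than random: a PIN must not be guessable or sequential,
        # otherwise it leaks row ordering or can be enumerated.
        pin = secrets.token_hex(8)
        while pin in lookup:  # collisions are astronomically unlikely, but keep PINs unique
            pin = secrets.token_hex(8)
        lookup[pin] = {col: row[col] for col in pii_columns if col in row}
        research_rows.append(
            {"pin": pin, **{k: v for k, v in row.items() if k not in pii_columns}}
        )
    return research_rows, lookup


def to_csv(rows):
    """Serialise research rows back to CSV text for delivery to analysts."""
    if not rows:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def contains_pii(text, sample_csv, pii_columns=PII_COLUMNS):
    """Release check: does the text still contain any PII value from the sample file?"""
    reader = csv.DictReader(io.StringIO(sample_csv))
    for row in reader:
        for col in pii_columns:
            if col in row and row[col] and row[col] in text:
                return True
    return False


def rejoin(research_rows, lookup):
    """Back-end step: re-attach PII by PIN, only where that is actually needed."""
    return [{**row, **lookup[row["pin"]]} for row in research_rows]


if __name__ == "__main__":
    rows, lookup = pseudonymize(SAMPLE_CSV)
    print(to_csv(rows))
    print("PII leaked into research file:", contains_pii(to_csv(rows), SAMPLE_CSV))
```

In practice the lookup would live in a separately secured store with its own access controls and retention schedule, and `contains_pii` is the kind of automated check worth running on every file before it leaves the PII-handling boundary.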
Do they perform regular penetration tests and other IT audits?
Third-party penetration tests and audits are expensive, time consuming, and basically a hassle for all involved, but they are essential to providing top-flight security assessments you can trust. As your vendor, we’re happy to provide our overall scores and talk about the areas in which we have initiatives to improve. You should demand the same of all vendors.
Do they outsource or offshore any aspects of data collection or analysis?
Like all security, data integrity is only as strong as the weakest link. We’ve chosen to conduct all work in-house under our overarching data security protocols, but if your vendor outsources any portion of the work (data collection, programming, coding, analysis) you’d best demand proof that their security practices are sufficient.
Do they have strong post-project data handling procedures?
Most of the issues discussed above focus on the initiation and execution of a market research project. But threats concerning data security don’t stop when the project is finished. Be sure your vendor handles cold storage and data backups with the same care as ongoing projects. Additionally, demand they provide data destruction certification when data (typically sample and PII) are to be destroyed after the project has finished.
Our client list includes Fortune 100 companies that have us under constant inspection for data security, and we regularly pass in-depth security audits. We’re proud of the effort we put into keeping your data safe; a significant portion of our annual IT budget is earmarked for further improvements. Make sure all your vendors are doing the same, and be leery of those who either a) don’t seem to fully understand potential security impacts, or b) appear to be lacking in any area.
David Caldwell — Director of IT, MDC Research
MDC RESEARCH – 8959 SW Barbur Blvd., Suite 204 Portland, OR 97219 – (800) 344-8725
Learn more at: www.mdcresearch.com
Copyright 2017, MDC Research