4 Questions To Ask When Looking For CRE Data Security Vendors
For commercial real estate firms exploring the benefits of platforms and tools hosted in the cloud, information security is top of mind. It’s important to be completely confident that a) the platform you partner with has the proper systems and processes in place, and b) these systems are working properly to keep your data protected. While this due diligence process may be common for larger CRE firms with in-house security resources, it’s likely that smaller firms (for which security is not a core competency) won’t be as certain how to approach data protection.
We put together a list of four key questions to ask potential vendors as you evaluate the level of security they provide for your firm.
1) What are your third-party certifications, reviews and testimonials?
What’s the first thing a customer does when deciding to try out a new restaurant?
Zagat ratings, Yelp reviews, the number of Michelin stars. It’s the same concept for third-party leasing and asset data storage and management. What verifications and reviews have the applications gone through? It’s easy enough for a company to put a favorable spin on its own way of storing and managing data.
But trustworthy independent sources will give you the real story.
"It's important to have a third party or application test or audit the business before the customer. This takes things to the next level," says VTS director of IT and security Robert Lowry. Third-party security audits specifically of the application—such as an SOC 2—are a great example of this.
Building a rapport between the customer and the cybersecurity team is essential, and establishing positive feedback from other customers is part of that. If a security firm has worked with (and been well-reviewed by) big names in CRE, potential clients can better trust that the company is appreciably thorough.
2) How many full-time security staff does your company have?
Maintaining data security is a full-time job, but that doesn't necessarily mean CRE firms must hire their own security personnel. However, the third-party tech vendor you partner with must be completely focused on security, with full-time employees solely dedicated to this function. The more people who work on security full-time, the safer your data is likely to be, and not having them on staff is a red flag.
“If a technology vendor is serious about information security, full-time security staff is a must,” Robert says.
3) How is your data flow structured?
Clients typically focus on specific technologies when evaluating a vendor’s security. An arguably more important part of your security due diligence is grasping how your information will flow between your internal system and the vendor’s.
How will your data be protected? Who will have access? Where—and how—will the data itself be stored?
“Considering how important data flow is, it’s amazing that it doesn’t come up more often. 70% of due diligence questions don't focus on this,” says Robert. “There are some pretty old-school security questionnaires still floating around, such as 'Do you have a pandemic plan?' I applaud vendors who do, but does this really mean they have the right approach to keeping your data safe?”
At the end of the day, data is what a company cares about the most—and sharing confidential data with a third party can be new territory. Understanding what happens with that data is truly the spirit of due diligence. Everything else can be considered “good to know,” but is not critical to the decision-making process.
4) Can you send me some info about your security measures?
A question this simple can be useful when it comes to reviewing a tech vendor. The more concrete, documented details they provide about their systems, processes and protections, the more likely it is that they know what they’re doing.
Also a good sign? When the organization brings up security before you do.
If a vendor you’re considering has integration partners (and most do), you should request to see the questions the vendor asks when conducting its own security due diligence.
“The more diligence a vendor puts their partners through, and the more detailed their initial screening process, the more likely they themselves are to understand best practices and be doing things right,” Robert says.
To learn more about Bisnow partner VTS, click here.