As a nonprofit, the digital security of your data is probably top of mind - and if it isn't, it should be! Just think about all the horror stories you see in the news about major corporations whose customer data gets hacked and leaked. The "cleanup" efforts are both costly and time-consuming, and just go to show that when it comes to protecting your data, it's better to be safe than sorry.
So when you're shopping for a donor management software vendor, it's critical that you take note of what type of data security they offer. We've got 5 questions you should ask any potential vendor before you agree to buy!
What is your approach to security?
First things first - you need to be sure that your prospective software vendor is taking security seriously. They ought to be able to describe the set of practices they follow to keep your data safe: keeping antivirus and firewall rules current, applying security patches promptly, and encrypting data both in transit and at rest.
Taking a multi-layered approach (defense in depth) is the best way to stop a single weak point from turning into a breach; that means separate controls for the network, the applications, and the data itself. For example, here at FrontStream we run the gamut when it comes to security: our application servers receive timely patching (along with antivirus and next-gen firewalls), configuration and intrusion monitoring raise alerts on changes, and we monitor activity across all environments, so we can see unexpected access or unusual account behavior. Your software vendor should be able to say the same!
Most importantly, if a breach does happen, properly implemented encryption ensures that hackers end up with ciphertext they can't read - provided the encryption keys are stored and managed separately from the data they protect, so ask the vendor how they handle key management. If you can reassure your donors that their sensitive financial data will be safe, it's an extra mark in favor of your nonprofit - plus it builds vital trust.
Are you PCI Level 1 compliant?
Level 1 is the most rigorous validation tier, and for good reason. Every PCI DSS level has to meet the same 12 requirements (288 specific sub-requirements); what Level 1 adds is independent proof that they are met. A Level 1 vendor is assessed on site every year by a Qualified Security Assessor (QSA), who verifies that all 12 requirements and their controls are in place and issues a Report on Compliance. They also perform daily log reviews, quarterly internal and external vulnerability scans (the external ones by an Approved Scanning Vendor), and more. Simply put, PCI Level 1 is the gold standard for data security, and when you're shopping for a vendor, you absolutely ought to be looking for this level of compliance.
If your vendor validates only at a lower level (2, 3 or 4), it is missing those independent checks - the annual on-site audit by a QSA from the PCI Council's approved list, the quarterly validation that the PCI program is being maintained, and more. Lower levels can validate by filling in a Self-Assessment Questionnaire (SAQ) instead, so it's more likely that you are simply taking the provider's word that the controls are in place. The last thing you want to hear when it comes to the security of your donor data is "trust me".
Are your developers trained on PCI compliance?
You don't want faulty software right out of the gate - you're going to want to know that you're paying for a program that's built the right way. PCI DSS itself (Requirement 6) expects developers to be trained in secure coding and to follow a secure development process, so when you're shopping for donor management software vendors, look for development teams that have that PCI training. They are far less likely to ship the common flaws PCI calls out (injection, broken authentication, insecure cryptographic storage, and the like), and security is built into the product rather than bolted on afterward.
To go even further, it's a big point in a vendor's favor if their software is hosted in a data center that has been audited under SSAE 18 (the attestation standard behind SOC 1 and SOC 2 reports). Not only should the vendor have developers creating secure software, but they should also be housing it in a facility whose physical and logical access controls have been independently examined.
Do you perform regular audits?
Just because software is secure when it ships doesn't mean it will stay that way - particularly when attackers and their techniques are becoming more sophisticated every day. So it's super important that your chosen vendor undergoes regular audits of whether its security controls are still in place and working, and fixes whatever the audit finds wanting.
These audits are performed by Qualified Security Assessors from the PCI Council's approved list, and a good vendor brings in independent third-party audits as well.
Do you perform regular tests?
Beyond frequent auditing, a smart vendor gets into the mind of an attacker and commissions penetration tests to see how well its software and infrastructure hold up against a real attempt to break in. This is the best way to find weaknesses that need to be fixed before someone else finds them, and it keeps the vendor current on the latest attack techniques, which may be more surprising than you think.
PCI DSS requires penetration tests at least annually and after any significant change to the environment (the quarterly requirement is for vulnerability scans, which are automated and much shallower than a penetration test). A vendor that tests more often - monthly, or with every major release - is ahead of the security game. Keep an eye out for vendors that are on the ball when it comes to performing tests above and beyond what's required.
Making sure your donors' data is absolutely secure is a huge part of your donor management software, so you ought to put data security front and center when you're shopping for new software. Vendors need to be able to demonstrate that their product fulfills all the requirements for security (and then some!) and will keep doing so for years to come - no matter what cyber-threats might arise.