Consider the company's reputation and its history of client data releases and security breaches. Larger companies will have more reporting when problems occur. Smaller companies are a bit more problematic: their reputation can be unknown, and data about them is thin. You need to rely on the supporting evidence they share. How detailed is it, and how often do they speak about it? Do they adapt over time and communicate their responsiveness to breaches and situations? How long have they been in business, and how many clients have they serviced?
If you speak with existing or past clients, do they describe some difficulty caused by the security procedures in place? This can actually be a positive sign, because it means the company is paying attention to security and it’s part of a more disciplined process. Do they allow you secure access to their network? That’s a bad sign. If you can gain access, then all their clients can as well, which is not a good security practice.
Don Wicklegren is Xilium's founder. He is a technologist by profession who started his career pre-internet in remote medical technology and learning. He has worked in both small and large corporations with worldwide remote staff and became part of the team that developed the first commercial internet. As an entrepreneur, he started his first technology company in 2001. At Xilium, he focuses on innovating solutions for the US healthcare system.