Let’s be honest – running a non-profit takes a certain amount of grit and gumption. With a small staff and tight budget, you’re probably outsourcing functions like web hosting and IT equipment maintenance to third-party service providers to save on time and labor. These vendors provide the crucial services you need, but understanding how to vet and select them in the first place can be daunting. Sometimes, it is easier to just sign up for one that looks moderately reputable so that you can get back to the core work of your organization.
The problem with making a selection in this way is that trusting a third-party service provider to protect your data without verifying their security standards is a lot like sending your child to a daycare you have not ever visited. When it comes to the people we care most about, we would never consider putting them at unnecessary risk. Yet when it comes to our personal data and cybersecurity, we often skirt the needed due diligence. Unfortunately, even the cybersecurity vendor you use can introduce inadvertent cyber risk to your organization if you don’t properly vet their data protection and cybersecurity standards before handing them access to your confidential information.
Although this security gap for third-party software in use at nonprofits has been an issue for a long time, it is a bigger problem now than it ever has been before. Through participation in the Joint Cyber Defense Collaborative’s High-Risk Communities planning effort, StateRAMP, CISA, and a host of industry and civil society partners are taking steps to address the rise in targeted cyber threats against civil society organizations for their work to advance humanitarian and democratic causes.
Whether you represent a think-tank, NGO, or grassroots volunteer organization, your data and your ability to effectively accomplish your mission remain at risk. And as a non-profit, your organization likely does not have sufficient resources to manage every third-party vendor and software product you use.
While the onus should be on vendors to build privacy and security into the design and manufacture of their products, the current reality is that you need to vet third-party service providers and products to avoid introducing unnecessary risk into your digital ecosystem. Below, we’ve boiled down a few easy, practical steps you can take to help your organization mitigate third-party risk. You’ll get back to your organization’s core work in no time.
Know Who is Who and What They Do
While it sounds elementary, knowing who has access to your systems and data and what they do for your organization is the most critical step you can take. Even if it’s just creating an inventory in a simple Excel spreadsheet, equipping your organization with answers to the following questions will significantly improve your visibility and control over who has access to your systems and data:
- Do you rely on any external organizations to perform specific tasks or services? (e.g. Who hosts your website? Do you use apps or services for Stakeholder Relationship Management, maintaining sensitive employee data, or managing your payroll?)
- Do you know how to get in touch with these service providers if something stops working correctly?
- Do you know what types of data your third-party providers may be storing or transmitting on your behalf?
Next, you should assess the risks associated with the data that your third-party vendors can transmit or store. Consider the following breakdown in criticality:
- Low impact – Loss of the data would have limited adverse impact on your organization.
- Moderate impact – Loss of the data would have a serious negative impact on your organization.
- High impact – Loss of the data would have a catastrophic impact on your organization.
Get to Know Your Providers
For third-party vendors that handle moderate and high-impact data for your organization, it’s crucial that you request information on their security practices.
The saying, “A chain is only as strong as its weakest link,” is an apt descriptor for third-party cybersecurity risk. Even if your organization has a robust cybersecurity program, your data could still be compromised if your third-party vendor experiences a data breach. To mitigate that risk, here are some key questions you should ask your third-party vendors about their security practices and policies:
- Has your third-party service provider completed a security audit?
- Has your third-party service provider undergone a penetration test in the past 12 months?
- Does your third-party service provider…
  - require phishing-resistant Multi-Factor Authentication for all administrative accounts or functions?
  - routinely collect threat information and monitor their logs for suspicious cyber activity?
  - have the capability to detect, contain and eradicate malicious software and intrusions?
  - have an Incident Response (IR) plan?
- Are your third-party provider’s products or services authorized by an independent organization like FedRAMP or StateRAMP?
- Do you have an agreement with your provider such that they are obligated to notify you in the event of a breach?
While not comprehensive, these initial questions will give you a sense of whether your third-party vendors are serious about security – theirs and yours.
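As an added example (not code from the post or from StateRAMP), the script below turns the inventory questions and impact tiers from the previous section, plus a subset of the questionnaire above, into a prioritized vetting list: each vendor is tiered by the most sensitive data it handles, and only moderate- and high-impact vendors are checked for missing controls. The CSV column names and the three vendor rows are constructed assumptions for illustration, not a standard format.

```python
import csv
import io

# Impact tiers from the post, ranked so max() picks the worst case.
TIER_RANK = {"low": 0, "moderate": 1, "high": 2}

# Questionnaire items tracked here, keyed by an assumed inventory column name.
REQUIRED_CONTROLS = {
    "security_audit": "completed a security audit",
    "pentest_12mo": "penetration test in the past 12 months",
    "phishing_resistant_mfa": "phishing-resistant MFA on administrative accounts",
    "log_monitoring": "monitors logs for suspicious cyber activity",
    "ir_plan": "has an Incident Response plan",
    "breach_notification": "contractually obligated to notify you of a breach",
}

# Constructed sample inventory (one row per vendor; data tiers separated by ";").
SAMPLE_INVENTORY = """vendor,service,data_tiers,security_audit,pentest_12mo,phishing_resistant_mfa,log_monitoring,ir_plan,breach_notification
ExampleHost,website hosting,low,yes,no,no,yes,yes,no
ExamplePayroll,payroll,high;moderate,yes,yes,yes,yes,yes,yes
ExampleCRM,stakeholder relationship management,moderate,no,unknown,no,yes,no,no
"""


def vendor_tier(data_tiers):
    """Highest impact tier among the data a vendor stores or transmits for you."""
    tiers = [t.strip().lower() for t in data_tiers.split(";") if t.strip()]
    return max(tiers, key=TIER_RANK.__getitem__, default="low")


def missing_controls(row):
    """Questionnaire items not answered 'yes'; an 'unknown' answer counts as a gap."""
    return [desc for col, desc in REQUIRED_CONTROLS.items()
            if row.get(col, "").strip().lower() != "yes"]


def vetting_report(csv_text):
    """Return {vendor: (tier, [gaps])} for vendors handling moderate/high data.
    Low-impact vendors stay in the inventory but are not queued for the questionnaire."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        tier = vendor_tier(row["data_tiers"])
        if TIER_RANK[tier] >= TIER_RANK["moderate"]:
            report[row["vendor"]] = (tier, missing_controls(row))
    return report


if __name__ == "__main__":
    for vendor, (tier, gaps) in vetting_report(SAMPLE_INVENTORY).items():
        print(f"{vendor} ({tier} impact): {len(gaps)} gap(s) to follow up on")
        for gap in gaps:
            print("  - " + gap)
```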
Use the Resources Around You
The challenge with evaluating current and prospective vendors using the question set above is that they may not answer truthfully, and there isn’t always an easy way to validate whether your vendor’s claims are accurate. This brings us to the next step: using the resources around you to help.
There are a few key things you can look for that will help you in validating the trustworthiness of third parties:
- Consult CISA’s Website! CISA is a resource that provides cybersecurity guidance on a variety of topics, including how small and medium-sized businesses can mitigate third-party cybersecurity risks. As a starting point, check out CISA’s ICT Supply Chain Risk Management Fact Sheet. As your organization becomes more advanced in managing third-party risk, CISA’s Internet of Things Security Acquisition Guidance and Operationalizing the Vendor Supply Chain Risk Management Template for Small and Medium-Sized Businesses are also helpful resources.
- Use FedRAMP and StateRAMP product authorization lists to gauge a product’s security posture.
Learning about the security posture of the third-party providers you entrust with your data matters. By identifying who has access to your data and systems, and understanding more about their overall approach to security, you are taking a vital step towards protecting your organization from those threat actors who would keep you from fulfilling your organization’s mission.
Print out this simple checklist to begin your third-party risk management journey today!
The post Low-Budget Steps Civil Society Organizations Should Take to Protect Data When Using Third-Party Service Providers appeared first on StateRAMP.