Empowering Civil Society Organizations: Steps to Protect Data from Third-Party Cybersecurity Risks

Running a non-profit takes a certain amount of grit and gumption. Often organizations with a small staff and tight budget outsource functions like web hosting and IT equipment maintenance to third-party service providers to save on time and labor. These vendors provide the crucial services you need, but understanding how to vet and select them in the first place can be daunting. Sometimes, it is easier to just sign up for one that looks moderately reputable so that you can get back to the core work of your organization. 

Trusting a third-party service provider without verifying their security standards is a lot like sending your child to a daycare you have not ever visited. We wouldn't take that risk with our loved ones, so why do it with our data? Unfortunately, even the cybersecurity vendor you use can introduce inadvertent cyber risk to your organization if you don’t properly vet their data protection and cybersecurity standards before handing them access to your confidential information. 

Although this security gap for third-party software in use at nonprofits has been an issue for a long time, it is a bigger problem now than it ever has been before. Through participation in the Joint Cyber Defense Collaborative’s High-Risk Communities planning effort, GovRAMP, CISA, and a host of industry and civil society partners are taking steps to address the rise in targeted cyber threats against civil society organizations for their work to advance humanitarian and democratic causes.  

Whether you represent a think-tank, NGO, or grassroots volunteer organization, your data and ability to effectively accomplish your mission remains at risk. And as a non-profit, your organization likely does not have sufficient resources to manage every third-party vendor and software product you use. 

While the onus should be on vendors to build privacy and security into the design and manufacture of their products, the current reality is that you need to vet third-party service providers and products to avoid introducing unnecessary risk into your digital ecosystem. Below, we have boiled down a few easy, practical steps you can take to help your organization mitigate third-party risk. You’ll get back to your organization’s core work in no time.

Know Who is Who and What They Do 

At the very foundation of managing third party supplies is knowing who has access to your systems and data and what they do for your organization. While it sounds elementary, it is the most critical step you can take. Simply creating an inventory in a basic Excel spreadsheet can enhance your organization’s visibility and control over system and data access by providing answers to the following questions: 

• Do you rely on any external organizations to perform specific tasks or services? (e.g. Who hosts your website? Do you use apps or services for Stakeholder Relationship Management, maintaining sensitive employee data, or managing your payroll?)   
• Do you know how to get in touch with these service providers if something stops working correctly? 
• Do you know what types of data your third-party providers may be storing or transmitting on your behalf?  

Next, you should assess the risks associated with the data that your third-party vendors can transmit or store. Consider the following breakdown in criticality:  

• Low impact – Loss of the data would have limited adverse impact on your organization. 
• Moderate impact – Loss of the data would have a serious negative impact on your organization. 
• High impact – Loss of the data would have a catastrophic impact on your organization.

Get to Know Your Providers  

For third-party vendors that handle moderate and high-impact data for your organization, it’s crucial that you request information on their security practices. 

The saying, “A chain is only as strong as its weakest link,” aptly illustrates the risk of third-party cybersecurity. Despite having a strong cybersecurity program, your organization’s data could be compromised in a third-party vendor data breach. To mitigate this risk, here are some key questions you should ask your third-party vendors about their security practices and policies:  

• Has your third-party service provider completed a security audit? 
• Has your third-party service provider undergone a penetration test in the past 12 months? 
• Does your third-party service provider…
  • require phishing-resistant Multi-Factor Authentication for all administrative accounts or functions? 
  • routinely collect threat information and monitor their logs for suspicious cyber activity? 
  • have the capability to detect, contain and eradicate malicious software and intrusions?
  • have an Incident Response (IR) Plan? 
• Are your third-party provider’s products or services authorized by an independent organization like FedRAMP or GovRAMP?  
• Do you have an agreement with your provider such that they are obligated to notify you in the event of a breach? 

While not comprehensive, these initial questions will give you a sense of whether your third-party vendors are serious about security – theirs and yours.  

Use the Resources Around You 

The challenge with evaluating current and prospective vendors using the question set above is that they may not answer truthfully, and verifying their claims can be difficult. This brings us to the next step: using the resources around you to help.  

There are a few key things you can look for that will help you in validating the trustworthiness of third parties:

• Consult CISA’s Website: CISA is a resource that provides cybersecurity guidance on a variety of topics, including how small and medium-sized businesses can mitigate third-party cybersecurity risks. As a starting point, check out CISA’s ICT Supply Chain Risk Management Fact Sheet. As your organization becomes more advanced in managing third-party risk, CISA’s Internet of Things Security Acquisition Guidance and Operationalizing the Vendor Supply Chain Risk Management Template for Small and Medium-Sized Businesses are also helpful resources.  
• Use FedRAMP and GovRAMP product authorization lists to gauge a product’s security posture.  
• Join GovRAMP: GovRAMP's security validation framework empowers organizations to have confidence in potential vendors' dedication to delivering secure solutions. Collaborate with our Government Engagement Team to develop or enhance your third-party risk program. 

Learning about and understanding the security posture of the third-party providers handling your data is crucial. By identifying who has access to your data and systems, and gaining insight into their security approach, you are significantly enhancing your organization’s defense against threat actors' intent on disrupting your mission fulfilment.

Print out this simple checklist to begin your third-party risk management journey today!