Another notice about a 3rd party cybersecurity breach landed in my inbox. This time it was from Qantas.
The private information of 6 million frequent fliers, including mine, was taken by hackers.
Sigh…
We have to wonder what smaller organisations, such as charities and associations, can do when the largest companies struggle to keep their data safe.
Still, we must.
While Qantas and Optus might lose a few customers from their cybersecurity breaches, there aren’t really a lot of alternative suppliers.
For Not for Profits (NFPs), stakeholders like members and donors usually have more choices for how they spend their disposable income. And government agencies are not dependent on a single charitable provider to deliver their services.
If your organisation breaks their trust by failing to keep their data safe, could you survive the consequences?
Why SaaS providers are your biggest cybersecurity risk
There was a day when most organisations looked after their own software and data.
It wasn’t easy managing and maintaining servers in your buildings, and not everyone did it that well. But at least, you knew who was responsible for the cybersecurity of that box of information hidden in the closet.
Nowadays, most Not for Profits rely 100% on 3rd party cloud-based software (SaaS): Office apps, CRM, Finance, Payroll and others are managed by someone else in a faraway place that you have never seen.
Simply open your computer, connect to the internet, open your browser, and find the login page for that app. You immediately have access to anything you need.
Yet just because someone else is responsible for managing the software and servers now doesn’t mean they are doing it well.
And that information that’s stored there… It’s yours!
If it were compromised because someone in that other place didn’t do the right thing, your stakeholders really don’t care.
It’s your fault in their minds – the same way many of us feel about Qantas right now.
Other ways that 3rd parties create cybersecurity risks
3rd party providers don’t just live in the software world. They are also the service providers you share information with on a one-off or regular basis.
- They are the ones who email you a referral about a client’s case.
- They are the direct mail provider who sends out your fundraising campaigns every quarter.
- They are the event managers who manage your members’ registration for the annual conference.
- They are your outsourced payroll provider who manages the fortnightly pay run.
- They are your Managed Service Provider (MSP), trusted to keep your Microsoft accounts safe.
How do you know if these 3rd parties are keeping your organisation’s and stakeholders’ information safe?
Reality… you usually don’t know until there’s a problem… just like Qantas.
Some reports say a 3rd party call centre staff member in Manila was apparently too helpful and fell for a hacker’s request for access to the system.
What cybersecurity training did that call centre do with their staff to avoid incidents like this?
We’ll probably never know, but have you considered asking this question of your own providers?
Ways to reduce your 3rd party cybersecurity risks
So, how do you minimise your 3rd party cybersecurity risks?
Ideally, you should be vetting every one of them for cybersecurity risks before signing a contract. And then, do an annual review to update the assessment.
Some of the questions you should consider for software providers include:
- Where is the data located?
- Where is the backup stored? How often do you do a backup? When was the last time you tested the backup?
- Do you conduct background or police checks on your staff and contractors?
- Where are your developers located?
- When was the last time you did a penetration test? What were the results?
- If you have incorporated AI functions, what model are you using? How do you ensure data security and privacy with the model?
- What cybersecurity training do you provide your staff and contractors?
For service providers, some of the questions to consider are:
- What software do you use to store the data? What are their security measures to keep the data safe?
- Who has access to our data?
- Have you conducted Police Checks on these individuals?
- How do you securely transfer data? Is it encrypted at rest and in transit?
- How long will you keep our data? How do you dispose of it, and when will you notify us that this is done?
- And again… what cybersecurity training do you provide your staff and contractors?
While this is not a complete list, hopefully it will get you started in mitigating your cybersecurity risks with 3rd party providers.
And… if you haven’t done this already when you signed the contracts, you can still ask the vetting questions now. Just recognise that you may have to do some risk mitigation after the fact if you don’t like their answers.
Final Thoughts
Just because you have engaged a 3rd party to perform services for you doesn’t relieve you of the responsibility for keeping your and your stakeholders’ data safe.
And in this day of SaaS solutions and outsourced providers, these other providers are likely your biggest cybersecurity risk. So, make sure you vet them from the beginning and continue with annual assurance checks.
I have a Cyber Assurance Program that helps boards and executives have more confidence in their cybersecurity risk posture. Let me know if you need some help with this.
P.S. If you found this article helpful, you might want to read these too:
- If I were a non-technical manager in charge of cybersecurity
- How volunteers increase your Association’s cybersecurity risks
- Is your Not for Profit compliant with the Privacy Act changes?
Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.