By Karen Schuler, CFE, IGP
Cybersecurity has become a top-of-mind issue for organizations across both the nonprofit and for-profit sectors. From the 110 million Target customers whose credit and debit cards were compromised in 2013 to the more than 250 million Google and Yahoo! email usernames and passwords that were exposed by Russian hackers last month, we’re constantly bombarded by news of major companies being hacked and consumers’ data being stolen.
Nonprofit leaders might ask themselves, “Who would want to hack my organization?” but recent ransomware attacks on U.S. hospitals send a clear message that few organizations are exempt from hacking activity. According to the 2015 NetDiligence Cyber Claims Survey, nonprofits made up 4 percent of cyber claims, while hospitals, listed as a separate category, made up 21 percent of claims—the most affected sector among those surveyed.
In fact, nonprofits are particularly vulnerable, given that they often retain vast amounts of donor information, including financial information as well as staff employment and insurance data. Many philanthropic organizations are operating under tight resource constraints, and cybersecurity measures may not have historically been a top priority. If you have not paid attention to your organization’s cybersecurity policies, now is the time. Here are 10 steps that can help you better govern your information and assets.
- Identify the Program Champion
Prior to initiating a program that helps to better govern your information and assets, it is extremely important to obtain sponsorship from those charged with governance and senior management. Without this, programs tend to be less successful. The goal of the champion is to help you make the business case to promote better cyber governance throughout the organization. Your champion will help you identify key stakeholders (such as the board of directors, managers, auditors, etc.) as well as individuals that could contribute to a committee, and will help to map out initial rules and procedures for making decisions related to an organization’s data privacy and protection.
- Assess your risks
Risk management is a team effort and should include representatives from Information Technology, legal and compliance, Human Resources, accounting and finance and operations. The risk assessment team’s first project should be to inventory your organization’s systems and data, ranking data types and systems by levels of importance and sensitivity. Following your inventory and vital records ranking, it is important to determine if one of your assets failed, if data was lost or stolen and whether HIPAA privacy rules were violated. For each of these potential threats, list ways to avoid or mitigate the risk, as well as the cost of each mitigation strategy and a plan to respond to an incident. In order to keep pace with changing technology, it’s important that organizations review their risk management practices regularly.
- Analyze your data
To help minimize risk, detect fraud and limit unauthorized exposure of your assets, organizations should utilize analytics to help make reasonable assessments of risks and potential threats. Best practices are to take proactive measures periodically (or in reaction to non-specific compliance concerns) that involve the use of investigative techniques and limited legal and forensic accounting principles. A gap analysis can help you evaluate the efficacy of your organization’s policies, procedures and controls to help you enhance protection and deter and detect compliance failures. It can also help you determine whether the organization conforms to best practices for the industry and for organizations of a similar size. Further investigation, including forensic technology or due diligence, can follow if it appears there is a high risk of compliance failures. This in-depth analysis provides insight into your organization’s policy changes and, ultimately, when implemented, leads to improved controls.
- Form a committee to develop the program
Once an organization has a cybersecurity program in place, it should also select a committee that can consistently oversee its implementation and meet regularly to determine its effectiveness and adjust the program as needed. This committee should include representatives from all key areas of your organization. It is also important to select one owner of the program to ensure that the team follows through with its responsibilities. Additionally, it is critical to determine roles, responsibilities, supporting personnel and materials, and individuals that should be consulted and informed of the committee’s activities. Ultimately, this committee will build the organization’s overall governance strategy, framework, policies, teams and processes to establish a strong data protection and privacy program.
- Improve controls and governance strategy
Using the analytics and lessons learned, stringent internal controls need to be developed, implemented and monitored across the organization. Organizations should work with their technology, financial, operations and other teams to leverage analytics as they develop a data governance strategy, improve their compliance capabilities and deliver intelligence and consistent reporting throughout the organization. The committee should work across the different departments to build governance structures to distribute the roles and responsibilities of different participants in the organization.
- Enhance efficiency and balance your investment
Organizational efficiency doesn’t only result in long-term cost savings; it also reduces room for error, fraud and other cybersecurity issues. There are several steps an organization can take to increase its efficiency, including enhancing automation to reduce manual processes that are subject to mistakes and subjective evaluations. While implementing these processes involves an initial cost, in the long term, increased efficiency can help to limit expensive losses, improve consistency across the organization and reduce redundancies throughout operations, technology and file storage. Finally, we have found that automation and appropriate controls aid organizations in improving their data availability and quality to ensure that information sent to clients, donors and customers is accurate. Nonprofits may be intimidated by the potential financial commitment, but it’s essential for them to effectively balance their investment in different areas of data security. For example, if a nonprofit invests heavily in cyber insurance, but forgoes conducting appropriate assessments and implementing necessary controls, it may leave itself vulnerable.
- Incident response tabletop exercise
Once an incident response plan is developed, a best practice for an organization is to conduct a simulation to see how the plan works in action. Key steps to conducting an incident response exercise include:
- Determining if team members understand their roles and responsibilities as they relate to responding to an incident
- Generating awareness that incident response is important
- Ranking gaps, weaknesses and strengths throughout the organization
- Assessing current team members’ capabilities
- Identifying outside parties that will be required (e.g., outside counsel, forensic examiners, cyber investigators, notification companies)
- Identifying any additional mitigation and remediation strategies
In completing this simulation, you may find that your response plan needs to be adjusted to address new risks identified. Be sure to implement insights resulting from the exercise into a revised plan.
- Determine if cyber insurance is right for your organization
In the process of developing a cybersecurity program, nonprofits may want to consider cyber insurance. In order to determine if cyber insurance is a smart investment, be sure to:
- Evaluate marketplace cyber insurance providers, including product types and coverage limitations
- Understand areas of risk and vulnerabilities through scenario-based analyses
- Determine business interruption and recovery costs through incident simulations
- Develop and understand coverage adequacy thresholds
- Align expectations with coverage requirements
- Understand current coverage
- Determine policy options
- Develop a review frequency to maintain continuous coverage optimization
- Build a comprehensive program
Once all of the above steps are completed, organizations should put together a comprehensive cybersecurity plan, data protection plan and privacy program, outlining potential risks, policies, responsible parties and procedures. Organizations should be sure to consider business operations, legal, compliance, technology, security, data, information and records.
- Develop a communications strategy
For many organizations, effective communication is an aspect of cybersecurity that often falls by the wayside. A communications plan provides updates, as required or necessary, to your personnel, clients, board members and other stakeholders. Training your staff can help to remove certain threats within your organization. Ensure that your communications strategy includes a training component, which will help your teams better understand their requirements and responsibilities in protecting the organization. It’s essential to develop an overall communications and training strategy to deliver information in a consistent and meaningful way in the event of a cyberattack.
Cyber and financial crimes against nonprofits don’t often make the front page like hacks of major financial institutions and retailers, but threats are still looming. Organizations should act proactively to implement comprehensive cybersecurity programs now to avoid worries in the future.
This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Summer 2016). Copyright © 2016 BDO USA, LLP. All rights reserved. www.bdo.com