Cyber criminals have gotten wise to the fact that not-for-profits sit on a relative goldmine of sensitive data, including employee health information, Social Security numbers, donor information, and billing information.
Not-for-profits should treat their data as if it were that valuable in order to make sure it’s protected. Failing to do so could come with steep consequences. Breached donor information, for example, may damage future fundraising efforts because donors may lose faith in the organization’s ability to protect private information.
Board members play a vital role in their not-for-profit’s risk management strategy, and cybersecurity is no exception. The board can help their organization understand the importance of information security and the severity of problems that could accompany a breach. But board members need to know a few things about the threat from which they are trying to protect their organization.
The Not-For-Profit Data Landscape
First and foremost, not-for-profit boards and audit committees should have an idea of the types of information that could be at risk for cyber criminals and information security breaches. They ought to be able to answer three basic questions:
- What data does the not-for-profit store?
- Where is the data stored?
- Is the data stored securely?
From there, board members will have a better sense of whether the security measures and protocol in place are sufficient to protect the information in today’s risk environment.
One area board members should be monitoring with particular attention is the use of third-party providers. Not-for-profits may not know where the third party stores the data or what security measures the provider has in place to protect that data. Boards and not-for-profit management teams should work together to understand their service providers’ data security controls and whether those procedures provide the level of security the organization feels is appropriate for its data.
A Not-For-Profit’s Information Technology Vectors and Vulnerabilities
The attack surface for information security continues to expand. Twenty years ago, information security exposures and risks came almost exclusively at the point of internet connection. Today’s environment includes several potential entry points, including:
- Internet of Things (IoT) devices
- Connections for remote work arrangements and telecommuters
- Online transactions and information sharing
- “Monoculture” in certain software platforms, such as the Microsoft suite (one of the reasons the WannaCry incident was so disruptive: a single unpatched flaw was present across a very large installed base)
Boards should work with their not-for-profits to understand how the organization protects those different entry points into its information systems. For example, if employees can use their personal devices to access their email, is the application that they’re using to view their email secure?
The Backbone of the Not-For-Profit’s Information Security Strategy
Another important point board members will want to understand is how the not-for-profit architected its information security protocols. Was a standard framework used? Several could be useful for a nonprofit or small organization, including the SANS Institute’s CIS 20 Critical Security Controls framework.
If an organization has not used a standard framework and it holds a significant amount of sensitive information, the board may want to recommend an information security assessment. Comparing the organization’s approach against a standard framework can reveal gaps where vulnerabilities remain unaddressed. Information security assessments can also ensure that cybersecurity strategies are aligned with the highest-value information and can provide additional confidence in the organization’s information security and its controls over its data.
Details About the Cybersecurity Incident Response Plan
The final point that board members should be aware of is how the not-for-profit reviews controls and communicates potential cybersecurity breaches. Board members should understand:
- Would the organization be able to detect a breach?
- How often does management review incidents and breaches?
- When was the last information security incident?
- When would the board find out about an information security incident?
Not-for-profit organizations should be able to provide this information not only for their internal information security protocols but also for any of the service providers they use to store or manage their sensitive data. Too often organizations do not have a full grasp on their service providers’ information security incidents, which puts the not-for-profit organization at risk of not meeting its notification obligations. When a breach happens, there are a variety of notification communications that may be required, depending on the state in which you operate and the type of data compromised.
When External Help May Be Needed
A board’s cybersecurity discussion with its not-for-profit organization may indicate that the not-for-profit needs additional support to bring its information security protocols up to date. An external provider may be able to step in to “right-size” an approach to the organization’s needs.
Information security is not a one-size-fits-all model, and a sound strategy will depend on many layers of governance and oversight. For more information, please contact us.
- A Cybersecurity Primer for Not-for-Profit Organizations
- Cybersecurity Check-In: 6 Questions Boards of Directors Should Ask About Cybersecurity
Ray Gandy is a Director and Leader of the IT Risk & Assurance Practice in New England. He can be reached at firstname.lastname@example.org or 617.671.0722.
Copyright © 2019 CBIZ & MHM (Mayer Hoffman McCann P.C.). All rights reserved. CBIZ and MHM are separate and independent legal entities that work together to serve clients. CBIZ is a leading provider of tax and consulting services. MHM is an independent CPA firm providing audit and other attest services. This article is protected by U.S. and international copyright laws and treaties. Use of the material contained herein without the express written consent of the firms is prohibited by law. Material contained in this alert is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their business.