Nonprofits and Cybersecurity
BDO United States – Karen Schuler, 5/19/16
Cybersecurity has become a top-of-mind issue for organizations across both the nonprofit and for-profit sectors. From the 110 million Target customers whose credit and debit cards were compromised in 2013 to the more than 250 million Google and Yahoo! email usernames and passwords that were exposed by Russian hackers earlier this month, we’re constantly bombarded by news of major companies being hacked and consumers’ data being stolen.
Nonprofit leaders might ask themselves, “Who would want to hack my organization?” but recent ransomware attacks on U.S. hospitals send a clear message that few organizations are exempt from hacking activity. According to the 2015 NetDiligence Cyber Claims Survey, nonprofits made up 4 percent of cyber claims, while hospitals, listed as a separate category, made up 21 percent of claims – the most affected sector among those surveyed.
In fact, nonprofits are particularly vulnerable, given that they often retain vast amounts of donor information, including financial information as well as staff employment and insurance data. Many philanthropic organizations are operating under tight resource constraints, and cybersecurity measures may not have historically been a top priority. If you have not paid attention to your organization’s cybersecurity policies, now is the time. Here are 10 steps that can help you better govern your information and assets.
1. Identify the Program Champion – Prior to initiating a program that helps to better govern your information and assets, it is extremely important to obtain sponsorship from those charged with governance and senior management. Without this, programs tend to be less successful. The goal of the champion is to help you make the business case to promote better cyber governance throughout the organization. Your champion will help you identify key stakeholders (such as the board of directors, managers, auditors, etc.) as well as individuals that could contribute to a committee, and will help to map out initial rules and procedures for making decisions related to an organization’s data privacy and protection.
2. Assess your risks – Risk management is a team effort and should include representatives from IT, legal and compliance, HR, accounting and finance and operations. The risk assessment team’s first project should be to inventory your organization’s systems and data, ranking them by levels of importance and sensitivity. The team then needs to consider the implications of the following events: asset failure or loss; asset theft; or exposure to unauthorized entity, all of which could lead to exposure of personally identifiable information on employees as donors, as well as potentially violating HIPPA privacy rules. For each of these potential threats, list ways to avoid or mitigate the risk, as well as the cost of each mitigation strategy and a plan to respond to an incident. In order to keep pace with changing technology, it’s important that organizations review their risk management practices regularly.
3. Analyze your data – To help minimize risk, detect fraud and limit unauthorized exposure of your assets, organizations should utilize analytics to help make reasonable assessments of risks and potential threats. Best practices are to take proactive measures periodically (or in reaction to non-specific compliance concerns) that involve the use of investigative techniques and limited legal and forensic accounting principles. A gap analysis can help you evaluate the efficacy of your organization’s policies, procedures and controls to help you enhance protection and deter and detect compliance failures. It can also help you determine whether the organization conforms to best practices for the industry and for organizations of a similar size. Further investigation, including forensic technology or due diligence, can follow if it appears there is a high risk of compliance failures. This in-depth analysis will provide the organization with increased controls and an improved basis for decision-making and policy changes.
4. Form a committee to develop the program – Once an organization has a cybersecurity program in place, it should also select a committee that can consistently oversee its implementation and meet regularly to determine its effectiveness and adjust the program as needed. This committee should include representatives from all key areas of your organization. It is also important to select one owner of the program to ensure that the team follows through with its responsibilities. Additionally, it is critical to determine roles, responsibilities, supporting personnel and materials, and individuals that should be consulted and informed of the committee’s activities. Ultimately, this committee will build the organization’s overall governance strategy, framework, policies, teams and processes to establish a strong data protection and privacy program.
5. Improve controls and governance strategy – Using the analytics and lessons learned, stringent internal controls need to be developed, implemented and monitored across the organization. Organizations should work with their technology, financial, operations and other teams to leverage analytics as they develop a data governance strategy, improve their compliance capabilities and deliver intelligence and consistent reporting throughout the organization. The committee should work across the different departments to build governance structures to distribute the roles and responsibilities among different participants in the organization.
To view the full article and all 10 recommended steps please click here.