From large organizations to small local associations, cybersecurity is a concern for everyone in the not-for-profit sphere. Yet, because it can often feel like a foreign subject, many organizations aren't comfortable even describing what cybersecurity is or what it means for their day-to-day operations, which typically means they are not doing what is needed to mitigate the associated risks.
The most common cybersecurity issue affecting not-for-profit organizations is the loss or theft of personally identifiable information, finance and accounting data, intellectual property, or proprietary information. The harm is compounded if the data is damaged or unavailable for long periods of time. Not-for-profit organizations may collect a wide range of personal data, including sensitive data such as Social Security numbers or credit card information, from the various people associated with the organization, such as employees, board members, donors and volunteers. Organizations that don't take steps to monitor and protect this data may not even know it has left the organization until it's too late to remedy the problem.
A cybersecurity breach is not only time-consuming but can also have a negative financial impact on a not-for-profit organization, since internal and external resources are needed to remediate it. Additional costs can arise from purchasing spot-fix tools or hardware. The reputational harm from a known breach could also cost the organization donors who no longer trust it with sensitive information, however worthy the cause. The organization may also face regulatory scrutiny that could subject it to fines.
No one is immune from cybersecurity threats, which are unfortunately all too common. According to Breach Level Index, an organization that tracks business breaches, security incidents are becoming faster and larger in scope. It found 2.6 billion records stolen in 2017, a whopping 82 records every second. Over half of the companies behind those breaches couldn't provide the exact number of records stolen, because they didn't know or couldn't track how many were recovered. Even the loss of one record could have lasting implications if that data is bought and sold on the dark web.
It takes a conscious act to sit down with leadership, board members, and your IT department to identify your organization's critical and sensitive information and consider what cybersecurity issues may affect you and your stakeholders. But it's crucial. Consider the following topics as you assess your cybersecurity risk.
Unfortunately, you or your employees can easily and inadvertently expose your organization to a breach by sending personal data via email, losing or misplacing a flash drive, or giving access to a hacker by accidentally downloading malicious software from the internet. Buying top-rated anti-virus and firewall protection or encrypting computer hard drives and flash drives should not be your only solution. It takes a holistic, fundamental approach to make sure everyone involved in protecting critical data is aligned.
It's important for organizations to conduct a proper threat and risk audit to understand how and why critical information can be leaked. Holistic solutions and best practices for a successful enterprise security program include:
- Know your threat vectors and causes of failure – Who or what could tamper with or destroy critical data? What are the human threats (disgruntled employees or hackers) and non-human threats (floods or fire) to your organization? What would motivate someone to take your organization's data?
- Ensure an effective management and governance process – Identify the security stakeholders within your organization, formalize and centralize policies and procedures surrounding security, adopt controls for consistent monitoring, and work with your board to build security, including regular risk and threat assessments, into the organization's enterprise strategy.
- Foster a safe culture in the organization – Build security into the fabric and culture of the entire enterprise by making cybersecurity a leadership initiative and ensuring policies are not only fully understood but also adhered to. Provide ongoing education and training to employees, vendors, consultants, and partners.
- Know your technology stack – Inventory the devices that support your business, understand their strengths and weaknesses, and maintain or update them as needed.
- Understand your suppliers and vendors – You should be able to identify which vendors support your critical data and evaluate their security practices to ensure they align with yours. Consider developing a risk threshold checklist to evaluate existing and new vendors.
- Have a formalized disaster recovery plan – What steps will you take to protect or recover your data if you are hacked or hit by a virus? Do you have a backup server if your primary server is flooded? Ask these questions of your vendors, too.
Protecting your organization's critical data is best done sooner rather than later, but it's never too late. Use this information to empower your organization's leadership, board members, and IT department to make cybersecurity a priority and protect yourself from risk. And, as a best practice, revisit this information regularly, as cybersecurity risks are constantly evolving.
For More Information
If you have any comments, questions, or concerns about your organization's cybersecurity, contact us.
Published on June 20, 2018
© Copyright CBIZ, Inc. and MHM. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ). MHM (Mayer Hoffman McCann P.C.) is an independent CPA firm that provides audit, review and attest services, and works closely with CBIZ, a business consulting, tax and financial services provider. CBIZ and MHM are members of Kreston International Limited, a global network of independent accounting firms. This publication is protected by U.S. and international copyright laws and treaties. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.