A new White House administration, natural disasters, and sophisticated cyber-attacks affected organizations across the United States in 2017. Reducing your not-for-profit's risk exposure is essential to protecting your operations, but it can be difficult if you are overlooking your potential areas of vulnerability. Understanding the risk management lessons from major events in 2017 will help you plan to address the risks of tomorrow.
Lesson 1: You Can't Predict the Weather, But You Can Prepare for It.
The United States faced major catastrophes in 2017, from hurricanes Harvey and Irma to deadly wildfires in Tennessee and California. These events caused thousands of people to evacuate their homes and countless business disruptions across the country. Catastrophic events like these are impossible to predict, but unfortunately, most not-for-profit organizations do not consider planning for them until after one occurs and they face a major interruption.
To handle the issues that emergencies create, not-for-profit organizations need to proactively develop a set of coordinated plans and procedures that ensure they can keep employees safe. Those plans and procedures should also spell out how your not-for-profit will continue to meet community needs following an unplanned disruption. Your primary objective when creating your business continuity strategy is to identify your risks and create an actionable plan. The strategy should account for places, people, procedures, and communications, and its content should be general enough to apply to multiple situations.
Lesson 2: Anyone Can Fall Victim to a Cyber-Attack – Even Companies that Specialize in Stopping Them.
In September, the largest accounting firm in the United States, Deloitte, confirmed that it was the victim of a cyber-attack that had compromised sensitive client data. While a cyber-attack on an $18 billion company is newsworthy, what makes this attack a particularly good case study is that a leading cybersecurity consultant fell victim to a sophisticated attack on its email platform that was used to gain access to its network. The Target, Yahoo, and Equifax breaches illustrated that companies of any size or industry can be targeted by cyber criminals, but the Deloitte breach shows that no one is immune from their efforts.
Every organization – regardless of size, industry and specialty – can benefit from having a proactive, robust cybersecurity strategy in place. It is impossible to predict exactly how or when a cyber-attack will occur, but this should not discourage management from mapping out a plan for the day when one does. Creating and implementing an incident response strategy is a critical component of any cybersecurity program. Including recovery steps for every possible scenario will likely produce a complex document that is impractical when employees need to act quickly. The key to a strong incident response strategy is not to over-complicate it. Your strategy should account for places, people, procedures and communications, and it should work in multiple situations. Given the nature of the Deloitte attack, companies should make sure that their incident response strategies include steps to notify key stakeholders with details of the attack and important updates throughout the remediation timeline.
Lesson 3: Your Company's Perception in the Marketplace is Determined by the Actions of Every Employee.
In 2017, Uber Technologies Inc., a global transportation company headquartered in San Francisco, made headlines on multiple occasions for allegations of stolen intellectual property, sexual harassment, and data breaches. This type of media attention can cause devastating reputational and, ultimately, financial consequences for organizations, especially when it involves multiple, differing incidents and accusations. In a survey conducted by cg42, 57 percent of respondents had a negative or neutral impression of the rideshare service after becoming aware of the scandals.
An organization's reputation is determined by the actions of every employee and by the external perception of the way it conducts its operations. The reality is that every organization opens itself up to fraudulent activity, corruption schemes, or poor perception when it fails to implement proper controls and reporting. Create company values, codes of conduct, and policies for intellectual property, and make sure that you properly communicate these items to every employee. Never give a single employee too much authority, and implement procedures for other employees to review day-to-day activities. Consider hiring a third-party Certified Fraud Examiner (CFE) to conduct forensic analysis and look for any areas of misconduct. Create a policy for what happens when fraudulent or unethical activity does occur, and make sure that it is enforced for every individual regardless of title or tenure.
For More Information
Having a proactive, organization-wide risk management strategy that is clearly communicated across your organization is your best defense. If you have any specific questions, comments or concerns about your risk management strategy, please contact a CBIZ Risk & Advisory specialist.
Published on December 19, 2017