Nonprofit Risk Management: Understanding & Managing Cyber Risk

Apr 20, 2016 6:30:00 AM


The reliance on data in our technologically-driven world comes with innumerable benefits for today’s nonprofits – significantly increasing speed and productivity, as well as improving communication and convenience. However, with these advantages come a series of risks.

Cyber risk can come in many forms.

You may be thinking, “We’re a nonprofit, hackers won’t bother us.” Unfortunately, this is not the case. Hackers don’t look for a particular type of business; they scan the internet for vulnerabilities, and they are interested in sensitive information wherever it is found. Nonprofits, perhaps even more than other companies, can have both of these characteristics.

And because nonprofits often rely heavily on their data—such as donor records, client data, and volunteer information—the damages from a breach could be significant. Consider the potential impact on your nonprofit: If your data were corrupted or lost, would you be able to recover it, or would you have to rebuild it from the ground up? Either way, how much time and money would you spend to get your data back? Could you face fines for loss of credit card information or protected health care data? Would the breach hurt your reputation among potential clients and donors?

The potential for a breach, coupled with the severe impact should it occur, makes securing your system a priority.

The Only Truly Secure System…

“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.” – Gene Spafford, Professor of Computer Sciences at Purdue University.

Unfortunately, as Professor Spafford illustrates, there may be nothing you can do—short of discarding your computers—to completely secure your system against a cyber breach. But you can put things in place to mitigate the damages should a breach occur.

The first step in this process is a risk assessment to get a better understanding of what cyber risks your organization may be exposed to. As part of this assessment, ask yourself:

  • What sensitive data (such as names, addresses, social security numbers, and birthdates) does your organization store?
  • Is it stored in the cloud, on local servers, or on individual computers?
  • Is it backed up and if so, how often?
  • If you process credit cards, does your organization meet the PCI compliance standards?
  • If you maintain health care information, are your processes HIPAA compliant?

Consider using outside resources to help you assess your IT risks. For example, review our cyber security and privacy liability self-assessment. You could also consult with a risk advisor or an IT management firm.

Develop a Plan

Once you’ve assessed your risk, you should develop a plan to address deficiencies and prepare your organization to respond. The plan should include a mix of risk management strategies for mitigating risk, transferring it, and insuring against it. While there are numerous such strategies, the following list provides some examples many organizations use to manage their cyber risk:

  • A data breach management plan addressing containment and recovery, identifying the response team, and setting out notification procedures.
  • A document retention policy requiring destruction of certain files after established time periods.
  • Callback or similar verification procedures for payment requests or changes of banking information.
  • A network security audit conducted by a third-party IT vendor.
  • Third-party credit card processing vendors.
  • Cloud storage for business documents.
  • Encryption software for emails and attachments containing sensitive information.
  • Data breach or cyber insurance.

Don’t leave your organization unprotected and unprepared. Conduct a risk assessment to understand the exposures you face, and then develop a plan on how to address those cyber risks and how to respond should a breach occur. Be proactive to help mitigate the potential damages of cyber risk!

Written by David Walters

David is Gibson's Commercial Risk Growth Officer, a principal, and part of the executive leadership team. As a member of the leadership team, David oversees the strategy and execution of Gibson’s client and employee experience.