By Karen Schuler
From the 110 million Target customers whose credit and debit cards were compromised in 2013 to the more than 250 million Google and Yahoo! email usernames and passwords exposed by Russian hackers in May, we’re constantly bombarded by news of major companies being hacked and consumer data being stolen.
Nonprofit leaders might ask, “Who would want to hack my organization?” But attacks on nonprofits like the Utah Food Bank—where personal and credit card information was stolen in 2015—and more recent ransomware attacks on U.S. hospitals send a clear message that few organizations are exempt from hacking activity. According to the 2015 NetDiligence Cyber Claims Survey, nonprofits made up 4 percent of cyber claims, while hospitals—listed as a separate category—made up 21 percent of claims, which made them the most affected sector among those surveyed.
In fact, nonprofits are particularly vulnerable, given the vast amounts of donor, member, staff, and, in some cases, patient information. Although resource constraints and competing demands make it difficult to prioritize and properly manage cybersecurity requirements, nonprofits can no longer afford to brush it off—it must be a top priority.
Size aside, pack on the muscle
There are steps nonprofits can take now—regardless of size or budget—that could limit vulnerabilities and go a long way toward protecting against and preparing for cyber-attacks. Any time and resources spent developing a data governance program, particularly one that focuses on cybersecurity, will pay dividends in maintaining donor and member trust.
Many nonprofits operate with leaner resources than privately or publicly held companies, but regardless of size or resource constraints, data should be treated like any other business asset. To mitigate the risk of a data breach, nonprofits should conceptualize data governance programs as though they are big businesses. For example, if donor data is the most vital type of data, consider how a larger organization might manage and protect it. From there, scale back efforts as necessary.
Similar to other organizations, the scope of a nonprofit’s data governance program may vary depending on available time and resources. But it is essential that nonprofit executives make the business case for incorporating the program into their budget.
With that in mind, these 10 steps can help nonprofits of all sizes better govern their data and information:
- Identify the program champion and gain board support – Without the right team and executive-level sponsorship, business initiatives aren’t likely to succeed. As such, gaining support from an executive-level sponsor or program champion, and then the board, should be top priorities. The champion will help identify key stakeholders (such as the board of directors, managers, legal and compliance, auditors, etc.) and individuals that could contribute to building and maintaining the cybersecurity program. Beyond an individual champion, it is essential to have buy-in from the board around data management and protection strategies to ensure successful implementation, management and enforcement of any program. An engaged board can work with the program champion to communicate the importance of a cybersecurity program in terms of the organization’s mission statement.
- Form a committee to develop the data protection and privacy program – Before implementing any program, organizations should select a committee of representatives across all key areas that can consistently oversee the program, determine its effectiveness and adjust it as needed. It is critical to determine roles, responsibilities, supporting personnel, materials and individuals to consult and inform of committee activities. Ultimately, this committee will build the organization’s overall governance strategy, framework, policies, teams and processes to establish a strong data protection and privacy program. Select a thorough program leader to ensure the committee follows through with its responsibilities and avoids the trap of not delivering.
- Assess for risks – Risk management is a team effort, and should include representatives across IT, legal and compliance, human resources, accounting and finance and operations. For a smaller organization without these departments, the team should be comprised of executives and senior managers responsible for managing donor or member information and financial records, as well as the technical resources that support those systems. The first priority in risk assessment should be to conduct a data mapping and inventory exercise. In doing so, the team will map how data flows throughout the organization to identify high-value data and records that require higher levels of protection and privacy. The team then needs to consider the implications of asset failure or loss, asset theft or exposure to unauthorized entities—all of which could compromise employees’ and donors’ personally identifiable information or lead to potential HIPPA or PCI violations. For each of these potential threats, consider ways to avoid or mitigate the risk, as well as the cost of each mitigation strategy and a plan to respond to the event. To keep pace with changing technology, it’s important that organizations review their risk management practices regularly.
- Analyze the data – To detect fraud and limit unauthorized exposure of data and information, use data analytics to help make reasonable assessments of risks and potential threats. Sample sets of data can be used to proactively measure the quality, integrity and consistency of certain record types. Organizations might also consider testing certain financial transactions on a limited basis to ensure there are no unexplained anomalies. A gap analysis can evaluate the efficacy of policies, procedures and controls to enhance protection and deter and detect compliance failures. It can also help determine whether the organization conforms to industry best practices for organizations of similar size. Further investigation, including forensic technology or due diligence, can follow if there is a high risk of compliance failures. This in-depth analysis will provide the organization with increased controls and an improved basis for decision-making and policy changes.
- Improve controls and governance strategy – These assessment and analysis results should help organizations make informed decisions and develop stringent internal controls that are measurable and enforceable. Leveraging analytics with teams in technology, financial and operations will aid in developing a data governance strategy, improving compliance capabilities and delivering intelligent, consistent reporting throughout the organization. An overseeing committee should work across departments to build governance structures. Smaller organizations might consider distributing the roles and responsibilities among participants in the organization.
- Build a comprehensive program – At this point, organizations should develop a comprehensive plan that addresses data governance, privacy, data protection strategies, incident response needs, and cybersecurity controls. These plans should include a data protection and privacy program that outlines potential risks, policies, standard operating procedures, responsible parties and procedures. Organizations should be sure to consider business operations, legal, compliance, technology, security, data, information and records and identify outside parties that will be required (e.g., third-party counsel, forensic examiners, cyber investigators, notification companies).
- Incident response tabletop exercise – Once an incident response plan is developed, the organization should conduct a simulation to see how the plan works. Key steps include:
- Reviewing roles to ensure team members understand their responsibilities during the response period;
- Obtaining buy-in from team members to ensure they are invested in the response and communications process;
- Identifying and ranking gaps, weaknesses and strengths as they relate to current response capabilities (people, processes and technology);
- Involving outside parties that have been engaged to assist in incident response; and
- Identifying any additional mitigation and remediation strategies.
The response plan may need to be adjusted based on the results of the simulation. Be sure to implement insights from the exercise into a revised plan.
- Determine if cyber insurance is a smart investment – In the process of developing a cybersecurity program, nonprofits may want to consider cyber insurance. To determine whether this is a smart investment, be sure to:
- Evaluate marketplace cyber insurance providers, including product types and coverage limitations;
- Understand areas of risk and vulnerabilities through scenario-based analyses;
- Determine business interruption and recovery costs through incident simulations;
- Develop and understand coverage adequacy thresholds;
- Align expectations with coverage requirements;
- Understand current coverage;
- Determine policy options; and
- Develop a review frequency to maintain continuous coverage optimization.
- Enhance efficiency and balance investments – Organizational efficiency doesn’t only result in long-term cost savings; it also reduces room for error, fraud and other cybersecurity issues. Organizations can take several steps to increase efficiency, including enhancing automation to reduce manual processes that are subject to mistakes and subjective evaluations. Although implementing these processes involves an initial cost, the long-term benefits include increased efficiency that can limit expensive losses, improve consistency and reduce redundancies throughout operations, technology and file storage. Finally, automation and appropriate controls help organizations improve data availability and quality to ensure information sent to clients, donors and customers is accurate. Nonprofits may be intimidated by the potential financial commitment, but it’s essential for them to effectively balance their investment in different areas of data security. For example, if a nonprofit invests heavily in cyber insurance, but forgoes conducting appropriate assessments and implementing necessary controls, it may leave itself vulnerable.
- Develop a communications strategy – For many organizations, effective communication is an aspect of cybersecurity that often falls by the wayside. A communications plan provides updates, as required, to personnel, clients, board members and other stakeholders. Training staff can help remove certain threats within organizations. An effective communications strategy includes a training component, which will help teams better understand their requirements and responsibilities in protecting the organization. Communications and training strategies are essential to delivering information in a consistent and meaningful way in the event of a cyberattack.
Cyber and financial crimes against nonprofits don’t often make the front page like hacks of major financial institutions and retailers, but threats are still looming. Organizations should proactively review and implement comprehensive cybersecurity programs today to avoid worries in the future.
Karen Schuler is a Managing Director at BDO Consulting. Ms. Schuler has a broad background in multidisciplinary fraud, cybersecurity, and government investigations, as well as civil litigation spanning a variety of subject matters, including securities, intellectual property, and product liability. She is a nationally known speaker and author on enterprise risk management, cybersecurity and investigations.