Cyber Security Tips for Executive Directors and Nonprofit Board Members
By Sharon Burns
Nonprofit leaders must effectively navigate complex technology decisions just like their corporate counterparts. Often though, the nonprofit executive has limited resources which sometimes leads to cutting corners or just ‘getting by’ until next year. Unfortunately, hackers are not sympathetic to the nonprofit plight nor impressed with the good they do. Instead, like any predator, hackers look for a soft prey and an easy meal ticket. Don’t let your nonprofit be a victim.
When funding is limited, investments in IT security become a tradeoff, a balancing act between spending on proactive strategies like staff training and reactive options like cyber liability insurance. Only an executive can make the decision, because only the executive is able to balance the organizational risk against the required investment.
A review of an organization's strategic security components requires an executive's eye. Because nonprofit leaders are responsible for the organization's assets, they are uniquely positioned to assess all risks: financial, reputational and cultural.
Here are three steps every nonprofit executive director and board member can take to better manage their organizations’ cyber risks.
1) Understand your Cyber Liability Insurance Options
Cyber liability insurance is available at a wide range of costs and with varying coverage options. A recent review of options for a nonprofit client resulted in a staggering list of investment options. The very good news is that cyber insurance policies are written for an executive (not a technologist), and the costs and benefits are quite clear. What is also clear is that if you are hacked, the insurance payout for the recovery depends on documentation that security protocols were in place. Be sure to read the fine print!
Do not push the review of cyber insurance onto your tech person. Use your cyber insurance review as an opportunity to strategically manage this critical risk to your organization. Strategic investing in cyber insurance also requires strategic investments in in-house technology training and systems. Get involved and ask questions.
2) Learn Your Responsibilities for Protecting PII
PII (personally identifiable information) is any data you store on your network that can identify a specific individual. A first name paired with a last name is PII; a first name paired with an email address is PII. Why is this data so important? Because in the world of 'big data', which assumes a level of anonymity, PII can be used to de-anonymize supposedly anonymous data.
While controlling access to all data is a priority, securing PII carries specific legal responsibilities that vary by country and from state to state. Specific regulations for student data are being developed, with fines of up to $5,000 per breach incident.
PII must be secured when it is at rest (on a server in your back closet or in the cloud, another whole article!), but also when it is being transmitted across the internet and when it is in use on a laptop or handheld device. To ensure the long-term viability of your nonprofit organization, you, as the executive, must be confident that you are compliant with all PII regulations. Learn what PII you keep and how it is secured as it moves through your network.
3) Develop a Data Breach Protocol
Those in the IT security field say that there are two types of organizations: those who have been hacked and those that don't know they've been hacked. While data breaches used to be front-page news, today they have become the norm. While the bad guys used to go after the big companies, today they direct their attention to smaller organizations, nonprofits, soft targets.
By this reasoning, it is fairly safe to assume that your organization will suffer a major data breach in 2017. When this happens, do you want the recovery protocol and communication plan for staff, your customers, the public and the regulatory agencies to be unscripted and in the hands of your IT staff? I guarantee they will be very very busy working on the problem and communications will fall to the bottom of their list. Instead, having a well thought out, executive-designed program in place ensures that the entire organization is on the same page with the recovery protocol and communication plan. Legal disclosure laws vary. Know what is required and design your data breach protocol now.
My hope is that these three low-cost suggestions will encourage every executive and board member to get involved in strategic cyber security planning.
Let me know if this post was helpful!