Cybersecurity: Five Questions Not-For-Profit Boards Should Ask to Minimize Risks

Despite the financial and reputational implications that cybersecurity risks pose to not-for-profits, these organizations still struggle to move beyond having an awareness of cybersecurity risks to creating an actionable plan designed to mitigate this risk.

CohnReznick’s 2017 Not-for-Profit Governance and Financial Management Survey revealed that 37 percent of not-for-profit organizations identify cybersecurity as one of the top 3 risks to their organizations which is an increase from 22 percent in 2016. However, only an average of 14 percent of not-for-profit organizations surveyed incorporate cybersecurity into their annual risk assessment process and only 52 percent of respondents reported having a cybersecurity breach response plan. 2  Clearly, a chasm exists between not-for-profit organization’s concerns for, and need for, better cybersecurity. This directly hinders a strategic plan of action for mitigating cybersecurity risk. 

To progress beyond merely identifying cybersecurity risks, and begin mitigating risks, not-for profit boards and audit committees can play a pivotal role in helping an organization understand cybersecurity risks, as well as driving the change needed to help effectively protect the organization. This can be accomplished through an open discussion with management and asking the following questions: 

When did we perform our last cybersecurity assessment, and what did it cover?

An annual assessment is critical and should align to a recognized framework, such as provided by the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS). This is imperative. Not doing so could leave significant gaps in your cybersecurity program. Also, from a legal perspective, you would fare far better during a breach investigation if you could show that an attempt was made to match your security program back to a standard, rather than having an ad-hoc approach.

Have we identified critical data, and do we know where it resides?

Asset management is essential, as is understanding all forms of data your organization uses—personally identifiable information (PII), financial information, corporate data, etc. It is not possible to adequately design an effective cyber defense unless you have given this consideration. 

How would we recognize if a breach occurred?

Organizations of all sizes struggle with their ability to identify malicious activity on their systems, because they lack the tools and processes to capture and review system logs for anomalous activity that could indicate the presence of a hacker. Organizations should consider deploying Security Information and Event Management (SIEM) technologies, or similar tools that log system information, correlate events, and detect malicious events. Then, processes must be instituted to review the information and take the needed action.

Have we assessed internal and external vulnerabilities?
Hackers may probe an organization’s network for weeks or months to understand the network layout and probe for vulnerabilities. If you don’t know where your vulnerabilities are, hackers will. We advise performing regular internal and external assessments to understand how a hacker may circumvent defenses and obtain access to critical data. When conducting this exercise, organizations need to think through various scenarios that could compromise their systems (e.g., denial of service, information disclosure, spoofing identity, etc.) and always remember that oftentimes, humans are the weakest link in the chain.

Do our security program and policies match our risk profile and tolerance?

This is arguably the most important question, as it gauges the alignment of an organization’s existing cybersecurity program to those of its stakeholders’ expectations. While your organization may not be able to answer all of the above, by understanding these fundamental cybersecurity issues, boards can help raise their organization’s awareness regarding cybersecurity gaps and help design an appropriate remediation plan.

At a minimum, organizations should conduct a cybersecurity assessment for their organization and its technology infrastructure to at least minimize the impact of the breach. This includes a crisis management/ communication plan to assure donors and other stakeholders, in the event of a breach, that a comprehensive plan exists and your organization is ready to act upon it. Most importantly, it’s important to realize that cyber-risk is real, and growing. Any not-for-profit organization and its board that does not take cybersecurity seriously may be headed for big trouble.

CohnReznick provides cybersecurity solutions that are dynamic, scalable, and “right-sized” for our clients. CohnReznick’s security professionals average more than 15 years in the field and hold key certifications. Our professionals have deep experience assisting organizations in implementing and complying with information and cybersecurity requirements using NIST 800-53, ISO 27001, COBIT, CIS, and other industry leading standards and frameworks.

CohnReznick has a dedicated Not-for-Profit and Education Industry Practice that works closely with the boards, management, and financial leaders for not-for-profit and educational organizations. Our clients include associations, foundations, educational institutions, not-for-profit affordable housing developers, religious and cultural organizations, and social service and charitable agencies.

¹ Source: Ponemon Institute 2017 Cost of Data Breach Study report 

²Source: CohnReznick 2017 Not-for-Profit Governance and Financial Management Survey