Cybersecurity: Five Questions Not-For-Profit Boards Should Ask to Minimize Risks
There are an increasing number of high-profile cybersecurity breaches in the news, and the financial stakes for these breaches continue to grow at an alarming rate. A 2017 study conducted by the Ponemon Institute revealed that the average cost of a data breach to U.S. companies has been more than $6 million over the last four years, and may be on track to approach $8 million.1 The escalating costs of these cybersecurity breaches is devastating for not-for-profit organizations, which continue to be a primary target of hackers because of the treasure trove of personal data and credit card information that they store. One security breach alone could erode donor confidence and compromise future donations.
Despite the financial and reputational implications that cybersecurity risks pose to not-for-profits, these organizations still struggle to move beyond having an awareness of cybersecurity risks to creating an actionable plan designed to mitigate this risk.
CohnReznick’s 2017 Not-for-Profit Governance and Financial Management Survey revealed that 37 percent of not-for-profit organizations identify cybersecurity as one of the top 3 risks to their organizations which is an increase from 22 percent in 2016. However, only an average of 14 percent of not-for-profit organizations surveyed incorporate cybersecurity into their annual risk assessment process and only 52 percent of respondents reported having a cybersecurity breach response plan. 2 Clearly, a chasm exists between not-for-profit organization’s concerns for, and need for, better cybersecurity. This directly hinders a strategic plan of action for mitigating cybersecurity risk.
To progress beyond merely identifying cybersecurity risks, and begin mitigating risks, not-for profit boards and audit committees can play a pivotal role in helping an organization understand cybersecurity risks, as well as driving the change needed to help effectively protect the organization. This can be accomplished through an open discussion with management and asking the following questions:
When did we perform our last cybersecurity assessment, and what did it cover?
An annual assessment is critical and should align to a recognized framework, such as provided by the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS). This is imperative. Not doing so could leave significant gaps in your cybersecurity program. Also, from a legal perspective, you would fare far better during a breach investigation if you could show that an attempt was made to match your security program back to a standard, rather than having an ad-hoc approach.
Have we identified critical data, and do we know where it resides?
Asset management is essential, as is understanding all forms of data your organization uses—personally identifiable information (PII), financial information, corporate data, etc. It is not possible to adequately design an effective cyber defense unless you have given this consideration.
How would we recognize if a breach occurred?
Organizations of all sizes struggle with their ability to identify malicious activity on their systems, because they lack the tools and processes to capture and review system logs for anomalous activity that could indicate the presence of a hacker. Organizations should consider deploying Security Information and Event Management (SIEM) technologies, or similar tools that log system information, correlate events, and detect malicious events. Then, processes must be instituted to review the information and take the needed action.
Have we assessed internal and external vulnerabilities?
Hackers may probe an organization’s network for weeks or months to understand the network layout and probe for vulnerabilities. If you don’t know where your vulnerabilities are, hackers will. We advise performing regular internal and external assessments to understand how a hacker may circumvent defenses and obtain access to critical data. When conducting this exercise, organizations need to think through various scenarios that could compromise their systems (e.g., denial of service, information disclosure, spoofing identity, etc.) and always remember that oftentimes, humans are the weakest link in the chain.
Do our security program and policies match our risk profile and tolerance?
This is arguably the most important question, as it gauges the alignment of an organization’s existing cybersecurity program to those of its stakeholders’ expectations. While your organization may not be able to answer all of the above, by understanding these fundamental cybersecurity issues, boards can help raise their organization’s awareness regarding cybersecurity gaps and help design an appropriate remediation plan.
CohnReznick has a dedicated Not-for-Profit and Education Industry Practice that works closely with the boards, management, and financial leaders for not-for-profit and educational organizations. Our clients include associations, foundations, educational institutions, not-for-profit affordable housing developers, religious and cultural organizations, and social service and charitable agencies.
1 Source: Ponemon Institute 2017 Cost of Data Breach Study report