Not-for-profit organisations often have limited funds to invest in technology, and information security in particular, along with the protection of the organisation's critical systems and assets, can take a back seat. However, NFPs are just as vulnerable to cyberattacks as any other organisation. With many holding a vast treasure trove of personal information from donors and other stakeholders, they are a valuable target for online criminals. The good news is that effective cybersecurity does not have to cost a fortune. But it does require an intelligent, risk-based approach in order to maximise the return on investment.
There is a lot of free and low-cost guidance available – tools such as the Australian Cyber Security Centre’s Essential Eight and frameworks from NIST offer a lot of advice on what NFP boards can focus on. But, before diving into technical solutions it’s important to have an enterprise-wide plan. The following five tips can help NFP boards keep their organisations cyber safe.
1. Identify your most valuable data assets
NFP boards are responsible for a wide range of governance matters. Good governance starts by understanding what you are actually governing. Finance committees know the financial position of the organisation, have access to account balances, budgets, forecasts and other important information. The same goes for good cybersecurity governance.
NFP boards need to understand what their most valuable system and data assets are. Some items will be easy – chances are you know your customer data is in a customer relationship management system – but others will be harder to identify. For example, are staff members keeping important data on personal computers? How do your volunteers access and maintain data?
Start with a thorough audit of your data, systems and processes so you understand exactly what data you have, where it is, who has access to it and how it’s used.
2. Undertake a risk analysis
Now that you know what you have, you can conduct a risk analysis. There are a number of questions you should ask.
- What would be the impact of a cyberattack on our reputation and operations?
- Where is our data kept?
- Who has access to our data?
- How are we protecting customer data?
- What happens if a key supplier or partner is hacked?
- How many people in our organisation are focussed on managing cybersecurity risk?
- Do we have an incident response plan?
- What are the threats we face?
- Should we pay the ransom?
- Have we considered insurance as part of our cyber risk treatment plans?
For each major system or piece of data, you need to understand what measures you have in place, what threats you face and how you will react if you are attacked.
3. Don’t skimp on user education
The days of security education being an annual checkbox item designed to keep an auditor happy are behind us. Every person in the organisation, from board members to volunteers, requires regular training. Rather than boring people through a two-hour annual training session, look for opportunities to offer regular, smaller bite-sized training opportunities that support longer-term behavioural change.
For example, teaching people why strong passwords and multi-factor authentication (MFA) are valuable is far more useful than bombarding them with information about weak passwords and the technical ins and outs of what the security team is doing. They don't need to know that MFA is recommended in the Essential Eight. But if you tell them it is the best way to secure their Facebook account and that it works in the office as well, they can become personally invested in the secure behaviour you want to encourage.
4. Partner with experts
Cybersecurity is complex and there is a dearth of expertise in Australia. Partnering with someone who takes the time to understand your risks and puts in place measures that are appropriate to your risk appetite and budget can make the journey far smoother.
Technical skills are important but look for a partner that doesn’t simply arrive with a generic box of security tools. Look for a partner that listens to you and provides advice that fits your specific needs and current security maturity.
5. Continuous monitoring
Good information security is not a project. While deploying new tools to better secure your people, processes and systems can be a project, staying abreast of emerging threats and ensuring your strategy remains relevant is an ongoing program of activity.
NFP boards should have a regular cybersecurity reporting item as part of their ongoing risk management regime. The person responsible for the day-to-day management of cybersecurity should report to the board regularly, using risk-based business language and not technical jargon, so the board is aware of what is happening with critical data and system assets. They should see these assets in the same way they consider OH&S for staff in hazardous situations with regular monitoring and communication.
Cybersecurity is an ongoing threat and NFPs are in the firing line for online criminals. By taking a risk-based approach, backed by strong user education and a commitment to regular monitoring and reporting, NFP organisations can minimise the chance of an attack and reduce the impact should their defences be breached.
By Anna Leibel and Claire Pales, co-authors of The Secure Board book and Directors of The Secure Board advisory firm.
Anna Leibel (GAICD) is a Director of The Secure Board, a Non-Executive Director and senior executive across the financial services, management consulting, telecommunications and technology industries.
Claire Pales (FAISA, GAICD) is a best-selling author, a podcast host, and Director of The Secure Board, a consulting company committed to advising executives and boards, and helping businesses to establish exceptional information security practices.