Here’s How to Build a Nonprofit Cybersecurity Risk Management Framework

If your mission-driven organization has been adopting new tools to further your goals and you have been moving your processes to digital systems, then robust cybersecurity now has to become a priority.

In this article, we explore how your organization can build a cybersecurity risk management framework based on best practices to ensure you are protecting sensitive data, safeguarding board members and other stakeholders, and mitigating risk while maintaining donor trust — as well as your own reputation.

Getting Started on a Risk Management Framework

The impact of cyberattacks on the services, funds or confidential information of charities and NGOs cannot be underestimated. Such attacks have the potential to cause severe financial and reputational damage, and they may also jeopardize the well-being of the vulnerable individuals who rely on your nonprofit for support.

Unfortunately, cybersecurity is often a knee-jerk reaction, at best, to a problem or new regulation. At worst, it’s an afterthought. What nonprofits need is a well-thought-out, strategic plan for cybersecurity to protect themselves and everyone else from potential sources of harm.

Like any complex, multifaceted project, the hardest part of creating a cyber risk management framework is getting past the feeling of being overwhelmed and just getting started. The following three steps will help your board get out of the rut:

1. Make a list of the tasks you need to tackle to create the framework. This process may spark ideas for even more tasks. Once the list is complete, arrange similar or related tasks into groups to make things more manageable.
2. Determine the necessary resources for completing the tasks. Will you need to purchase services or equipment? Will you need to hire additional employees or consultants? Does the infrastructure require instituting new policies or procedures? What kind of budget will support your efforts? The answers to these questions may add a few more items to your original “to-do” list.
3. Devise a plan to overcome obstacles and challenges. Be aware that potential threats are complex and interconnected. Emerging problems may slow down your progress, but they’ll also give you new opportunities to bolster your cybersecurity planning.

Be aware that new technology could emerge during your planning and that could also be an advantage, for example, board technology is already in existence and is an asset to nonprofit boards.

5 Necessary Attributes in a Cybersecurity Risk Management Framework

Adding to the challenge of developing a cybersecurity risk management framework for nonprofits is there is no one-size-fits-all plan. Nonetheless, the financial advisory firm, Crowe Horwath, describes and recommends the following five attributes as necessary components of a cybersecurity risk management framework.

1. An Effective Model

There’s no need to reinvent the wheel completely. Various organizations have already developed effective models for a cybersecurity risk management framework. Take time to review them when customizing a solution for your nonprofit. See some examples below:

• NIST Cybersecurity Framework
• ISO 27001 and ISO 27002
• SOC2
• NERC-CIP
• HIPAA
• GDPR
• FISMA

2. End-to-End Scope

Be sure your framework addresses everything your nonprofit needs to protect from one end to the other and everything in between. Be cognizant of how interconnected everything is, including networks, mobile devices, and computers. Protecting the scope of cybersecurity requires having someone who is dedicated to assessing existing and emerging threats and prioritizing them. Risk assessments must consider inside and outside perspectives.

3. Risk Assessment Threat Modeling

Nonprofits generally lack the resources to cover every base related to cybersecurity. For this reason, it’s crucial to thoroughly assess risks and prioritize them. Be sure to assess the likelihood that a risk could happen, as well as the amount of damage that could potentially occur. For example, how much money could your nonprofit lose if impacted by a threat?

4. Proactive Incident Response Modeling

Develop processes to prevent attacks by implementing firewalls and having parameters for passwords. Also, consider how to respond to a cyberattack when it happens, and develop a plan for limiting the damage it could cause. Store your cyber response plan on your board management platform so it’s easy to access should a dreaded cyberattack occur.

5. Dedicated Cybersecurity Resources

Your nonprofit board must allocate sufficient resources to support your cybersecurity risk management framework. Ensure that your IT team has the most updated training on cybersecurity risk management.

National Institute of Standards and Technology (NIST) Model

Most nonprofit boards understand that they need to improve their cybersecurity risk management. Boards are also learning more about the components that go into a cybersecurity risk management framework.

The National Institute of Standards and Technology (NIST) has developed a model that works for most organizations.

NIST encourages organizations to create a framework where everyone speaks about cybersecurity and risk management using the same language. They also recommend using extensive collaboration with all areas of the organization to get clarity about the current state of cybersecurity efforts. The initial vantage point becomes the basis for identifying strengths and weaknesses, evaluating processes and tools, and examining internal and external communications processes.

NIST recognizes that basic frameworks must continually evolve because of the rapid rate of technological changes of today. You can find the latest updates on the NIST website.

NIST gives organizations specific ways to break down core functions into categories. The five core functions are:

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

NIST recommends that nonprofits tailor security controls to their operational functions, systems, and operating environments. This step requires organizations to incorporate regulations, emerging threats, and technological advances. If it appears that updating and reworking cybersecurity systems is becoming cost-prohibitive, NIST recommends striving to find a good balance between developing the best cybersecurity efforts possible at the most reasonable and affordable cost.

Just as nonprofits take stock of their cybersecurity processes at the onset of the process of building a cybersecurity risk management framework, it’s just as important to perform a layout of all the newly added security controls and processes. Stepping back and taking a bird’s-eye view helps to make sure the plan is comprehensive and that managers implemented the intended tools and processes as planned.

The newly formed framework will aid your organization when you audit and analyze the cybersecurity framework in the future. It’s for the reasons listed here that BoardEffect has chosen to use a NIST framework to ensure the security of mission-driven organizations’ work.

Shifting From Reactive Measures to a Strategic and Proactive Cybersecurity Framework

You will see the true impact of your new framework once it has had some time to work in real time. Managers and board directors will need to monitor the new infrastructure carefully. The system may require some tweaks and adjustments, especially in the beginning. Security measures will need to evolve with emerging threats.

Not knowing where to begin simply can’t be an excuse for doing nothing. It’s perfectly okay not knowing exactly what to do in the beginning; most organizations find that once they start moving toward building a cybersecurity risk management framework, there’s no stopping them. It’s far better to start moving in some direction and learn as you go, rather than getting stuck in “analysis paralysis” and doing nothing at all.

Be sure to include your board’s work and communications as part of the scope of end-to-end security. Board technology is an easy solution to implement in your cybersecurity risk management framework. Bolstered by a NIST framework, BoardEffect is also HIPAA and HITECH-compliant. The user permission feature gives your board complete control over access to various parts of the platform.

See how BoardEffect, a Diligent Brand, can help strengthen your charity or nonprofit’s cyber resilience. Request a demo today.