
Cybersecurity survey results: How boards are dealing with the threat

 

Another day, another cybercrime against a public entity or nonprofit. It’s the unfortunate truth for the city of Sheboygan, Michigan, recently targeted by a ransomware attack.

These crimes are becoming more prevalent, and we know why: public entities and mission-driven organizations are less prepared to defend themselves — at least, that is the common thinking behind these attacks. In the local press, a cybersecurity professional commented on the Sheboygan attack, “It tells you they didn’t have anything in place that was actively monitoring the different types of activity on a network.” (Ouch.) This incident raises the question: Is your board or council doing enough?

We asked public governance and nonprofit leaders to share their expertise around cybersecurity. Their responses underline the risk their entities face. Let’s take a look at these complexities as well as strategies for protecting your organization.

What leaders told us about cybersecurity

We surveyed board secretaries, executive directors, superintendents and assistant superintendents, city managers and others from the fields of education, local government and healthcare.

What are their biggest challenges?

  • Advances in technology: For 33%, the rapid rate of technological advances is the biggest challenge. A new opportunity can often come with new opportunities for criminal exploitation or simple error on the part of employees and other internal actors. Take generative AI as an example: these tools can make repetitive work tasks easier, but employees create risk when they upload sensitive information to third-party content generators.
  • Keeping up with threats: It stands to reason that advances in technology lead directly to people finding new ways to exploit them or, in the case of the gen-AI example, new ways for humans to use uninformed judgment. About 27% of respondents found keeping up with threats to be the biggest challenge. To illustrate, the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) coauthored an advisory on 2023’s top routinely exploited vulnerabilities with Australia, Canada, New Zealand and the United Kingdom. The list is chillingly lengthy.

We also asked what the board is actively doing to address cybersecurity:

  • Discussions: Just 27% are discussing cybersecurity issues “regularly.” More than half are discussing them “sometimes,” while 20% indicated “not very frequently.”
  • Training: Has the board received cybersecurity training in the past year? A resounding 73% say yes. The remainder say no or that they’re not sure.
  • Exercises: We asked if the board had participated in drills or other exercises around cybersecurity in the past year, and 40% indicated they had. The remainder indicated they hadn’t (or hadn’t yet) or are not sure.

As you see, boards are all over the map with how they are proactively dealing with cybersecurity.

Why are boards struggling with cybersecurity oversight?

When we asked respondents to share why their boards faced challenges in cybersecurity oversight, we received some valuable insight.

A public education board administrator’s answer captured the span of complexities around better preparation in today’s school leadership: a rapidly-evolving threat landscape, limited technical expertise, resource allocation and constraints, navigating regulatory compliance, cultural buy-in and the continuous challenge of incident preparedness.

Our healthcare respondents faced challenges understanding the investment required and the effects of cybersecurity on the organization and community at large, as well as identifying threats and fixing vulnerabilities.

Local government board and council representatives are struggling with continuous advances in technology, staying on top of threats and disruptive challenges in terms of technology, the organization and its people.

Nonprofit leaders cited:

  • Lack of knowledge and safety protocols
  • Keeping up with emerging threats
  • Retaining cybersecurity talent (in the face of global issues with talent supply)
  • Evolving technology

There are many areas of overlap among these industry types and leaders, and all could benefit from a few standardized practices for facing cybercrime head-on.

Best practices for public and nonprofit boards overseeing cybersecurity

Whatever your board or council is doing, it’s prudent to consider doing more. Strengthen your defenses with these tips:

  • Implement a regular discussion schedule: With just a quarter of survey respondents indicating they have regular discussions around cybersecurity, this is a great place for boards and councils to start. Add cybersecurity as a regular item on the agenda, including reports from IT leadership and other resources on the current state of the organization’s protection strategies. This can be done easily if your board management system includes document templates for meeting agendas, minutes and more.
  • Advance your cybersecurity training: Every board member needs to become a cybersecurity expert, so ongoing board development must include cybersecurity topics by default. A thorough understanding of the issues will set the board or council up to lead by example and prioritize training for all (staff, students and more). Training resources can be saved in the document library of the organization’s board management software for reuse, an economical solution.
  • Prioritize cybersecurity budgeting and resourcing: Strategic budgeting for cybersecurity can be difficult when many organizations (school boards, for example) are struggling to make ends meet. Cybersecurity, however, is one area where, as the saying goes, an ounce of prevention is worth a pound of cure. Consider the $1 million the Seattle Public Library paid in recovery costs after a ransomware attack.
  • Keep software up to date (and work with savvy partners): It’s one of the 13 best practices for the public sector, but it applies to all. In addition to promoting the importance of software patches (handled by an appropriately funded IT team), the CISA document on exploited vulnerabilities emphasizes asking software providers to discuss their security strategies.

How board management software can keep your cybersecurity strong

Your organization’s board management software is your board’s or council’s primary tool to help members contribute effectively, but the right solution — such as BoardEffect — can actively support your organization’s cybersecurity efforts.

  • BoardEffect offers a searchable document library with the ability to house and organize documents and videos as part of the board’s cybersecurity training.
  • It offers secure servers and 256-bit AES encryption, the strongest level of encryption currently available. These elements ensure privacy and security for your board’s most confidential and sensitive data.
  • With BoardEffect’s in-app, role-based security, you can ensure users have the right amount of access — no more, no less.

Diligent is committed to protecting public and nonprofit boards against the growing risk caused by ransomware, phishing attacks, human error and other types of data breaches. With tight security and usable features, BoardEffect is a key tool in your board’s fight against cyberattacks.

Ellen Glasgow

Ellen Glasgow serves as General Manager, Mission Driven Organizations for Diligent Corporation, the leader in modern governance providing SaaS solutions across governance, risk, compliance, audit and ESG. In her role, Ellen oversees the commercial team, which includes new and expansion sales, marketing, and sales development for the Diligent Governance solutions that support Mission Driven Organizations (Nonprofits, Associations, Education, Community Healthcare & Government).
