In part one of our two-part series on board cyber-readiness, we explored board cyber risk oversight and some of the top threats facing board members.
In this second part, we’ll take a deeper look at the risks of board members not being cyber-ready, examine new board member recruitment vs. upskilling existing members, and outline some best practices for cyber-readiness for your mission-driven organization.
Risks of Board Members Not Being Cyber-Ready
Nonprofits, like any other type of organization, rely heavily on technology and digital infrastructure for communication, data management, fundraising, and more.
Having nonprofit board members who are not cyber-ready can expose the organization to a range of risks and vulnerabilities. Here are just a few of the risks associated with your board members not being cyber-ready:
- Data Breaches: Board members often have access to sensitive information about donors, volunteers, beneficiaries, and the organization’s operations. If they are not knowledgeable about cybersecurity best practices, they might inadvertently expose this data to unauthorized individuals or malicious actors, leading to data breaches.
- Financial Loss: A cyber incident can result in financial loss due to legal fees, fines, the cost of notifying affected parties, and potential lawsuits. Moreover, a loss of trust could lead to a decrease in donations and funding.
- Reputational Damage and Loss of Trust: A data breach or cyber incident can damage the nonprofit’s reputation, making it harder to attract donors and volunteers. Negative media coverage and public perception can have long-lasting effects. Nonprofits depend on the trust of their stakeholders, including donors, volunteers, and beneficiaries. A cyber incident can erode this trust if personal information is compromised or misused due to board members’ lack of cyber readiness.
- Operational Disruption: Cyberattacks can disrupt the organization’s operations, including communication, fundraising, program delivery, and administrative tasks. This disruption can hinder the nonprofit’s ability to fulfill its mission.
- Limited Oversight: Board members play a crucial role in overseeing an organization’s activities, including cybersecurity. If they are not well-versed in cyber risks, they might not be able to provide effective oversight, leaving the organization vulnerable. Board members may also be held personally liable if they fail to uphold their fiduciary duty to protect the organization from foreseeable risks, such as cybersecurity threats.
- Legal and Regulatory Compliance: Nonprofits are often subject to data protection regulations, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), depending on the nature of their work. Failure to comply due to lack of cyber readiness could result in legal consequences.
To mitigate these risks, nonprofit organizations should prioritize cyber readiness by providing training and resources to board members.
Recruiting New Members vs. Training Existing Members
Having cyber-ready board members means more effective governance of those significant organization-wide cyber risks. It also means more effective conversations with management, staff and volunteers around cyber knowledge, ultimately leading to more robust cyber risk oversight.
However, there is currently a skills gap for volunteer board directors when it comes to cyber literacy. Nonprofit organizations are finding it difficult to recruit new trustees who have those necessary skills.
The choice between recruiting new members with existing cyber expertise and investing in training for existing members presents a crucial strategic decision. Recruiting new members can infuse the organization with specialized skills and fresh perspectives, potentially accelerating its cyber readiness.
On the other hand, training existing members fosters a sense of continuity and loyalty while capitalizing on their institutional knowledge, ultimately cultivating a culture of cyber awareness and vigilance across the organization.
If you are finding it too difficult to recruit new members with that expertise, look at how you can use best practices twinned with technology and training to help upskill existing board members to be cyber-ready.
Best Practices for Board Cyber-readiness
By adhering to a set of best practices, nonprofit boards can mitigate the risks associated with cyber vulnerabilities and position themselves to navigate digital threats more effectively. Best practices for board cyber-readiness include:
- Maintaining a strong cybersecurity posture
- Phishing and social engineering awareness
- Data protection measures
- Clear cybersecurity policies and procedures
- Incident response planning
- Ongoing education on cybersecurity best practices
Maintaining a Strong Cybersecurity Posture
It’s essential for nonprofit leadership to recognize that cybersecurity is not solely an IT issue but a holistic organizational concern that requires attention from all levels, including the board of directors.
Bring in third-party experts to help guide your cyber risk strategy and planning. Take advantage of the support and information available from government and other agencies on cybersecurity best practices for nonprofits.
Carry out a cyber threat analysis to identify data vulnerabilities in your organization’s processes and controls. Store the results on your board management software and use them for frequent updates and check-ins with the board.
Phishing and Social Engineering Awareness
Board members who are not cyber-ready might fall victim to phishing attacks or social engineering tactics, such as fraudulent emails or phone calls. This could lead to unauthorized access to sensitive systems or financial fraud.
All board trustees should have regular training and reminders to keep them aware of phishing. Store training materials, guidelines, videos, etc. in one place on your BoardEffect platform. The survey and poll features can also be used to help with awareness by asking board members regularly whether they are following your guidelines or quizzing them on how to deal with different scenarios and examples.
Data Protection Measures
Given the handling of sensitive information about donors, beneficiaries, and operational activities, data protection measures are of paramount importance. Establish comprehensive data protection policies that outline the proper handling, storage, and sharing of data.
Encryption should be employed to secure both data at rest and data in transit, ensuring that even if unauthorized access occurs, the information remains unreadable and unusable to unauthorized parties. Regular data backups are essential to prevent data loss due to cyber incidents, enabling quick recovery in case of a breach or system failure.
Additionally, access controls should be implemented to restrict data access based on roles and responsibilities, minimizing the risk of internal breaches.
Adherence to the data protection regulations that apply to you, such as HIPAA or GDPR, is also crucial, and nonprofits should appoint a data protection officer or designate responsible personnel to oversee compliance.
Clear Cybersecurity Policies and Procedures
Your organization needs clear cybersecurity policies and procedures to guide board members, as well as staff and volunteers, in handling technology and data. Development and implementation of these policies need oversight and management by the board.
Your organization’s policies and procedures can be stored in your board management platform for new board trustees to cover during onboarding. Look at how you can build frequent refreshers and updates for all board members as part of their “everboarding”.
Incident Response Planning
The board needs to have a clear vision of who-does-what after a breach.
A comprehensive incident response plan will outline step-by-step procedures for detecting, reporting, and responding to various cyber threats. These plans should designate roles and responsibilities, ensuring that all staff members, including board members, understand their roles in the event of a breach.
Clear communication channels and escalation protocols should be established to facilitate swift information dissemination and decision-making during a crisis. Store your cyber response plan on your board management software where board members can access it quickly.
Regular testing and simulation exercises are critical to validate the effectiveness of the incident response plan and familiarize staff with their roles under stress. It’s also good practice to establish relationships with external cybersecurity experts, legal counsel, and law enforcement agencies to ensure a coordinated response in case of a major incident.
Post-incident analysis and documentation are also vital to identify lessons learned and areas for improvement. By adopting a proactive approach to incident response planning, your organization can minimize the damage caused by cyber incidents, reduce downtime, and maintain the trust of stakeholders.
Ongoing Education on Cybersecurity Best Practices
Continual education on cybersecurity best practices is essential for your board to effectively oversee and safeguard the organization’s sensitive information. By staying updated on evolving cyber threats and prevention strategies, board members can play a pivotal role in ensuring the organization’s resilience against online vulnerabilities. Keeping existing board members trained also helps fill that cyber literacy skills gap.
With increased pressure from regulators and stakeholders for board members to upskill in cybersecurity, now is the time to build your board’s competency. The Diligent Institute Cyber Risk & Strategy Certification teaches cyber literacy for directors to effectively govern significant organization-wide cyber risks and have meaningful conversations with management, staff, volunteers and donors.
The Cyber Risk & Strategy Certification covers:
- The Cybersecurity & Regulatory Landscape
- Cyber Risk Management
- Cyber Strategy & Board Oversight
- Cyber Incidents
- Simulated Cyberattack Exercise
To find out more and discuss training and software bundles for your organization, contact the BoardEffect team.
Cyber-readiness Equals Cyber-confidence
By implementing these best practices and upskilling, you enable your board trustees to become truly cyber-ready; your board members also become more confident in cyber strategy and risk, and in their ability to meet new requirements for cyber oversight from regulators.
When a cyberattack does occur, your board and management will be prepared to act with confidence and with clarity about their roles.
Downtime, organizational shock and reputational damage, among all the other potential impacts, will also be mitigated, helping your organization to survive, sustain and grow to meet its mission.
See how BoardEffect, a Diligent brand, can help strengthen your nonprofit’s cyber resilience. Request a demo today.