If your volunteer board of directors is well-equipped to handle potential cyber incidents and protect valuable data, you can stop reading now. However, if you feel your board may not be fully cyber-ready, then you may want to read on.
In today’s technology-driven landscape, the role of nonprofit and charity boards of directors extends beyond traditional decision-making; they also hold the responsibility of safeguarding sensitive information and upholding data security. With the increasing frequency and sophistication of cyber threats, it is imperative for volunteer boards to be cyber-ready. In part one of our two-part series on how your board can be cyber-ready, we explore:
- Board cyber risk oversight
- Key cyber risk questions to ask
- Top threats facing board members
- Cyber-readiness for volunteer boards.
Cyberattacks Are Here and Rising
Nonprofits and NGOs raise more than $30 billion annually, which naturally draws the attention of cyber criminals. Nonprofits and charities are also targeted because they are perceived to lack the staff and financial resources for effective cybersecurity in comparison to corporations.
Research by the CyberPeace Institute revealed that only 1 in 10 NGOs trains its staff regularly on cybersecurity, only 1 in 4 actively monitors its networks, and only 1 in 5 has a cybersecurity plan in place.
What’s the Board’s Cyber Risk Oversight Responsibility?
The board has a fiduciary duty to act in the best interests of the organization and its shareholders and stakeholders; this includes overseeing the organization’s cyber risk strategy. With a focus on protecting an organization’s assets and interests, boards must ensure that measures are in place to appropriately manage cyber risk and protect against cyber threats.
“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” – Stephane Nappo, CISO, Groupe SEB
Key Cyber Risk Oversight Principles
Understanding the organization’s cyber risk profile: The board should have a good understanding of the potential cyber risks facing the organization, including the likelihood and potential impact of cyber incidents.
Helping determine the organization’s level of cyber risk tolerance: No approach to cybersecurity can ever be 100% risk-free, and boards play a unique role in determining the right level of risk tolerance for the organization, accepting that a certain level of cyber risk is part of the cost of doing business.
Overseeing the organization’s cyber risk management strategy: The board should be involved in the development and oversight of the organization’s cyber risk management strategy and ensuring that it is aligned with the organization’s broader risk management strategy. Additionally, the board plays an important role in helping ensure the organization takes a broad-based approach to cyber risk management across departments, and that efforts are not “siloed” to the technology/security team.
Ensuring compliance with laws and regulations: The board should ensure that the organization is compliant with relevant laws and regulations, such as GDPR, HIPAA, PCI DSS, etc., and that appropriate measures are in place to comply with these regulations.
Reviewing the organization’s cybersecurity program: The board should regularly review the organization’s cybersecurity program to ensure that it is effective in protecting the organization from cyber threats — including insider threats.
Ensuring continuity of operations: The board should ensure that the organization has a robust backup and disaster recovery plan in place, and that the plan is regularly tested.
Communicating with stakeholders: The board should communicate the organization’s cyber risk management strategy and its incident response plan (at a high level) to stakeholders such as shareholders, employees and customers.
Five Key Cyber Risk Questions for Board Directors to Ask
Here are some cyber risk questions your board should be asking:
- How are the organization’s cyber risks communicated to the board, by whom and with what frequency?
- Has the board evaluated and approved the organization’s cybersecurity strategy?
- How does the board ensure that it is organized appropriately to address cybersecurity risks, and does management have the skill sets it needs?
- How does the board evaluate the effectiveness of the organization’s cybersecurity efforts?
- When did the board last discuss whether the organization’s disclosure of cyber risk and cyber incidents is consistent with regulations and legal compliance?
Understanding Cybersecurity vs. Cyber Resilience/Cyber Readiness
The terms “cybersecurity” and “cyber resilience” may appear interchangeable as they both relate to cyber safety and have the same goal of safeguarding against cyberattacks, but they are not quite the same.
When we talk about “cybersecurity” we are referring to the various technologies, human activity, processes, methods and governing policies put in place by security teams to protect an organization’s digital assets, computer networks and systems against cyberattacks. Cybersecurity creates a barrier — such as antivirus, firewalls, locked computer screens, awareness and employee training.
“Cyber resilience” or “cyber readiness” is an organization’s capacity to prepare, respond and recover when a cyberattack is successful. Becoming cyber resilient means having precautionary measures in place which, if a breach does occur, help to mitigate the impact. These measures support business continuity, reduce loss of productivity and help the organization to get onto the path to recovery more quickly.
Top Threats Facing Board Members
Did you know that CEOs and board members are 12 times more likely to be the target of a cyberattack? The top three threats facing CEOs, board members and other executives are:
- Business Email Compromise (BEC): uses your authority against you
- Personal mobile devices: put your documents at risk
- Public Wi-Fi: a cybersecurity minefield
IT and cybersecurity aren’t just about protecting documents and data these days. It’s about people, too. Gone are the days when cybercriminals would waste their time chasing small targets. Nowadays, they operate just like any other business. They demand a high return on their investment.
Business Email Compromise (BEC)
Phishing emails have been around for decades, but this latest variation – commonly referred to as Business Email Compromise (BEC) – is designed to play on the inherent trust given to those at the top of the organization by secretaries, assistants and other members of staff.
Those in the C-Suite don’t just have access to data. They have authority, which is often unquestioned. New phishing emails harness this inherent trust, impersonating high-ranking executives with emails to staff that ask for important information, access details, or even monetary payments.
Phishing attacks continue to be a major threat to nonprofit organizations: one in three employees is likely to click on a suspicious link or email, or to comply with a fraudulent request.
One of the biggest vulnerabilities for organizations is the fact that 80% of board trustees are still using only usernames and passwords, and nearly 60% rely on security questions for account access. Is your organization using two-factor authentication (2FA), a security system that requires two separate, distinct forms of identification for access?
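As an added example that is not part of the original post, the following Python sketch shows how a mail filter could flag the executive-impersonation pattern described above: an executive’s display name arriving from an address that is not the one on file, combined with a request for money or access and pressure to act quickly. The executive list, sample messages and keyword lists are constructed assumptions for the example.

```python
import re
from email.utils import parseaddr

# Constructed for this example: executives whose instructions staff tend to
# follow without question, keyed by lower-case display name -> address on file.
EXECUTIVES = {"jane doe": "jane.doe@example-charity.org"}

# Phrases matching the requests the text describes (information, access details
# or payments) plus the urgency/secrecy cues that pressure staff to skip checks.
REQUEST_PATTERNS = [r"\bwire transfer\b", r"\bgift cards?\b", r"\bpayment\b",
                    r"\bpassword\b", r"\blogin\b", r"\bbank details\b"]
URGENCY_PATTERNS = [r"\burgent\b", r"\bimmediately\b", r"\basap\b",
                    r"\bdo not (?:tell|call)\b", r"\bconfidential\b"]

def bec_indicators(msg):
    """Return the BEC indicators found in one message (dict with keys
    'from', 'reply_to', 'subject', 'body'). An empty list means none found."""
    found = []
    name, addr = parseaddr(msg.get("from", ""))
    addr = addr.lower()
    known = EXECUTIVES.get(name.strip().lower())
    # Display name is an executive's, but the address is not the one on file
    # (free-mail or lookalike domain): the impersonation described above.
    if known and addr != known:
        found.append("executive display name from unknown address " + addr)
    # A Reply-To that steers answers away from the visible sender is another tell.
    _, reply_to = parseaddr(msg.get("reply_to", ""))
    if reply_to and reply_to.lower() != addr:
        found.append("reply-to differs from sender")
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    if any(re.search(p, text) for p in REQUEST_PATTERNS):
        found.append("asks for payment, credentials or access")
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        found.append("urgency or secrecy pressure")
    return found

def is_suspected_bec(msg):
    """Flag when two or more indicators coincide; a single cue alone is routine."""
    return len(bec_indicators(msg)) >= 2

# Constructed sample messages: one genuine board mail, one impersonation attempt.
GENUINE = {"from": "Jane Doe <jane.doe@example-charity.org>", "reply_to": "",
           "subject": "Board packet", "body": "The agenda for Tuesday is attached."}
IMPERSONATION = {"from": '"Jane Doe" <jane.doe.ceo@gmail.com>',
                 "reply_to": "ceo.private@gmail.com", "subject": "Urgent request",
                 "body": "Process a wire transfer today. Do not call, I am in a meeting."}

if __name__ == "__main__":
    for label, m in (("genuine", GENUINE), ("impersonation", IMPERSONATION)):
        print(label, is_suspected_bec(m), bec_indicators(m))
```

The threshold of two coinciding indicators keeps an ordinary "please reply ASAP" from a colleague out of the alert queue while still catching the combination this section describes.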
Personal Mobile Devices
Laptops, phones and tablets are the ultimate convenience, but convenience comes at a cost. Mobile devices are inherently insecure and prone to being lost, misplaced or stolen. The same goes for many other portable devices the modern executive carries with them, such as USB drives and external HDDs.
Many executives also use mobile devices to serve dual purposes – for both personal and business – leading potentially to more cyber risk when accessing websites and online information.
Public Wi-Fi
Public Wi-Fi is as much a blessing as it is a curse. It’s really convenient, but also vulnerable and often one of the easiest entry points for cybercriminals looking to gain access to sensitive information. Fake networks are easy to create and hard to differentiate from the real thing. These are typically found in cafés, airports and hotels.
Using Governance Technology Helps Boards Establish a Sound Cybersecurity Framework
Using governance technology helps volunteer boards protect sensitive data, as well as prevent, mitigate and respond to cybersecurity threats.
Governance technology brings in a sound cybersecurity framework that provides:
- Controls to limit third-party access
- User-based permissions to protect sensitive information
- Robust data encryption to secure board communication
- A path for new board members to get up to speed quickly on cybersecurity policies
Given the value of the information exchanged and accessed by the board, it’s imperative to secure it as much as possible.
Board-specific technology should offer:
- Encryption of data in transit and at rest
- Multi-factor authentication
- Mobile applications that are sandboxed from the rest of the device, with the ability to remotely wipe the device if it is lost or stolen
- Ability to restrict printing and emailing from the system
- User-based permissions.
By regularly assessing and analyzing your entire system, you’re better able to spot any new vulnerabilities and emerging threats. It’s also important to educate board members about cybersecurity best practices so they are equipped to handle various types of cyberattacks.
Alongside using governance technology, boards should:
- Conduct regular security audits and training on cybersecurity
- Follow good practices in data management
- Have an emergency preparedness plan
- Have a clear vision of who-does-what after a breach
As part of its continued commitment to help boards navigate the ever-changing landscape of governance and be prepared for what’s around the corner, the Diligent Institute is now offering a course for board members to enhance their knowledge of cybersecurity risk.
See how BoardEffect, a Diligent Brand can help strengthen your nonprofit’s cyber resilience. Request a demo today.