The saying “if it ain’t broke don’t fix it” is widely attributed to T. Bert (Thomas Bertram) Lance, Director of the Office of Management and Budget in President Jimmy Carter’s administration in 1977. Lance’s aim was to save money by adopting a fiscal policy that spent only on repairs that were actually needed. Over time, the phrase has come to stand for a pragmatic way of “triaging” problems. When it comes to cyber-security readiness, however, this approach is ill-advised: the fact that your organization has not experienced a security incident to date is not a rationale for maintaining the status quo, not least because the absence of a known incident may only mean that nothing has been detected yet.
Data breaches are among the leading threats in today’s digital world, with a new cyberattack occurring roughly every 39 seconds by some estimates. Non-profit organizations are increasingly targeted by cybercriminals, not only because of the wealth of personal and financial data they hold, but also because they often do not take the same precautions or devote the same resources to security as their for-profit counterparts. Small-to-medium-sized organizations of any kind are more likely to be targeted for that very reason.
The financial cost of managing a data breach is well documented. A recent study estimated the average cost of a breach in 2021 at 4.24 million dollars, a roughly 10% rise over the previous year’s figure. Although less tangible, the potential loss of trust of the nonprofit’s donors, volunteers and the community can be just as significant. Such a loss is not only difficult to restore but can also affect fundraising activities, volunteer engagement, and partnerships with other organizations for years to come.
For organizations seeking to reduce their cybersecurity vulnerabilities, a good first step is to obtain a comprehensive understanding of the current risk environment. For example, what kinds of data does your organization collect, store, share and transmit? Where and how is that data stored, who has access to it, and with what level of privilege? How does the organization transmit data? (Data transmission is often one of the most significant weak points; any time data is sent from one location to another there is a risk of interception unless it is encrypted in transit and the recipient is verified.) During the COVID-19 pandemic, the risk of insecure data transfer increased as more and more individuals began accessing critical data from personal mobile devices or keeping copies in personal cloud-storage accounts. These weak points can be identified through a data-privacy audit, and the information gathered can then be used to strengthen the organization’s cyber-readiness.
Additionally, organizations should consider implementing the following measures:
Implement (Or Update) Organization-Wide Cybersecurity Policies
The first step in securing an organization’s data is to have consistent, documented cybersecurity policies in place for all staff and volunteers to follow.
Provide Ongoing Cybersecurity Training
Next, all individuals within the organization who have access to sensitive data should receive cybersecurity training at least annually, with phishing awareness a core component since that is how most organizations are first compromised.
Focus Your Cybersecurity Efforts/Re-evaluate Third-Party Vendors
Focus on the security controls that will be most effective given your specific needs and resources. And because many breaches stem from the actions or omissions of third-party vendors that store an organization’s data, review the legal terms of all such agreements to make sure they contain appropriate terms and conditions to protect your organization, including breach-notification obligations (read Are You Protected? Five Points to Include in Every Technology Agreement).
Create A Data Retention and Deletion Policy
Most organizations collect more data than they need and hold it longer than is necessary or practical. The more data your organization stores, the greater the liability if a breach occurs. It is imperative that organizations adopt a policy that defines the types of data to be retained, how long each is kept, and how and when it is deleted once no longer needed. Deletion should cover backups and copies held by third-party vendors as well as primary systems.
Prepare for the Unexpected
Every organization needs a plan for what to do in the event of a data breach. An incident response plan helps an organization comply with applicable laws and regulations and launch a rapid, coordinated response that mitigates the damaging consequences of a breach. On a side note, the recently enacted NY SHIELD Act requires organizations that hold private information of New York residents to have both a data retention and deletion policy and an incident response plan in place, among other requirements (read The SHIELD Act – A New York State of Mind … and Privacy).