by MNA Partner for Good Nonprofit Tech Services

It’s time that nonprofits address the elephant in the room, and take proactive steps for cybersecurity.   Understanding risks and learning how to mitigate them is the first step to becoming cyber-secure and it’s not as complicated as it can be made to sound.

The term cybersecurity implies protection from threats that exist on the Internet. Before we can begin to understand cyber threats, we must first understand what we are protecting. The intent of an online presence is to expose the good work you are doing, but in doing so you may also expose valuable assets to a variety of threats. 

These assets include the systems you use to serve constituents, find donors and generate revenue for your programs. Consider what the impact would be if these systems were suddenly unavailable. 

Next, think about the information you collect, process and store. This information is likely critical to the operation of your organization but it also brings a great deal of responsibility for protecting it from unauthorized disclosure. This responsibility leads us to yet another asset that may be at risk – your organization’s reputation.  The manner with which an organization protects information entrusted to it can have a direct impact on its reputation.  Consider how a tarnished reputation would impact your organization’s ability to perform its mission. 

Poor or neglected cybersecurity is clearly a serious business risk.  Addressing cyber risk is not a technical problem, best left to the technical people to solve, it is a business risk and business leaders are responsible for understanding and managing it.

What is your organization doing to protect its systems, information and reputation? Here are a few questions that may help you assess your current state.

1. Does our Board and staff receive periodic cybersecurity awareness training?
2. Who is responsible for our cybersecurity program?
3. What is our greatest security risk?
4. Does our Board understand the impact of a data breach?
5. Do we have a deep understanding of the content we are storing?
6. Do we periodically review access permissions granted to staff?
7. Have we considered purchasing cybersecurity insurance?
8. Are we in compliance with the Payment Card Industry Data Security Standards?
9. Do we have an Information Technology Acceptable Use Policy?
10. Do we use personal email to conduct business?
11. Is cybersecurity and information handling part of our staff onboarding process?
12. How do we ensure we are following our Document Retention Policy?
13. Do we have a cyber-incident response plan?
14. What is the date of our most recent cyber-risk assessment?
15. Have we had an external assessment of our information security practices?
16. Have we enabled multi-factor authentication for our domain?
17. What layers of protection do we have in place?
18. How does remote work impact our security?
19. How does the Board execute its oversight of cyber-risks?
20. Do we have access to a technology leader?

What will you do if your organization is the victim of a data breach or is infected with ransomware?  The time to answer this question is now, before the incident has occurred. 

Mike Parrish – [email protected]
Technology Leadership Consultant
Nonprofit Tech Services
Helping Those Who Serve Montana

Check out Mike’s Partners for Good Directory listing to get in touch!