CYBER SECURITY: NON-PROFIT
Can you afford not to manage your cyber security?
Reputation is everything to a nonprofit organization—and a data breach can destroy a reputation in one fell swoop. That’s why, time and again, our lengthy list of nonprofit clients asks us what they should be doing to better protect themselves—and what, exactly, they should be protecting themselves against.Is your business prepared in the event of a cyber security breach? Now is the time to take stock of your cyber security health, including the importance of securing information through best cyber security practices; identifying your risk and the types of cyber threats; and learning best practices for guarding against cyber threats. Cyber security should now be a major concern of any non-profit that collects client data including personal information like date of birth, where they live, any health records, or credit card information. A cyber security threat can range from being merely inconvenient to life-threatening, or can cause your non-profit it's donors.
Have you ever wondered if you, as Director or Board Member if your non-profit is prepared to deal with a cyber security failure in your organization? Are there all the necessary systems in place? Do you have enough resources and is there enough careful planning to keep any attack from interrupting your organization’s activity and causing it individual, financial or reputation damage?
At POWERNET, we support non-profit's by offering a 50% discount on all of our service cost. We know a non-profit can not afford the standard rate, but need the services of a cyber security management team. We have years of cyber security management, expertise in helping you identify your policies & procedure, focus on potential vulnerabilities and implement sound data breach prevention practices for effectively securing your sensitive information.
What are cyber criminals after when they target non-profits?
Nonprofit organizations handle volumes of sensitive data every day. From donor information to client financial records, and confidential emails, nonprofit organizations are the keepers of data that is extremely valuable—especially on the black market. Nonprofit organizations must now fend off ever-present cyber attacks—the threat of cyber criminals. POWERNET will act as your CIO / CISO through our CIO Consulting Solutions. We also have other Cyber Security GRC and Managed Technology Solutions that your non-profit can benefit from.
Cyber Security must be addressed at the most senior levels
With your limited resources, keeping secure is often overlooked. But nonprofit cyber security needs should be top of mind. Nonprofits store a ton of personal information online. Information such as donor data, credit card information, staff employment and health insurance. Imagine how your donors would feel about sharing any information, were there a breach in cyber security putting them at risk. In many organizations, cyber security has been treated primarily as a technology issue. Most respondents believe that Executive Directors have too little understanding of the cyber security risks and business implications to discuss the trade-offs for investment, risk, and user behavior. A few institutions have started to make cyber security a key part of business strategy rather than technology governance.
Refresh cyber security strategies to address rapidly evolving organizational needs and threats - We heard many respondents say that Directors and Boards inquire how to “solve” cyber security. Non-profit organizations need to acknowledge that it is an ongoing battle. New digital assets and mechanisms for accessing them simply mean new types of attacks. In addition, non-profit organizations must make cyber security, such as the information security measures that need to be implemented before entering new geographies, a key part of the organizational case for major initiatives.
What should Board of Directors do to ensure that cyber security is sufficiently addressed?
At leading organizations, cyber security should be a constant item on the agendas of Directors and boards. To stay ahead of the threats, executives must engage in an ongoing dialogue to ensure their strategy continually evolves and makes the appropriate trade-offs between organizational opportunity and risks. We believe this dialogue should start with a number of critical questions:
- Who is responsible for developing and maintaining our cross-functional approach to cyber security? To what extent are organizational leaders owning this issue?
- Which information assets are most critical, and what is the “value at stake” in the event of a breach? What promises—implicit or explicit—have we made to our client and donors to protect their information?
- What roles do cyber security and trust play in our client protection—and how do we take steps to keep data secure and support the end-to-end client experience?
- How are we using technology, organizational processes, and other efforts to protect our critical information assets? How does our approach compare with that of our peers and best practices?
- Is our approach continuing to evolve, and are we changing our organizational processes accordingly?
- Are we managing our vendor and partner relationships to ensure the mutual protection of information?
- As an industry, are we working effectively together and with appropriate government entities to reduce cyber security threats?
- Do we as a non-profit organization have enough cyber insurance to cover all of our risk?
As more value migrates online and non-profits adopt more innovative ways of interacting with clients and donors, the cyber security challenge will only increase. Since the virulence and sophistication of assaults and complexity of IT environments have risen rapidly, addressing this challenge requires solutions that cut across strategy, operations, risk management, and legal and technology functions. Organizational need to make this a broad management initiative with a mandate from Board of Directors in order to protect critical information assets without placing constraints on organizational innovation and growth.
Cyber Security is a challenging field and you’ve probably already seen that even big companies suffer from data breaches and cyber attacks, and they have a lot more resources than a non-profit. But the numbers show that your organizational is more vulnerable to attack than you may realize, because of the issues above and many more. Cyber Security is a concern for organizations of all sizes.
What Can I to Reduce the Risk?
Non-Profits may not fully appreciate their Internet risk exposure, nor have the time, money or expertise to invest in the sophisticated technologies and internal programs that their big business counterparts are able to afford. But there are steps non-profits can take to improve security and mitigate their potential financial loss even with a limited budget. These three controls are a good place to start.
- Build a Security-aware Organization
Cyber security isn’t just about preventive technology; it requires the awareness and participation of everyone within the organization. A top-down approach, beginning with policies and procedures that are sanctioned by the business owner or a team of senior managers, conveys to employees the importance of information security and the need for their collective effort to protect the company’s assets.
- A written technology security plan that identifies the organization’s security policies, goals and priorities. At a minimum, at POWERNET, we set forth policies for network security; use of company email, social media, instant messaging and the Internet in general; the handling of proprietary company information; and activities that are prohibited on company-owned devices, networks and other resources.
- Many state regulators request written cyber security plans when investigating organizations with clients that have experienced a security breach. Having a plan in place not only establishes internal policy for employees, it can also demonstrate to regulators and customers that security is a priority for the organization.
- An inventory of the organization’s core assets and sensitive data, where it is stored and who within the organization has the authority to access it. Include personally identifiable information (PII) for employees and clients (such as social security numbers, healthcare records, credit card numbers, etc.), bank account data, organizational intellectual property and any other information that could damage the organization if it got into the wrong hands.
- Access control. Limit access to computers, company networks and confidential data based on an employee’s need to know.
- Employee training programs. Workplace security depends upon a workforce that is trained in company protocol, alert to the signs of a potential breach and knows how to respond. POWERNET can provide the training on basic security practices and policies which is essential. Phishing awareness exercises can further help employees recognize and avoid email, websites and phone calls that are designed to infiltrate organizational systems or steal personal information.
- Establish Security Safeguards
The following baseline measures are recommended to help safeguard organizational sensitive data from unauthorized access and use:
- Encryption for laptops, desktops and mobile devices. Encryption encodes information so that only the person (or computer) with the key can decode it. While it is not a full security solution, encryption remains highly recommended for all devices, especially those that contain sensitive information. Most newer model mobile phones and tablets come with auto-encryption software preinstalled. Many privacy and consumer protection statutes also recognize the importance of encryption in protecting client’ information and provide safe harbors within the statutes to incentivize businesses to adopt the control.
- Cloud service providers. Outsourcing security management to cloud-based providers is an increasingly viable alternative to an in-house security program. Cloud providers offer expertise in identity and vulnerability management that the non-profit organization needs but often lacks while helping to lower the non-profit’s operating costs. However, non-profit organizations should negotiate with providers to ensure they get the security and privacy services that best serve their company’s protection needs.
- Password protection and authentication controls Passwords are the primary means for controlling access to sensitive data resources. Change default passwords and require complex passwords with a variety of types of characters that must be changed every 90-120 days. Multi-factor authentication may be required depending on the type of data being accessed or the source (such as remote users).
- VPN (virtual private network) for remote access. For organizations with remote users, VPN provides a secure channel through the Internet to the non-profit organization’s private network. VPN controls include encryption of all data that is transmitted over the channel, multi-factor authentication, strong passwords and automatic timeouts after a period of inactivity.
- Vendor security. non-profit organizations need assurance that any vendors with which they share organizational information makes security a priority. Before entrusting your data to a third party, get in writing the vendor’s specific controls for protecting sensitive information and augment them with additional controls if necessary. Also require the vendor to return or destroy all sensitive information upon termination of the contract.
- Prepare for the Worst, Hope for the best!
A security breach is a near certainty for non-profit organizations today – more a matter of when, not if, one will occur. For non-profit organizations, preparedness is key to surviving the fallout. An incident response plan (IRP) prescribes the way a business will respond to and manage the effects of a security attack. Its goal is to limit the damage and reduce recovery time and costs. All non-profit organizations should prepare an IRP that includes the following components:
- Identification of an incident response team like POWERNET, at minimum, security staff who are system-savvy and a manager authorized to make decisions on behalf of the organization
- Clear delineation of possible incidents (such as unauthorized access or malicious code) and how to identify and contain them based on the non-profit organizations impact (confidential client data vs. intellectual property)
- Procedures for eradicating the root cause of the attack and all traces of malicious code, restoring data and software, and monitoring systems for any remaining signs of weakness
You may not fully appreciate their Internet risk exposure, nor have the time, money. But there are steps you can take to improve security and mitigate their potential financial loss. These three questions you should ask:
- When was the last time you met with IT management to determine possible areas of concern?
There are many priorities in a non-profit organization’s daily activities, and sometimes cyber security doesn’t rank in the top 5 or even among the top 10. But don’t be surprised if you should find yourself in the situation. Cyber security isn’t just about preventive technology; it requires the awareness and participation of everyone within the organization. A top-down approach, beginning with policies and procedures that are sanctioned by the Director or Board, conveys to employees the importance of information security and the need for their collective effort to protect the non-profit organization’s assets.
- When did you last look at your policies and procedures of your non-profit organization’s critical assets?
Do you have a cyber security policy in place? If not, you should definitely create and implement one to give your team a set of guidelines to follow when it comes to information security. A compliance policy won’t do. You need one dedicated to protecting your non-profit organization’s confidential information and intellectual property.
A cyber security policy or an information security policy ensures that all the hard work you put into building your company is shielded from cyber criminals. This will be your written plan to handle any and all issues related to cyber security, from encrypting and backing up data to handling a crisis situation in the event of a data breach. POWERNET can get started and help you personalize one according to your needs.
Content is created all the time in your organization. Data flows through numerous channels, but do you have tight defenses around your most valuable assets? It’s essential for all key people in the company to know what these assets are and how they are protected. Don’t skimp on resources with this respect, because having critical data compromised could have lasting negative effects on how the company operates. Here are some of the elements to include in your non-profit organization’s cyber security policy:
- Acceptable Use Policy – an Acceptable Use Policy (AUP), acceptable usage policy or fair use policy, is a set of rules applied by the owner or manager of your non-profit organization’s network that restrict the ways in which the network or system may be used.
- Internet Access Policy – this policy applies to all Internet users (individuals working for the company, including permanent full-time and part-time employees, contract workers, volunteers, partners, and vendors) who access the Internet through the computing or networking resources.
- Email, Passwords and Communications Policy – this policy regulates the way email and other communication channels specific to the company are used. Passwords are the primary means for controlling access to sensitive data resources. Change default passwords and require complex passwords with a variety of types of characters that must be changed every 90-120 days. Multi-factor authentication may be required depending on the type of data being accessed or the source (such as remote users).
- Network Security Policy – a network security policy, or NSP, is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the non-profit organization’s security environment.
- Remote Access Policy – the remote access policy is a document which outlines and defines acceptable methods of remotely connecting to the internal network. It is essential in non-profit organizations where networks are geographically dispersed and extend into insecure network locations such as public networks or unmanaged home networks.
- BYOD Policy – a BYOD policy, or bring-your-own-device policy, is a set of rules governing your non-profit IT department’s level of support for employee-owned PCs, smartphones and tablets. If not set, it could be a nightmare.
- Encryption Policy – the purpose of an encryption policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.
- Do you have a cyber security incident response plan in place? Are there a set of predefined communication guidelines that can be used in the event of a security failure?
A security breach is a near certainty for businesses today – more a matter of when, not if, one will occur. Preparedness is key to surviving the fallout. An incident response plan (IRP) prescribes the way a business will respond to and manage the effects of a security attack. Its goal is to limit the damage and reduce recovery time and costs. There are 6 common categories of costs when it comes to cyber security threats:
- Reputation and brand damage
- Lost productivity due to downtime or system performance
- Lost revenue due to system availability problems
- Cost of repair to network & forensics to determine root causes
- Technical support to restore systems
- Compliance and regulatory failure costs.
Find an Insurance Carrier that Provides More than Just Coverage
At POWERNET, we will help you for free find a great insurance carrier. Always work with your insurance carrier to ensure that any procedural requirements for coverage are integrated into your final plan. Having appropriate cyber insurance coverage is just as important as having best practice-based policies and procedures in place. Partnering with the right insurance carrier can help SMBs proactively improve their cyber security posture and reduce financial losses. Experienced carriers need to provide full breach risk management solutions to help SMBs prevail in the face of an inevitable security event.
POWERNET will work with owners and executive teams to help you be proactive against your cyber security risks. POWERNET has both hourly and retainer contract rates, if you are interested in our services, feel free to call us at our offices at 256-489-8425 with the type of service you need, or just fill out this form.