From the largest, multinational corporations to the smallest, not-for-profit organizations, nobody is immune from a cyber-attack or breach. The best that an organization can do is to understand the risk, then take steps to manage the risk and mitigate the potential impact of a breach. In order to manage cybersecurity risk, it is important to first understand what cybersecurity is and the specific impact it can have on a not-for-profit.
In essence, cybersecurity is the protection of:
While data privacy is most commonly understood as the focus of cybersecurity, cybersecurity actually has the following three objectives:
All companies and organizations are subject to specific cybersecurity-related compliance requirements, including state privacy laws. Organizations that accept credit cards for donations and program-related revenues are subject to PCI DSS requirements. Not-for-profit healthcare organizations face mandatory HIPAA security and privacy regulations. Organizations with donors or constituents in the European Union are required to comply with the new GDPR privacy rules. Additional regulations under the Single Audit Act, potentially including new compliance requirements for testing, are also under deliberation. Unfortunately, the list goes on and on.
The costs of a cyber-breach are significant, and may include: fines and penalties; technology expenditures; forensics and legal costs; constituent notification requirements; operational downtime; and distraction from mission.
One of the most significant costs to a not-for-profit is the reputational damage that can result from a breach. Donors and constituents are entrusting your organization with their assets, and in certain instances, with personal and confidential information. If you can’t protect this information or need to dedicate resources to respond to a breach instead of staying focused on mission-advancing programs, your donors and constituents will find another organization that can.
Although there is no way to fully protect your organization’s data, there are best practices that will help to manage risk and mitigate losses in the event of a breach. We suggest the following:
Managing cybersecurity risk is an iterative process, especially in the not-for-profit sector; budget and resources are always constrained and optimally dedicated to mission-supporting programs and activities. However, by understanding the importance of cybersecurity, leveraging the use of expert advisors, and focusing on continuous incremental improvement, significant risk reduction is possible.
Citrin Cooperman’s Information Technology and Not-for-Profit practice professionals can assist you in further understanding the cybersecurity and information technology risks at your organization, review your current IT environment, and provide best practices and right-sized solutions to meet your needs.