Cybersecurity challenges for not-for-profits: your questions answered

In a recent webinar, Cybersecurity challenges for not-for-profits, the following topics were discussed:

• The impact of data breaches to organizations
• How cyber criminals are attacking your organization
• Developing and formalizing an incident/breach response plan
• What your organization can do to reduce cybersecurity risks
• The role of the board in cyber-risk oversight

As mitigating cyber risks is top of mind, cyber specialist Mike Cullen answered a few questions that many organizations are asking. These answers can help you raise awareness about cyber risks within your organization and start developing a plan to address the risks.

How do I know where to focus my resources and efforts when assessing my organizations cybersecurity landscape?

• Begin with a risk assessment to identify the bigger risk areas and items that may exist within your organization
• Perform walkthroughs with key information technology (IT) professionals, business users, and other leaders to understand their cybersecurity practices
• Risk rank gaps in practices to determine where to focus your time and resources to address your risks

How can I raise awareness within my organization about cybersecurity and the risks that exist?

• Begin at the top – Build a security culture that encompasses all departments and operations since cybersecurity is not an IT issue, it is an organizational issue
• Advance your knowledge – Stay up to date with cybersecurity leading practices and standards (e.g., NIST, SANS, ISACA)
• Establish governance – Outline responsibilities for monitoring, evaluating, and reporting risks, both within the organization (especially senior management) and to regulatory agencies and industry organizations
• Conduct ongoing training – Ongoing education and training for all employees is critical to an overall risk management and cybersecurity strategy

What exercises can be performed to gain a feel for how my organization would handle suspicious activity or identified breaches?

• Perform social engineering exercises attempting to trick employees into giving up their usernames and passwords  
• Conduct a breach response exercise and go through the steps of your plan to evaluate its effectiveness

What are some of the key components of an effective cybersecurity management program?

• Data classification – Identify high risk or regulated data and establish data handling procedures
• Security control implementation – Establish a control framework to standardize protections for your data and systems
• Regular review of security control performance – Periodically  evaluate security controls to determine whether the cybersecurity controls are operating as intended
• Breach preparedness planning and testing – Develop a breach response plan and test it regularly
• Cyber insurance– Evaluate the organization’s cybersecurity program and decide whether to transfer certain risks through a cyber-insurance policy

What can I do to strengthen my organization’s cybersecurity program with limited resources?

• Hire external help to evaluate your program, identify risk areas, assist you in addressing the risks, and to provide you with independent and objective perspectives and recommendations

For more information on this topic, or to learn how Baker Tilly cybersecurity specialists can help, contact our team.