How To Make Your Volunteer Board Cyber-ready

In part one of our two-part series on board cyber-readiness, we explored board cyber risk oversight and some of the top threats facing board members.

In this second part, we’ll take a deeper look at the risks of board members not being cyber-ready, examine new board member recruitment vs. upskilling existing members, and outline some best practices for cyber-readiness for your mission-driven organisation.

Risks of board members not being cyber-ready

Charities and nonprofits, like any other type of organisation, rely heavily on technology and digital infrastructure for communication, data management, fundraising, and more.

Having board members who are not cyber-ready can expose the organisation to a range of risks and vulnerabilities. Here are just a few of the risks associated with your board members not being cyber-ready:

  • Data breaches: Board members often have access to sensitive information about donors, volunteers, beneficiaries, and the organisation’s operations. If they are not knowledgeable about cybersecurity best practices, they might inadvertently expose this data to unauthorised individuals or malicious actors, leading to data breaches.
  • Financial loss: A cyber incident can result in financial loss due to legal fees, fines, the cost of notifying affected parties, and potential lawsuits. Moreover, a loss of trust could lead to a decrease in donations and funding.
  • Reputational damage and loss of trust: A data breach or cyber incident can damage the organisation’s reputation, making it harder to attract donors and volunteers. Negative media coverage and public perception can have long-lasting effects. Nonprofits depend on the trust of their stakeholders, including donors, volunteers, and beneficiaries. A cyber incident can erode this trust if personal information is compromised or misused due to board members’ lack of cyber readiness.
  • Operational disruption: Cyberattacks can disrupt operations, including communication, fundraising, program delivery, and administrative tasks. This disruption can hinder the organisation’s ability to fulfil its mission.
  • Limited oversight: Board members play a crucial role in overseeing an organisation’s activities, including cybersecurity. If they are not well-versed in cyber risks, they might not be able to provide effective oversight, leaving the organisation vulnerable. Board members may also be held personally liable if they fail to uphold their fiduciary duty to protect the organisation from foreseeable risks, such as cybersecurity threats.
  • Legal and regulatory compliance: Nonprofits are often subject to data protection regulations, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), depending on the nature of their work. Failure to comply due to lack of cyber readiness could result in legal consequences.

To mitigate these risks, charities and nonprofit organisations should prioritise cyber readiness by providing training and resources to board members.

Recruiting new members vs. training existing members

Having cyber-ready board members means more effective governance of those significant organisation-wide cyber risks. It also means more effective conversations with management, staff and volunteers around cyber knowledge, ultimately leading to more robust cyber risk oversight.

However, there is currently a skills gap for volunteer board directors when it comes to cyber literacy. Charities and nonprofits are finding it difficult to recruit new trustees who have those necessary skills.

The choice between recruiting new members with existing cyber expertise and investing in training for existing members presents a crucial strategic decision. Recruiting new members can infuse the organisation with specialised skills and fresh perspectives, potentially accelerating its cyber readiness.

On the other hand, training existing members fosters a sense of continuity and loyalty while capitalising on their institutional knowledge, ultimately cultivating a culture of cyber awareness and vigilance across the organisation.

If you are finding it too difficult to recruit new members with that expertise, look at how you can use best practices twinned with technology and training to help upskill existing board members to be cyber-ready.

Best practices for board cyber-readiness

By adhering to a set of best practices, charity and nonprofit boards can mitigate the risks associated with cyber vulnerabilities and position themselves to navigate digital threats more effectively. Best practices for board cyber-readiness include:

  • Maintaining a strong cybersecurity posture
  • Phishing and social engineering awareness
  • Data protection measures
  • Clear cybersecurity policies and procedures
  • Incident response planning
  • Ongoing education on cybersecurity best practices

Maintaining a strong cybersecurity posture

It’s essential for leadership to recognise that cybersecurity is not solely an IT issue but a holistic organisational concern that requires attention from all levels, including the board of directors.

Bring in third-party experts to help guide your cyber risk strategy and planning. Take advantage of supports and information available from the government and other agencies around best practice for charities and nonprofits on cybersecurity.

Carry out a cyber threat analysis to check data vulnerabilities in your organisation’s processes and controls. Store the results on your board management software and use these for frequent updates and check-ins for the board.

Phishing and social engineering awareness

Board members who are not cyber-ready might fall victim to phishing attacks or social engineering tactics, such as fraudulent emails or phone calls. This could lead to unauthorised access to sensitive systems or financial fraud.

All board trustees should have regular training and reminders to keep them aware of phishing. Store training materials, guidelines, videos, etc. in one place on your BoardEffect platform. The survey and polls features can also be used to help with awareness by asking board members regularly if they are following your guidelines or quizzing them on how to deal with different scenarios and examples.

Data protection measures

Given the handling of sensitive information about donors, beneficiaries, and operational activities, data protection measures are of paramount importance. Establish comprehensive data protection policies that outline the proper handling, storage, and sharing of data.

Encryption should be employed to secure both data at rest and data in transit, ensuring that even if unauthorised access occurs, the information remains unreadable and unusable to unauthorised parties. Regular data backups are essential to prevent data loss due to cyber incidents, enabling quick recovery in case of a breach or system failure.

Additionally, access controls should be implemented to restrict data access based on roles and responsibilities, minimising the risk of internal breaches.

Adherence to relevant data protection regulations that you have to comply with, such as GDPR, is also crucial, and nonprofits should appoint a data protection officer or designate responsible personnel to oversee compliance.

Clear cybersecurity policies and procedures

Your organisation needs clear cybersecurity policies and procedures to guide board members, as well as staff and volunteers, in handling technology and data. Development and implementation of these policies needs oversight and management by the board.

Your organisation’s policies and procedures can be stored in your board management platform for new board trustees to cover during onboarding. Look at how you can build frequent refreshers and updates for all board members as part of their “everboarding”.

Incident response planning

The board needs to have a clear vision of who does what after a breach.

A comprehensive incident response plan will outline step-by-step procedures for detecting, reporting, and responding to various cyber threats. These plans should designate roles and responsibilities, ensuring that all staff members, including board members, understand their roles in the event of a breach.

Clear communication channels and escalation protocols should be established to facilitate swift information dissemination and decision-making during a crisis. Store your cyber response plan on your board management software where board members can access it quickly.

Regular testing and simulation exercises are critical to validate the effectiveness of the incident response plan and familiarise staff with their roles under stress. It’s also good practice to establish relationships with external cybersecurity experts, legal counsel, and law enforcement agencies to ensure a coordinated response in case of a major incident.

Post-incident analysis and documentation are also vital to identify lessons learned and areas for improvement. By adopting a proactive approach to incident response planning, your organisation can minimise the damage caused by cyber incidents, reduce downtime, and maintain the trust of stakeholders.

Ongoing education on cybersecurity best practices

Continual education on cybersecurity best practices is essential for your board to effectively oversee and safeguard the organisation’s sensitive information. By staying updated on evolving cyber threats and prevention strategies, board members can play a pivotal role in ensuring the organisation’s resilience against online vulnerabilities. Keeping existing board members trained also helps fill that cyber literacy skills gap.

With increased pressure from regulators and stakeholders for board members to upskill in cybersecurity, now is the time to build your board’s competency. The Diligent Institute Cyber Risk & Strategy Certification teaches cyber literacy for directors to effectively govern significant organisation-wide cyber risks and have meaningful conversations with management, staff, volunteers and donors.

The Cyber Risk & Strategy Certification covers:

  • The Cybersecurity & Regulatory Landscape
  • Cyber Risk Management
  • Cyber Strategy & Board Oversight
  • Cyber Incidents
  • Simulated Cyberattack Exercise

To find out more and discuss training and software bundles for your organisation, contact the BoardEffect team.

Cyber-readiness equals cyber-confidence

By enabling your board trustees to become truly cyber-ready through these best practices and upskilling, your board members also become more confident in cyber strategy and risk, and in their ability to meet new requirements for cyber oversight from regulators.

When a cyberattack does occur, your board and management will be prepared to act with confidence and with clarity about their roles.

Downtime, organisational shock and reputational damage, among all the other potential impacts, will also be mitigated, helping your organisation to survive, sustain and grow to meet its mission.

See how BoardEffect, a Diligent Brand can help strengthen your nonprofit’s cyber resilience. Request a demo today.

Jill Holtz

Jill is a Content Strategy Manager at Diligent. Her strategy background and content expertise working across a variety of sectors, including education, non-profit and with local government partners, allows her to provide unique insights for organizations looking to achieve modern governance.
