Is your volunteer board cyber-ready?
If your volunteer board of directors is already well equipped to handle cyber incidents and protect valuable data, you can stop reading now. If you suspect your board is not fully cyber-ready, read on.
In today’s technology-driven landscape, the role of nonprofit and charity boards of directors extends beyond traditional decision-making: they are also responsible for safeguarding sensitive information and upholding data security. With cyber threats growing in frequency and sophistication, volunteer boards need to be cyber-ready. This is part one of a two-part series on how your board can be cyber-ready (part two is “How to Make Your Volunteer Board Cyber-Ready”). In it we explore:
- Board cyber risk oversight
- Key cyber risk questions to ask
- Top threats facing board members
- Cyber-readiness for volunteer boards.
Cyberattacks are here and rising
According to the Australian Cyber Security Centre (ACSC), cyber threats are on the rise in Australia, and charities and not-for-profits are prime targets for cybercriminals. In the 2022-23 financial year the Australian Signals Directorate (ASD), which operates the ACSC, received nearly 94,000 cybercrime reports, an average of one report every 6 minutes.
Yet research carried out by Infoxchange in 2023 found that only 23% of nonprofit organisations reported having effective processes to manage information security risk, and only 13% agreed they had a clearly documented plan to improve their cybersecurity protection.
What’s the board’s cyber risk oversight responsibility?
The board has a fiduciary duty to act in the best interests of the organisation and its members and stakeholders, and that duty includes overseeing the organisation’s cyber risk strategy. With a focus on protecting the organisation’s assets and interests, boards must ensure that measures are in place to manage cyber risk appropriately and to protect against cyber threats.
“It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.” – Stephane Nappo, CISO, Groupe SEB
Key cyber risk oversight principles
Understanding the organisation’s cyber risk profile: The board should have a good understanding of the potential cyber risks facing the organisation, including the likelihood and potential impact of cyber incidents.
Helping determine the organisation’s level of cyber risk tolerance: No approach to cybersecurity can ever be 100% risk-free, and boards play a unique role in determining the right level of risk tolerance for the organisation, accepting that a certain level of cyber risk is part of the cost of doing business.
Overseeing the organisation’s cyber risk management strategy: The board should be involved in the development and oversight of the organisation’s cyber risk management strategy and ensuring that it is aligned with the organisation’s broader risk management strategy. Additionally, the board plays an important role in helping ensure the organisation takes a broad-based approach to cyber risk management across departments, and that efforts are not “siloed” to the technology/security team.
Ensuring compliance with laws and regulations: The board should ensure that the organisation complies with the laws and regulations that apply to it, such as the Australian Privacy Act and its Notifiable Data Breaches scheme, or GDPR, HIPAA and PCI DSS where the organisation handles data that falls under them, and that appropriate measures are in place to meet those obligations.
Reviewing the organisation’s cybersecurity program: The board should regularly review the organisation’s cybersecurity program to ensure that it is effective in protecting the organisation from cyber threats — including insider threats.
Ensuring continuity of operations: The board should ensure that the organisation has a robust backup and disaster recovery plan in place, and that the plan is regularly tested. A test means actually restoring systems and data from backup, not just confirming that backup jobs ran, and at least one copy of the backups should be kept offline or otherwise out of reach of an attacker who has compromised the live systems.
Communicating with stakeholders: The board should communicate the organisation’s cyber risk management strategy and its incident response plan (at a high level) to stakeholders such as funders, members, employees and the people the organisation serves.
Five key cyber risk questions for board directors to ask
Here are some cyber risk questions your board should be asking:
- How are the organisation’s cyber risks communicated to the board, by whom and with what frequency?
- Has the board evaluated and approved the organisation’s cybersecurity strategy?
- How does the board ensure that it is organised appropriately to address cybersecurity risks and does management have the skillsets it needs?
- How does the board evaluate the effectiveness of the organisation’s cybersecurity efforts?
- When did the board last discuss whether the organisation’s disclosure of cyber risk and cyber incidents is consistent with regulations and legal compliance?
Understanding cybersecurity vs. cyber resilience/cyber readiness
The terms “cybersecurity” and “cyber resilience” may appear interchangeable as they both relate to cyber safety and have the same goal of safeguarding against cyberattacks, but they are not quite the same.
Cybersecurity
When we talk about “cybersecurity” we are referring to the technologies, human activity, processes, methods and governing policies that security teams put in place to protect an organisation’s digital assets, computer networks and systems against cyberattacks. Cybersecurity is the preventive layer: antivirus, firewalls, locked computer screens, awareness and employee training.
Cyber resilience
“Cyber resilience” or “cyber readiness” is an organisation’s capacity to prepare, respond and recover when a cyberattack is successful. Becoming cyber resilient means having precautionary measures in place which, if a breach does occur, help to mitigate the impact. These measures support business continuity, reduce loss of productivity and help the organisation to get onto the path to recovery more quickly.
Top threats facing board members
Did you know that CEOs and board members are reported to be 12 times more likely to be the target of a cyberattack? The top three threats facing CEOs, board members and other executives are:
- Business Email Compromise (BEC): uses your authority against you
- Personal mobile devices: put your documents at risk
- Public Wi-Fi: a cybersecurity minefield
IT and cybersecurity aren’t just about protecting documents and data these days. It’s about people, too. Gone are the days where cybercriminals would waste their time chasing small targets. Nowadays, they operate just like any other business. They demand a high return on their investment.
Business email compromise (BEC)
Phishing emails have been around for decades, but the variation commonly referred to as Business Email Compromise (BEC) is designed to play on the inherent trust that secretaries, assistants and other members of staff give to those at the top of the organisation.
Those in the C-suite don’t just have access to data. They have authority, which often goes unquestioned. BEC emails harness this trust by impersonating high-ranking executives (a spoofed display name, a lookalike domain, or an executive’s real but compromised mailbox) in messages to staff that ask for important information, access details, or even monetary payments.
Phishing attacks continue to be a major threat to nonprofit organisations: one in three employees is likely to click on a suspicious link or email, or to comply with a fraudulent request.
One of the biggest vulnerabilities for organisations is that 80% of board trustees are still relying on a username and password alone, and nearly 60% still use security questions for account access. Is your organisation using two-factor authentication (2FA), which requires a second, independent factor (something you have, such as an authenticator app or hardware key) in addition to the password? Note that SMS codes are the weakest form of 2FA; an authenticator app is better, and phishing-resistant methods such as FIDO2 security keys or passkeys are best, because they cannot be replayed on an attacker’s lookalike login page.
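The BEC tactics described above (a trusted executive’s name on an external address, a lookalike domain, a Reply-To that quietly redirects the conversation, and urgency around a payment) can each be checked mechanically before a message reaches a staff member. The following is an added example written for this article, not a tool from the original page or from any vendor it mentions. The organisation domain, the executive roster and the three sample messages are all constructed for illustration.

```python
"""Heuristic checks for executive-impersonation (BEC) email.

Added example, not part of the original article. ORG_DOMAIN, EXECUTIVES
and SAMPLES are assumptions constructed for illustration only.
"""
import difflib
import re
from email.utils import parseaddr
from typing import Dict, List, Tuple

ORG_DOMAIN = "example-charity.org"  # assumed organisation domain
EXECUTIVES = {                      # assumed roster: display name -> genuine address
    "Jane Chair": "jane.chair@example-charity.org",
    "Sam Treasurer": "sam.treasurer@example-charity.org",
}
# Words that typically accompany a fraudulent payment or credential request.
URGENT_PAYMENT = re.compile(
    r"\b(urgent|immediately|wire|transfer|gift cards?|invoice|confidential)\b", re.I)


def _normalise(name: str) -> str:
    """Lower-case and strip punctuation so 'Jane  Chair' and 'jane.chair' compare equal."""
    return re.sub(r"[^a-z]", "", name.lower())


def _lookalike_domain(domain: str) -> bool:
    """True when the sender domain resembles, but is not, ORG_DOMAIN."""
    if domain == ORG_DOMAIN:
        return False
    similarity = difflib.SequenceMatcher(None, domain, ORG_DOMAIN).ratio()
    org_label = ORG_DOMAIN.split(".")[0]
    return similarity >= 0.8 or org_label in domain


def assess(headers: Dict[str, str], body: str) -> List[str]:
    """Return a list of human-readable findings for one message (empty = clean)."""
    findings: List[str] = []
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Executive's display name on an address that is not their genuine one.
    known = {_normalise(n): a.lower() for n, a in EXECUTIVES.items()}
    key = _normalise(display)
    if key in known and addr != known[key]:
        findings.append(f"display name '{display}' matches an executive but address is {addr}")

    # 2. Registered lookalike of the organisation's own domain.
    if domain and _lookalike_domain(domain):
        findings.append(f"sender domain {domain} resembles {ORG_DOMAIN}")

    # 3. Reply-To diverts the conversation away from the visible sender.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Receiving gateway recorded a DMARC failure for the claimed domain.
    if "dmarc=fail" in headers.get("Authentication-Results", "").lower():
        findings.append("DMARC check failed for the From domain")

    # 5. Pressure language typical of a payment or credential request.
    if URGENT_PAYMENT.search(body):
        findings.append("body uses urgency/payment language")
    return findings


def is_suspicious(headers: Dict[str, str], body: str) -> bool:
    """Two or more independent signals is a reasonable bar for holding the message."""
    return len(assess(headers, body)) >= 2


# Constructed sample messages: one genuine, two impersonation attempts.
SAMPLES: List[Tuple[Dict[str, str], str]] = [
    ({"From": "Jane Chair <jane.chair@example-charity.org>"},
     "Reminder: board papers are in the portal for Thursday."),
    ({"From": "Jane Chair <jane.chair.exec@gmail.com>",
      "Reply-To": "payments-desk@outlook.com",
      "Authentication-Results": "mx.example-charity.org; dmarc=fail"},
     "I'm in a meeting. Please process this urgent transfer today and keep it confidential."),
    ({"From": "Accounts <accounts@examp1e-charity.org>",
      "Reply-To": "accounts@examp1e-charity.org"},
     "Updated invoice attached, new bank details."),
]

if __name__ == "__main__":
    for hdrs, text in SAMPLES:
        verdict = "SUSPICIOUS" if is_suspicious(hdrs, text) else "ok"
        print(f"{hdrs['From']}: {verdict}")
        for f in assess(hdrs, text):
            print("   -", f)
```

Run on the constructed samples, the genuine reminder produces no findings, while the Gmail message trips four checks and the lookalike-domain invoice trips two. None of these heuristics is proof on its own (executives do send urgent email, and a compromised genuine mailbox passes every header check), so treat a hit as a reason to verify the request by phone on a known number, not as a final verdict.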
Personal mobile devices
Laptops, phones and tablets are the ultimate convenience, but convenience comes at a cost. Mobile devices are easily lost, misplaced or stolen, and a device without a passcode, full-device encryption and the ability to be wiped remotely exposes everything stored on it. The same goes for many other portable devices the modern executive carries, such as USB drives and external hard drives.
Many executives also use mobile devices to serve dual purposes – for both personal and business – leading potentially to more cyber risk when accessing websites and online information.
Public WiFi
Public WiFi is as much a blessing as a curse. It is convenient, but it is also one of the easiest entry points for cybercriminals looking to reach sensitive information. It is trivial to set up a fake network (an “evil twin”) with the same name as the café, airport or hotel network, and very hard for a user to tell it from the real one. Encrypted (HTTPS) connections protect most web traffic even on a hostile network, but a rogue network can still present fake captive portals and certificate warnings; never click through a certificate warning, and prefer a personal mobile hotspot or a VPN for board business.
Using governance technology helps boards establish a sound cybersecurity framework
Using governance technology helps volunteer boards protect sensitive data, as well as prevent, mitigate and respond to cybersecurity threats.
Governance technology brings in a sound cybersecurity framework that provides:
- Controls to limit third-party access
- User-based permissions to protect sensitive information
- Robust data encryption to secure board communication
- A path for new board members to get up to speed quickly on cybersecurity policies
Given the value of the information that is exchanged and accessed by the board, it is imperative to secure it as much as possible.
A purpose-built board portal should offer:
- Encryption of data in transit and at rest
- Multi-factor authentication
- Mobile applications that are sandboxed from the rest of the device, with the ability to remotely wipe board data if a device is lost or stolen
- Ability to restrict printing and emailing from the system
- User-based permissioning.
By regularly assessing and analysing your entire system, you’re better able to spot any new vulnerabilities and emerging threats. It’s also important to educate board members about cyber security best practices so they are equipped to handle various types of cyberattacks.
Alongside using governance technology, boards should:
- Conduct regular security audits and training on cybersecurity
- Follow good practices in data management
- Have an emergency preparedness plan
- Have a clear vision of who-does-what after a breach
As part of its continued commitment to helping boards navigate the ever-changing landscape of governance and be prepared for what’s around the corner, the Diligent Institute is now offering a course for board members to enhance their knowledge of cyber security risk.
See how BoardEffect, a Diligent Brand can help strengthen your nonprofit’s cyber resilience. Request a demo today.