The computer systems in a non-profit organisation serve the same functions as those in any other organisation, but with an added concern: resources are tight and dependent on government grants or fundraising. Those systems are an attractive target for an attacker, because member or patient records, medical data, and other personal information are stored in them.
Attackers actively target vulnerable organisations. Non-profits, like many organisations, may not have the in-house IT expertise to protect their systems. Their managed IT providers do have the skill set, but that service may be a premium feature just beyond the resources available.
Non-profits need to do more to bolster cybersecurity to protect their clients and patrons. Like all organisations, they are beginning to take their responsibility to develop a data breach response plan more seriously.
With the rapid evolution of cyberthreats and the capability and persistence of modern cybercriminals, non-profits need to enlist the help of experts and management tooling to keep improving their defences.
Data Breach Exposes Vulnerabilities of Services for Vulnerable Populations
What Can Non-profits Learn from the Most Recent Data Breaches?
Best practice indicates that all organisations, including non-profits, should manage cybersecurity as part of their risk management program. Cybersecurity experts recommend that organisations adopt the "three lines of defence" model, whose three control mechanisms are
- management control,
- risk management,
- and the internal audit process.
These processes are also often referred to as ownership, oversight, and assurance.
The first line is management control of IT security: managing cyber risk and IT security by implementing and operating controls. The organisation, its staff and its management need to understand the vulnerabilities of their assets and set the acceptable tolerances for controlling them. In practice this means taking the lead on risk events, keeping the risk register up to date, and implementing and managing the controls that affect people, process and technology.
The second line is risk management. This area may be the catch-all for analysis, documentation, mitigation and control. Many things fall under risk management, including looking at aggregate risk at the enterprise level, ensuring legal and compliance requirements are met, and setting up quality and financial controls. This line also covers control frameworks, defines the metrics for key risk indicators (KRIs), and performs risk assessments. Risk management teams should track the actions of the first line and analyse their impact to assess how effective they are in mitigating cyber risk.
These are less operational and more oversight functions, typically carried out by the management team or the board, and they are tasked with challenging the assumptions of the first line.
The third line is internal audit. This provides independent assurance and relies on external input, typically from auditors and regulators, to evaluate the organisation's IT risk management processes. Control frameworks must be rigorous, but flexible enough to address the risks the organisation actually faces. This line challenges the previous two control mechanisms.
According to Ernst & Young, “Cybersecurity is no longer just about deflecting attackers. Today, it’s about figuring out how to manage and stay ahead of intruders who are already inside the organisation.” Board directors have to adopt cybersecurity measures that become a permanent part of how the organisation operates, now and into the future.