New research from the Nonprofit Technology Enterprise Network and Microsoft may sound an alarm about the cybersecurity readiness (or lack thereof) of many nonprofit organizations. The November 2018 “State of Nonprofit Cybersecurity” report, based on a survey of more than 250 organizations across the country, reveals ample room for improvement. One of the biggest takeaways is that nonprofits should do a better job of thinking about cybersecurity risks before they happen — thereby giving staff the best possible chance to minimize the damage that might occur in the wake of such an event.
IT Department Size Relates to Staff Security Training
The news is actually mixed, with both bright spots and areas of concern. For example, the majority of organizations (more than 71 percent) have policies and procedures that govern backups for data, hardware and software. But the remaining organizations either don’t have such a policy or the staff members who were surveyed aren’t aware of it. That lack of awareness can be just as damaging as not having a backup policy at all.
More than half of nonprofits (55 percent) have created a policy to guide the handling of cybersecurity risk, equipment use and data privacy. But nearly 39 percent don’t have such a policy, and 6 percent of respondents say they don’t know.
Organizations fare even less well when it comes to training their staff in cybersecurity issues. Fully 59 percent say they provide no such training. Understandably, as the report notes, organizations with a larger IT department are more likely to provide such training. That’s a challenge because many nonprofits simply lack the resources to engage a full-time IT pro.
The NTEN/Microsoft survey shows that in approximately 27 percent of organizations, IT duties are handled by a less-than-full-time person; another 16 percent have no one handling IT. These are sobering findings given that every organization, regardless of mission, is becoming more and more reliant on technology to drive and improve operations.
Security Drills and Simulations Help Nonprofit Staff Prepare for a Crisis
Based on the survey, it seems safe to say that many nonprofit staff would be caught flat-footed if their organization did experience a data breach. The majority (68 percent) lack documented policies and procedures to follow after an attack; another 11 percent don’t know of such policies. That means that staff will be trying to put out the immediate fires of the crisis while also scrambling to figure out their next move.
One readiness strategy is to conduct drills and exercises, which give staff a chance to think through a response to a data crisis, step by step. It’s a tactic that appears to be underutilized: Only 15 percent of nonprofits say they held a threat assessment exercise in the past year, and 7 percent say it’s been more than a year since their last such exercise. When it comes to conducting a simulation activity, only 7 percent of organizations have done so.
In the corporate world, cyberattack simulations can be quite sophisticated, designed to give executives as much hands-on practice as possible. The consulting firm EY, for example, gathers participants in a “crisis room” where they must go through a mock response that includes answering telephone calls, issuing a press release and responding to questions from stakeholders.
Notably, EY consultants spend half a day leading participants through the simulation, and three times that long helping them process what they learned afterward. That speaks to the most valuable part of a cybersecurity exercise: the insights that staff gain, which they can then use to improve procedures, change policies and otherwise address any weaknesses identified during the exercise.
“A well-planned and well-crafted simulation can reveal an organization’s blind spots and often leaves participants feeling more confident, better prepared and working more effectively as a team,” says Jeremy Smith of Deloitte Touche Tohmatsu Limited’s Global Center for Crisis Management.
It may be cost-prohibitive to engage a consultant to lead a nonprofit staff through a complex simulation, but leaders can find affordable ways to increase their team’s exposure to the types of issues that might arise if a data breach occurred. At the very least, facilitating ongoing conversations with staff about threats and preparedness can go a long way toward increasing the level of organizational readiness. The International Association of Privacy Professionals offers several considerations to help guide those discussions.