Estimated Reading Time: 4 minutes
Once organizations understand what cybersecurity is and recognize that it is a threat to their operations, the next step is to assess what cyber risks the organization has. By conducting risk assessments and implementing appropriate protections, organizations can decrease the likelihood of a cybersecurity attack. Additionally, the risk assessment process often increases communication within an organization, at least temporarily, since those facilitating the assessment must speak to employees throughout the organization.
Although many risk assessment guidelines exist, standards based on the National Institute of Standards and Technology (NIST) guidelines are generally considered the best. The NIST Cybersecurity Framework includes five functions[1]:
Nonprofits, especially, should be concerned about three categories of risks and threats:
To further understand what risks an organization may face, the organization must first begin by identifying the data it collects. NIST defines risk assessments as tools “used to identify, estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.” To perform a risk assessment, begin by listing all data the organization collects and uses, and then asking who, where, what, and how. For each data type, determine 1) who owns the data, 2) where the data is stored, 3) what the level of sensitivity or confidentiality of the data is, and 4) how access controls and security measures are implemented on the data. Organizations will need to repeat this process for other digital and physical assets, including websites and servers; these assets are vulnerable to cyber-attacks as well. The next step in this process is, for each item on the list, to determine the impact of a cyber breach or attack, and the likelihood of an attack.
The protect step of the framework “supports the ability to limit or contain the impact of a potential cybersecurity event.”[2] This includes activities such as training staff on cybersecurity awareness, creating policies and procedures to protect systems and data, and strengthening access control by requiring strong passwords and controlling who has access to data and when. Protecting against potential cyber events translates to proactively implementing security protocols to make an organization’s systems and data more difficult for attackers to access. Detecting cybersecurity events is more challenging, as “cybersecurity incidents are often difficult to detect.”[3] In fact, attackers reside within a system on average 146 days before being detected.[4] To effectively carry out this function, organizations should implement continuous monitoring software to alert organizations of any anomalies in the system.
Should an organization fall victim to a cybersecurity attack, the primary goal in responding to the incident is to contain, or prevent the spread and impact, of the attack. Organizations will need to communicate with a variety of internal entities, including legal, HR, and IT, and external entities, including law enforcement, clients, and donors, as appropriate. Organizations must
also analyze how hackers were able to access the system, and update protocols to prevent future attacks. Recovering from a cybersecurity attack requires organizations to restore functionality to the pre-attack state. Organizations that regularly backup data and systems will have an easier time restoring information and operations.
The NIST Cybersecurity Framework is intended to scale with an organization’s resources. All organizations should develop the capability to periodically conduct cybersecurity risk assessments, and identify, at least theoretically, steps to be taken if any data or systems are compromised. Using the risk assessment to guide conversations between an organization’s IT, finance, programs, and executive leadership, will allow the organization to understand its vulnerabilities and make informed decisions about how much risk to absorb, and how many resources should be expended to mitigate the remaining risks.
This excerpt was originally written and published by NTEN. Risk Management Essential readers can read the full copy in “Cybersecurity for Nonprofits: A Guide.” NRMC received permission from NTEN to republish this excerpt.
[1] Cybersecurity Framework: The Five Functions.
[2] Cybersecurity Framework: The Five Functions.
[3] Microsoft Inc. Nonprofit Guidelines for Cybersecurity and Privacy.
“First let me congratulate you on a conference well done. I had a great time at the Nonprofit Employee Benefits Conference and walked away with some valuable tools and questions that we’ll need to be addressing in both the short and long term. Thanks to you and your staff for all you do to provide us with quality resources in support of our missions.”
“BBYO’s engagement of the Center to conduct a risk assessment was one of the most valuable processes undertaken over the past five years. Numerous programmatic and procedural changes were recommended and have since been implemented. Additionally, dozens (literally) of insurance coverage gaps were identified that would never have been without the work of the Center. This assessment led to a broker bidding process that resulted in BBYO’s selection of a new broker that we have been extremely satisfied with. I unconditionally recommend the Center for their consultative services.
“Melanie Herman has provided expert, insightful, timely and well resourced information to our Executive Team and Board of Directors. Our corporation recently experienced massive growth through merger and the Board has been working to better integrate their expanded set of roles and responsibilities. Melanie presented at our Annual Board of Director’s Retreat and captured the interest of our Board members. As a result of her excellent presentation the Board has engaged in focused review which is having immediate effects on governance.”
“The Nonprofit Risk Management Center has been an outstanding partner for us. They are attentive to our needs, and work hard to successfully meet our requests for information. Being an Affiliate member gave us access to so many time- and money-saving resources that it easily paid for itself! Nonprofit Risk Management Center is truly a valued partner of The Community Foundation of Elkhart County and we are continuously able to optimize staff time with the support given by their team.”
“The board and staff of the Prince George’s Child Resource Center are extremely pleased with the results of the risk assessment conducted by the Nonprofit Risk Management Center. A thorough scan revealed that while we are a well run organization, we had risks that we never imagined. We are grateful to know that we have now minimized our organizational risks and we recommend the Center to other nonprofits.”
Great American Insurance Group’s Specialty Human Services is committed to protecting those who improve your communities. The Center team has committed to delivering dynamic risk management solutions tailored to nonprofit organizations. These organizations have many and varied risk issues, hence the need for specialized coverage and expert knowledge for their protection. We’ve had Melanie speak on several occasions to employees and our agents. She is always on point and delivers such great value. Thank you for the terrific partnership and allowing our nonprofits to focus on their mission!