As nonprofits digitize their operations, they need to focus on protecting their data and reputation. The first step to putting a cybersecurity plan into place is to identify, analyze, and understand sources of risk.
Understand Data Sources and Risks
Before doing anything else, every organization needs to identify and classify the data it collects, transmits, processes, and stores.
When starting the identification process, nonprofits should look to see whether they collect:
- Birth dates
- Home addresses
- Email addresses
- Social security numbers
- Financial account information
- Credit card information
- IP addresses
- Healthcare information
Next, they need to know where they store this information, including the following locations:
- Mobile devices, like smartphones and tablets
- Cloud services providers, like M365, Google Suite, or Box
- Servers, both on-premises and in the cloud
- Removable hardware, like USB drives
Finally, they need to understand who has access to the data, including:
- Third-party contractors
- Third-party technology services providers
Conduct a Risk Assessment
After collecting these lists of data, places, and people, nonprofits should assess their risk. Some users pose a greater risk than others: an IT admin who can create accounts or change any information poses a higher risk than a volunteer who can only access a single computer with limited internet connectivity.
After determining the risk that each data type, user, and device poses, the organization needs to analyze the impact that a data breach would have. This means combining the likelihood that a breach would occur with the financial and reputational impact the breach would have on the organization. The resulting ranking helps nonprofits create a cybersecurity strategy that protects against a wide variety of vulnerabilities.
Drill Down on the Actual Risks
Not every risk is equal. Some assets are low risk. For example, a single computer located on-site that has no internet connection is a low-risk asset. Meanwhile, a cloud database that stores sensitive information and is outfitted with many third-party applications is a high-risk asset.
By drilling down into the actual risks, the nonprofit can decide how to prioritize its cybersecurity risk mitigation strategies. In some cases a risk is too high, so the organization chooses another approach that avoids the risk entirely; for example, if a provider does not have a strong reputation for security, the organization moves to a different provider with cutting-edge security. In other cases, the organization may decide to mitigate the risk by putting security controls in place, or to transfer the risk by purchasing cyber risk insurance.
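As an added illustration (not part of the original article), the following script turns the likelihood-times-impact reasoning above into a small risk register: each asset is described by the data categories it holds, where it is stored, whether it is internet-connected, how many third-party applications or contractors touch it, and how many privileged users it has. The sensitivity weights, scoring rules, and treatment thresholds are assumptions chosen for illustration, and the three sample assets are constructed to mirror the article's examples.

```python
from dataclasses import dataclass

# Sensitivity weights (1..5) for the data categories listed in the article; assumed values.
SENSITIVITY = {
    "birth_date": 2, "home_address": 2, "email_address": 1, "ip_address": 1,
    "ssn": 5, "financial_account": 5, "credit_card": 5, "healthcare": 5,
}

@dataclass
class Asset:
    name: str
    data_types: list         # keys of SENSITIVITY held on this asset
    internet_connected: bool  # isolated machine vs. reachable service
    third_party_apps: int     # integrations or contractors with access
    admin_users: int          # people who can create accounts or change any record
    storage: str              # "on-prem", "cloud", "mobile" or "usb"

def impact(a: Asset) -> int:
    """1..5: driven by the most sensitive data category the asset holds."""
    return max((SENSITIVITY[d] for d in a.data_types), default=1)

def likelihood(a: Asset) -> int:
    """1..5: exposure grows with connectivity, integrations, privileged users, portable media."""
    score = 1
    score += 1 if a.internet_connected else 0
    score += min(2, (a.third_party_apps + 1) // 2)       # 1-2 apps -> +1, 3+ apps -> +2
    score += 1 if a.admin_users > 0 else 0
    score += 1 if a.storage in ("mobile", "usb") else 0  # easily lost or stolen
    return min(score, 5)

def risk_score(a: Asset) -> int:
    return likelihood(a) * impact(a)

def treatment(score: int) -> str:
    """Map a 1..25 score to the article's options; thresholds are illustrative."""
    if score >= 20:
        return "avoid (change provider or stop collecting the data)"
    if score >= 10:
        return "mitigate with controls and transfer via cyber insurance"
    return "mitigate with baseline controls"

def risk_register(assets):
    """Rows of (name, likelihood, impact, score, treatment), highest risk first."""
    rows = [(a.name, likelihood(a), impact(a), risk_score(a), treatment(risk_score(a))) for a in assets]
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample assets (not real inventory data)
SAMPLE = [
    Asset("isolated on-site PC", ["email_address"], False, 0, 0, "on-prem"),
    Asset("donor database in cloud with many apps", ["credit_card", "home_address"], True, 6, 2, "cloud"),
    Asset("volunteer phone with contact list", ["email_address", "home_address"], True, 1, 0, "mobile"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE):
        print(row)
```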