Uso Sayers is a managing director at Johnson Lambert LLP in Atlanta.
With more staff working remotely during the pandemic, associations should review cybersecurity practices and make changes when appropriate to keep member, financial, and employee data safe.
Due to the sudden shift to a remote workforce over the past few months, organizations are facing increased cybersecurity risks. Loss or theft of member, financial, or employee data could cause permanent reputational damage and is something that everyone should be cognizant of.
While implementing a cybersecurity program may sound like a monumental task, especially for smaller associations, it is possible. Associations can pragmatically implement a cybersecurity program that considers the potential risks to the organization and demonstrates management’s commitment to securing and protecting the integrity of information and systems.
Associations can have the most secure infrastructure, but if they do not educate users on the importance of employing and adhering to secure measures, cybersecurity risks remain a serious threat.
Moving forward, associations should assess the risks specific to them to determine appropriate solutions. Below are some key considerations when addressing cybersecurity risks:
Find a framework. Although nonprofits are not required to adhere to a specific cybersecurity framework, they should identify one that can be adopted as a guide for implementation of controls to mitigate cybersecurity risk.
A common framework is the NIST cybersecurity framework, which is comprehensive but can be daunting initially. The core of the framework is implementing scalable controls to protect people, processes, and technologies. Controls should be implemented to identify vulnerabilities, protect against and detect incidents or breaches, and respond to and recover from those incidents or breaches. Additionally, the New York Department of Financial Services developed a cybersecurity regulation based on the NIST framework. This regulation is a great guide to assess your current state to determine risk posture. The Center for Internet Security is another good resource.
Get committed. Obtain commitment from the board and executive leadership to mitigate cybersecurity risks. It may be necessary to educate the board on the importance of implementing security controls and supporting infrastructure to protect the organization’s network.
Bring the defenses. Employ in-depth defense with security at various layers, perimeters and networks, applications, and data. Security solutions for each layer will vary for each association. Where needed, use third parties to fill gaps that cannot be managed internally.
Secure partners. If third parties supplement the control infrastructure, consider the risks associated with such reliance. All third parties should be assessed to determine whether their access to the association’s information or systems pose a risk. Third-party relationships to consider include accounts payable, billing, accounting and bookkeeping, event planning (including virtual events), fundraising, information technology, and membership.
Train staff. Implement security training and awareness for all staff using organizational systems and data. Security awareness is one of the most important controls to implement. Associations can have the most secure infrastructure, but if they do not educate users on the importance of employing and adhering to secure measures, cybersecurity risks remain a serious threat.The format and depth of an association’s cybersecurity program will vary based on its size and the value of its assets. At a minimum, cybersecurity programs should be documented and include
More sophisticated cybersecurity programs should include an approach for managing vendors and third parties, encrypting data, and a detailed incident response plan that has been tested.
If not done already, associations should document their crisis management plan, business continuity plan, and disaster recovery plan. Cybersecurity events can have adverse effects and preparedness is one of the few factors that can mitigate the impact.