Cybersecurity challenges for not-for-profits: your questions answered

In a recent webinar, Cybersecurity challenges for not-for-profits, senior manager Mike Cullen discussed:

  • The impact of data breaches on organizations
  • How cyber criminals are attacking your organization
  • Developing and formalizing an incident/breach response plan
  • What your organization can do to reduce cybersecurity risks
  • The role of the board in cyber-risk oversight

As mitigating cyber risks is top of mind for many organizations, cyber specialist Mike Cullen answered a few of the questions they ask most often. These answers can help you raise awareness of cyber risks within your organization and start developing a plan to address them.

How do I know where to focus my resources and efforts when assessing my organization's cybersecurity landscape?

  • Begin with a risk assessment to identify the highest-risk areas and assets within your organization
  • Perform walkthroughs with key information technology (IT) staff, business users, and other leaders to understand their current cybersecurity practices
  • Risk-rank the gaps you find in those practices to determine where to focus your time and resources

How can I raise awareness within my organization about cybersecurity and the risks that exist?

  • Begin at the top – Build a security culture that encompasses all departments and operations; cybersecurity is not an IT issue but an organizational one
  • Advance your knowledge – Stay up to date with cybersecurity leading practices and standards (e.g., NIST, SANS, ISACA)
  • Establish governance – Outline responsibilities for monitoring, evaluating, and reporting risks, both within the organization (especially senior management) and to regulatory agencies and industry organizations
  • Conduct ongoing training – Ongoing education and training for all employees is critical to an overall risk management and cybersecurity strategy

What exercises can be performed to gain a feel for how my organization would handle suspicious activity or identified breaches?

  • Perform social engineering exercises that attempt to trick employees into giving up their usernames and passwords, and track how many employees report the attempt
  • Conduct a breach response exercise, walking through each step of your plan to evaluate its effectiveness

What are some of the key components of an effective cybersecurity management program?

  • Data classification – Identify high risk or regulated data and establish data handling procedures
  • Security control implementation – Establish a control framework to standardize protections for your data and systems
  • Regular review of security control performance – Periodically evaluate your security controls to determine whether they are operating as intended
  • Breach preparedness planning and testing – Develop a breach response plan and test it regularly
  • Cyber insurance – Evaluate the organization's cybersecurity program and decide whether to transfer certain residual risks through a cyber-insurance policy

What can I do to strengthen my organization’s cybersecurity program with limited resources?

  • Hire external help to evaluate your program, identify risk areas, assist you in addressing them, and provide independent and objective perspectives and recommendations

For more information on this topic, or to learn how Baker Tilly cybersecurity specialists can help, contact our team.