How to make sure your Not-For-Profit is Not-For-Hackers

William Palfrey
November 04, 2020

As if 2020 wasn’t challenging enough already, many leading cyber security experts (including us) have identified a significant increase in attacks and malicious activity against Not-for-profit organisations, often exploiting remote workers and insecure corporate networks.

5 steps to protect your NFP organisation from cyber threats and security risks

If you’re responsible for private or consumer data of any kind, security experts are advising leaders to assume that, sooner or later, your organisation is likely to become a target. If it’s a matter of ‘when’ rather than ‘if’, now is clearly the time to assess your current security posture and take steps to ensure your organisation is fully compliant.

It can seem daunting, but these 5 clear steps provide an effective roadmap to securing your Not-for-Profit IT:

Understand your legal obligations

Many countries have recognised the harm caused by data breaches and have enacted significant legislation (with commensurate penalties) to ensure organisations understand their obligations. In Australia, the application of privacy policies and handling of customer data is regulated by the Australian Privacy Act which includes 13 Australian Privacy Principles (APPs) – this should be your first port of call to help you get a clearer picture of your obligations.

Identify and assess potential risks

Any data, information or knowledge your NFP has collected from individuals could be of value to a potential attacker. Also look for information and assets that are vital to the smooth operation of your NFP, such as accounts and passwords. Document the staff (paid and volunteer) who collect personal and sensitive information on behalf of your organisation, taking note of collection methods and storage locations. Once you have identified all ‘critical assets’, talk with your IT projects service provider so you can identify potential incidents, forecast the likelihood and impact of each incident, and explore ways to mitigate them. Record the findings and review them regularly.

Take action to prevent and mitigate breaches

The risk assessment helps you prioritise and plan your preventative action, which should consider leveraging Microsoft 365 to safeguard employees, data, and client information with enterprise-grade security, promoting good password habits and hygiene, and maintaining regular off-site data backups.

Engage your staff and volunteers

Cyber security is only as effective as the humans implementing it, so invest time in a cyber security awareness education and training program to help your staff get up to speed and comfortable with the threats and protections available. Publishing and distributing clear policy guidelines on security and data privacy, as well as a collection of information, helps set expectations amongst team members and goes a long way to ensuring ongoing compliance.

Have an action and response plan

If you wait until a crisis to plan your response, you’ve waited too long. Run scenarios and role-play responses in real-time, just as a team would practice before a game. Ensure people in your organisation know who is responsible for the various tasks as you step through the common stages of a security breach. After each exercise, review performance and update policies and procedures to improve your response.

Cyber security isn’t just good business sense – it could also help to ensure the future of your organisation. Proposed changes to government policies at both the state and federal levels indicate that ongoing public funding could become conditional on an organisation’s ability to demonstrate that it consistently meets detailed minimum security standards. Now is the time to prepare for this new level of public sector scrutiny.

Your funding may depend on your security posture

Remember - the aim of most hackers and ‘bad actors’ is not to kick in the cyber front door – they gain an advantage by remaining undetected, moving around your systems and collecting information over a long period of time. This explains why many data attacks are detected months after the initial breach.

A smart first step is to request a complimentary Dark Web Scan to ascertain whether any of your organisation’s data has already been compromised and made available for purchase on the dark web.

Our team has years of experience assisting organisations of all sizes to maintain security integrity and our complimentary Dark Web analysis can help get you started. Click here to request a cyber security assessment, and we'll be in touch personally to show you what we find.

90% of small and mid-sized organisations have a combination of stolen data for sale on the Dark Web

Your employees' email addresses and passwords are the best sellers on the Dark Web, which is a significant risk to your organisation and its services.

Get a complimentary Dark Web Analysis for your organisation so you can:

  • Find out if your organisation is exposed
  • Update compromised employee credentials
  • Get a personal presentation of your results and suggested action items