Armanino Blog

Nonprofits & Digital Risks: 6 Questions For Your Board

by Ryan Prindiville
July 13, 2017

Reputation is a nonprofit’s most valuable asset, and it can be decimated in one fell swoop by a hacker. Consider the 2016 ransomware attack that forced D.C.-area nonprofit MedStar Health to shut down its computer system for several days. Inside sources told The Washington Post that the inability to access medical records delayed appointments and slowed access to lab results―creating a potentially life-threatening situation.

What would be the impact on your constituents if your services were disrupted? How would donors or employees react to news that their credit card numbers or other confidential information had been compromised? Cybersecurity is one of the top issues facing nonprofits today, yet few have controls and processes in place to protect the sensitive data they collect, not to mention their finances and reputation.

What should your nonprofit do right now to avoid being the headline of the next scary cyber story? Hint: It has nothing to do with buying expensive technology to secure your perimeter. You can start to mitigate your digital risks by taking the time to talk about cybersecurity at the board level immediately.

What to Ask Your Board
The best protection begins with an honest conversation with your board of directors. Don’t wait to have this discussion until you have all the answers. Make addressing digital risks, on a wide variety of fronts, a regular part of the board meeting agenda. Start by asking your board:

1. What is at risk?
First, are your board members aware of all the different types of data your organization processes or maintains—such as names and email addresses of high-profile donors, employee social security numbers, credit card numbers and so on? What would happen if someone used your systems to launch a broader attack on others without you knowing? What would happen to your reputation and funding if your critical information was exposed or compromised? Which of your corporate donors could be at risk of a cyberattack that could be launched leveraging information or access gained from your own system?

2. What technology and process security controls should we have in place?
Cybersecurity is much more than a technology problem. Firewalls, security patches and antivirus software are just table stakes for playing in the digital world. It’s the people, processes and governance structures that determine whether those technology tools protect your organization’s sensitive data and information systems.

Also known as the “human firewall,” people can take steps that either strengthen or weaken the technology controls you have in place. Do all your staff, members and volunteers know to be wary of unsolicited attachments? Are they aware that they could be putting the organization at risk, even accidentally? And how many of them think that logging into their work email using public Wi-Fi is completely harmless? (It’s not.)

3. Do we have the right people on the board?
One of the best ways to strengthen your organization’s digital defenses is to have people in leadership who will make cybersecurity a priority. If your board lacks cyber expertise, make it a priority to recruit someone who understands the need for strong cybersecurity. Consider creating a board sub-committee that will take responsibility for overseeing the cybersecurity program.

4. What is the board’s fiduciary responsibility?
Also drive home to board members their own fiduciary responsibility to make sure that systems and controls are in place to effectively manage the risk of cyberattacks. As they determine the nonprofit’s strategic priorities, board members need to understand the importance of setting aside enough money to protect the nonprofit, its constituents and themselves.

5. What level of risk are you willing to accept?
In every organization, there are “crown jewels” that would cause significant damage to your organization’s reputation if they were compromised — for example, personally identifiable information for donors. And then there is the information that is either publicly available or would have a much lower impact to your reputation.

By failing to talk about these different classes of data and how they should be protected, many organizations make the “accidental” decision either to do nothing or to treat them all equally. Discussing your organization’s risk tolerance for different types of assets allows you to make intentional decisions about where and how to dedicate your security resources.

6. Where is our security perimeter?
A building has a clear, physical perimeter that can be defended. When it comes to cybersecurity, that perimeter is amorphous. It’s extended by every device your employees use to download or access data remotely.

The perimeter also extends to every vendor, supplier, donor or member who has access to your organization’s data, so your risk assessment process must include the controls and safeguards those third parties have in place to protect your data.

Build Cybersecurity into Your Strategic Plan
By taking the discussion to the board level, you position your organization to build a stronger and more effective cybersecurity program. By including it in the strategic plan along with other mission-driven initiatives, you can allocate appropriate resources to fund that program. 

For help facilitating a cybersecurity conversation with your executive team and board, or for help with a cybersecurity assessment, talk to your local Armanino nonprofit expert.

July 13, 2017

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Related News & Insights
SaaS Market Trends
Between the uncertainty of 2022 and the highs of 2021, what will 2023 hold?

December 14, 2022 | 09:00 AM - 10:00 AM PT
Fraud: Current Trends & Hot Topics
Don’t let fraud negatively impact your organization.

December 8, 2022 | 11:00 AM - 12:00 PM PT
Year-End Tax Planning for High-Net-Worth Individuals
Optimize your tax position before December 31.

December 8, 2022 | 09:00 AM - 10:00 AM PT