Risk rises during uncertain times, especially when an organization’s operations change, because that often means technology is being used in ways nobody previously imagined. Case in point: Zoom meetings. Security issues arose, and Zoom had to quickly enact enhanced security procedures.
So what about non-profit associations? Should security concerns be left entirely with the association’s staff, or should the board become involved? And if so, how much? Board members should understand that cybersecurity is something the association has to deal with and that, just as with the organization’s finances, the responsibility ultimately rests with them. Many boards stay away from the issue because of the technicalities involved. However, boards don’t need to understand the technology; they just need to ask the right questions. Any discussions should be held in non-technical language and should clearly address the risks the association could face in a variety of scenarios.
What parts of the association have value and could be at risk? What information would be worth selling? What would happen if that information were maliciously modified? Cyberattacks are usually motivated by profit or by some other benefit that gives the attacker an advantage. For associations, that could mean the credit card information of its members or access to high-level donors.
According to experts, a lot of money is wasted on cybersecurity, and they encourage groups not to spend more but to spend more wisely. Resources are often focused in the wrong directions. Cybersecurity must concentrate on the most significant risks the association faces or it will not be effective. Before new controls are enacted, the difficulty of managing those controls should be examined; if they are too difficult to maintain, staff will not follow them.
According to Association Acumen’s IT Director, Dave Bayer, board members should ask the IT staff whether testing is also incorporated. “Specifically, testing that data backup restorations are performed, to ensure what is being backed up can successfully be restored to a test environment on a semi-annual or annual basis, is critical. Also, since the biggest threat comes from email phishing campaigns, a test campaign can be performed at regular intervals to help identify staff that need more training,” Bayer said.
Boards can gauge their own performance on cybersecurity by making sure they understand the measures in place. If they don’t understand them, then the procedures have either not been properly explained or are inadequate. Cybersecurity should not be siloed; it should be incorporated into the entire organization. Experts stress that it is the security of the organization that is at risk, not the computers. Sit down with your Executive Director and find out what safeguards are in place, how often they are reviewed by IT staff, and how they are reviewed and enforced by all staff. What specific activities are being protected? Do the safeguards protect the activities actually at risk? What would happen if a cyber crisis occurred? How would it be handled? Is there an emergency policy in place for addressing it?
Most board members are executives themselves and should be familiar with addressing company risks. Associations are no different. So if boards work together with staff to define cyber risks, they will have performed an important function: creating consensus about what’s important to the long-term growth, safety and sustainability of the organization.