Books, music, and movies offer factual and fictional stories that capture our imagination, invoke emotion, and move readers to act. The most interesting stories have drama, plot twists, tragedies, ironies, and comedies that reflect on current conditions and paint a vision of better conditions. Not-for-profit organizations, like many other private and governmental organizations, have been digesting a best-selling cybersecurity story fueled by fear, uncertainty, and doubt. If you are one of those board members, consider whether the cybersecurity story you are reading or listening to is fact or fiction.
Start with why
Many issues and questions surface as not-for-profit boards discuss cybersecurity risks. Sorting through the cybersecurity issues and questions takes focus and patience to understand. But you don’t need to be a technology or security expert to be effective. Simon Sinek, the famous British-American author, motivational speaker, and organization consultant, has written books and spoken extensively about a powerful technique he uses—start with why. To do so, NFPs need to ask why [cybersecurity] is important to their mission. The answers will galvanize the organization’s focus and motivate stakeholders to do the things that will help meet the mission and to avoid or minimize the things that will jeopardize the mission.
For example, let’s imagine the mission is “To restore, maintain, and sustain [art, botanical gardens, cultural history, forests, health & welfare assistance, landmarks, parks, wetlands, etc.] for the benefit of [community, city, state, etc.] current and future citizens”.
Understand what must be protected
We could continue asking “why”, but at this point it should be abundantly clear why cybersecurity is an important issue for NFPs. Without exhaustively asking why, the inventory of what needs to be protected may be incomplete and create a blind spot, leaving your organization vulnerable to costly exploits. Why informs NFPs what they need to protect:
Networks, Servers, and Devices — Networks, servers, and other computing devices store, transport, and process NPI, so they must be protected to maintain the confidentiality, integrity, and availability of NPI.
Employees and third parties — Employees and third parties that handle NPI must be trained to understand how to protect NPI and to guard against phishing and other social engineering threats.
Practical how-to guidance
“What” informs NFPs how they may protect their important and sensitive data. There are many point solutions that may be helpful and that technology companies are eager to sell. However, NFPs should resist buying tools advertised to help without first framing a holistic cybersecurity program. The cybersecurity program is the blueprint for how the NFP mitigates cybersecurity risk. NFPs have limited funds. It is incumbent on them to understand the priority, sequence, and dependencies of what needs to be done over time. These activities will have varying costs, levels of effort, levels of difficulty, and ongoing maintenance costs. That necessitates a strong discipline to communicate and balance the resource requirements for achieving the mission with the budget available. Finite resources mean NFPs will need to accept some cyber risk. Risk acceptance must be explicit, not a surprise.
Do you have the right people, processes, and technologies to protect your business from cyber threats? A good place to start is to review the NIST Cybersecurity Framework, which has become a benchmark for what to do not only in the US but is being adopted or emulated across the globe. Additionally, there is complementary guidance from NACD, ISACA, and The IIA on how to elevate cybersecurity to your company board’s governance agenda. If that is too much to consider, review the Center for Internet Security punch list of 20 critical information security controls to determine not only whether they are in place but whether they are being done well enough. Realize that there are no silver bullets for cybersecurity. These frameworks, guidelines, and benchmarks do nothing for your organization if the company is unwilling to accept that it has some gaps that will require a plan of action to close.
Here are four pragmatic measures to consider:
1. Independent Assessments
An annual independent assessment is a critical governance tool that provides a comprehensive evaluation of implemented security policies, procedures, controls, and staff in relation to best practices and industry standards. If risks have shifted, it may warrant reallocating resources accordingly. Cyber threats are becoming more numerous and damaging with every device that connects to the internet. It’s not going to stop. Think about it. If you need convincing, read the 2019 Verizon Data Breach Investigation Report and you will either agree or fall asleep because you don’t understand it, and that may speak volumes about your cybersecurity maturity. Cyber risk is a business risk that has managerial, operational, financial, legal, and technological dimensions. Technology changes faster than all the other dimensions, making it difficult for businesses to adapt to it. We’ve been trained to deal with catastrophic loss by reviewing business continuity plans and getting the right insurance coverages. That said, these strategies or tactics need to be revisited or updated to understand the appropriate mitigations to protect your company from a cyber-attack. Insurance is a logical risk tool, but it doesn’t fix your cybersecurity posture. People, processes, and technology help you do that.
2. Vulnerability Management
Preventive and detective security controls are the keys to minimizing the impact of ransomware and other types of hacker attacks in the enterprise. Hackers do their homework. Their reconnaissance efforts begin with an understanding of the vulnerabilities in the target environment (think your network). Threat actors use many of the same tools IT security departments would use to scan your environment for the latest vulnerabilities and ascertain exploit impacts. Understand that vulnerability scanning must not be a merely mechanical process. Rather, a vulnerability management program requires:
Coordination - Patching and remediation efforts take more time than scanning, which constrains IT and security teams from doing other things. Taking time to scan for and know your vulnerabilities does nothing if IT doesn’t prioritize the time and resources to fix critical or severe vulnerabilities.
Governance - Vulnerability reporting should be transparent to the executive team and board to ward off false assurance. If your NFP is thin on resources you can outsource your vulnerability scanning program to a managed security services provider (MSSP).
3. User Awareness Training
The need for User Awareness Training is evergreen. The technology landscape changes, consumer choices change, and user behaviors change. If your user awareness program is a tired PowerPoint deck or a policy acknowledgment done once a year or only during employee onboarding, consider supplementing it with a periodic active phishing campaign. It is relatively easy to put a simulated phishing email in front of everyone on your system to see which users are quick to put the firm at risk. Your internal or external IT experts can likely handle this chore, or it is relatively inexpensive to outsource this kind of system test.
4. Incident Response Planning
Provisioning an incident response team is an important prevention, detection, and correction planning step. Planning incident response while an incident is occurring is rarely productive or successful. Realize that incident response involves a coordinated communication plan and the orchestration of internal and external resources. NFPs should investigate the sustainability of shouldering this effort on their own. Smaller businesses have been turning to Managed Detection and Response (MDR) services as an economical approach. MDR providers bring the tools, processes, and people to watch for malicious activity on your network and work quickly to respond appropriately by interrupting unfriendly connections or containing malicious activity before it spreads extensively, lowering the cost of recovery. In many respects, MDR is a force multiplier that provides access to leading-edge technologies, refined processes, and dedicated personnel 24x7x365 for a fraction of what it would cost an NFP to build itself. There’s a lot more to incident response, but in particular, establish relationships with federal, state, and local cybersecurity officials as well as federal agencies like the Department of Homeland Security (DHS) and the US Computer Emergency Readiness Team (US-CERT). Sharing information with law enforcement agencies about unusual network activity, denial of service attacks, phishing attacks, and quarantined malware allows more parties to be vigilant. Observations of malicious activity provided to law enforcement may help triangulate the identity of hackers and lead to eventual prosecution. Are you prepared?