As recent headlines illustrate, cybersecurity should be a top priority for all organizations. Many nonprofit leaders believe that they have adequate cybersecurity in place, but might not know the specifics. Given the high stakes, it’s vital to ensure that your organization has sufficient protection.
According to Lisa Traina, a partner at Traina & Associates, a CapinCrouse company, the four steps below go beyond the basic cybersecurity practices you should already follow and will help you further strengthen your organization’s cybersecurity defenses.
1. Create and implement a plan for zero-day vulnerabilities: Zero-day vulnerabilities are security holes for which no update or patch is available at the time they are discovered. According to the Trustwave Global Security Report, vulnerabilities exist for an average of 100 days before being made public. That gives attackers who know about them an average of 100 days to exploit them before most defenders are even aware of the problem.
- An effective zero-day vulnerability plan should detail:
- The sources you will use to stay abreast of new vulnerability discoveries;
- Who will be responsible for determining whether your organization is exposed each time a major vulnerability is discovered;
- A process for obtaining and applying the necessary patches or updates, if available;
- If no patch or update is available, a process for applying interim mitigations and following up with the vendor to obtain the fix once it is released; and,
- A process for documenting all efforts made to address each identified vulnerability.
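The steps above describe a process; the added example below (not part of the original article or of CapinCrouse's material) shows the core of it in working code: an asset inventory is cross-referenced against a feed of advisories, each affected asset is classified as "patch-available" or "awaiting-patch", and every finding is written out as a record for the documentation step. The advisory IDs, product names and hosts are constructed sample data, not real vulnerabilities; the advisory format (introduced/fixed version ranges) is an assumption modelled on how public vulnerability feeds express affected versions.

```python
import json
import re
from datetime import date
from typing import Optional

# Constructed sample advisory feed. IDs and products are hypothetical, not real CVEs.
# "fixed": None means the vendor has not yet released a patch (step 4 of the plan).
ADVISORIES = [
    {"id": "SAMPLE-0001", "product": "acme-cms", "introduced": "3.0.0", "fixed": "3.2.1"},
    {"id": "SAMPLE-0002", "product": "acme-cms", "introduced": "3.2.0", "fixed": None},
    {"id": "SAMPLE-0003", "product": "donor-db", "introduced": "1.0", "fixed": "1.0.2k"},
]

# Constructed asset inventory: what is installed where, and who owns it.
INVENTORY = [
    {"host": "www-1", "product": "acme-cms", "version": "3.1.4", "owner": "web team"},
    {"host": "www-2", "product": "acme-cms", "version": "3.2.1", "owner": "web team"},
    {"host": "db-1", "product": "donor-db", "version": "1.0.2", "owner": "it"},
    {"host": "db-2", "product": "donor-db", "version": "1.0.2k", "owner": "it"},
]


def version_key(version: str) -> tuple:
    """Turn '3.2.1' or '1.0.2k' into a tuple that sorts the way version numbers do.

    Numeric tokens compare numerically (so 3.10 > 3.2); alphabetic suffixes such
    as the 'k' in '1.0.2k' sort after the bare number they extend.
    """
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(token)) if token.isdigit() else (1, token.lower()))
    return tuple(parts)


def is_affected(installed: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if `installed` lies in the range [introduced, fixed).

    A missing `fixed` version means no patch exists yet, so the range is open-ended
    and every version from `introduced` upwards is still exposed.
    """
    v = version_key(installed)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def find_exposures(inventory, advisories, checked_on: str):
    """Cross-reference the inventory with the advisory feed (step 2 of the plan).

    Returns one record per affected (asset, advisory) pair. Each record doubles as
    the documentation entry the plan calls for: what was found, whether a patch
    exists, the next action, and when the check was made.
    """
    records = []
    for asset in inventory:
        for adv in advisories:
            if adv["product"] != asset["product"]:
                continue
            fixed = adv.get("fixed")
            if not is_affected(asset["version"], adv["introduced"], fixed):
                continue
            records.append({
                "advisory": adv["id"],
                "host": asset["host"],
                "owner": asset["owner"],
                "installed": asset["version"],
                "status": "patch-available" if fixed else "awaiting-patch",
                "action": f"upgrade to {fixed}" if fixed
                          else "apply interim mitigations; re-check vendor for a fix",
                "checked_on": checked_on,
            })
    return records


def pending_followups(records):
    """The follow-up queue: findings with no patch yet, to be re-checked each cycle."""
    return [(r["host"], r["advisory"]) for r in records if r["status"] == "awaiting-patch"]


def exposure_log(records) -> str:
    """Serialize findings as JSON Lines, one entry per finding, for the audit trail."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    findings = find_exposures(INVENTORY, ADVISORIES, date.today().isoformat())
    print(exposure_log(findings))
    print("awaiting vendor fix:", pending_followups(findings))
```

In practice the inventory comes from your asset management or configuration tooling and the advisory list from the sources chosen in the first step of the plan; the matching and record-keeping logic stays the same. Note that a version that equals the "fixed" version is treated as patched, and a version older than "introduced" is treated as unaffected, which is the convention public feeds use.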
2. Create and implement an incident response plan: It’s no longer a question of if a cyber breach will occur, but rather when. While it’s crucial to invest in preventative security measures, it’s also critical to plan for how your organization will react and respond to a breach.
- The plan should address:
- Forensics: Research and identify a forensic firm now, rather than waiting until a breach happens;
- Timelines for retaining audit and activity logs: Retain at least six months of logs for critical systems so that forensic investigators can reconstruct what happened. The investigation into at least one recent major breach was hampered because logs were retained for only 30 days.
- A return to normal operations: Investigations can take time, but your organization must continue to operate. Plan for the fact that normal operations can only resume after you’ve received assurances that the risk of additional intrusion or data loss has been mitigated.
- Notification of appropriate parties: Identify who you will need to notify, and how you will do so. This includes members, donors, law enforcement, and your insurer. Many states have regulations requiring entities to notify individuals of breaches of personally identifiable information.
3. Undergo routine Information Systems (IS) assessments: Effective risk mitigation can only occur after you have a list of issues to target. All organizations should undergo a periodic independent IS security assessment including vulnerability testing and information security controls testing, which helps to determine whether the appropriate controls are in place and operating effectively.
4. Develop a formal vendor review process: With the growing reliance on vendors, it’s crucial to recognize the significant cybersecurity risk they can represent. Major data breaches at Goodwill, Target, Home Depot, and Lowe’s all started with vendor security issues.
Vendors focus on providing services, not security, so it’s important for your organization to have a formal process for evaluating all vendors that provide critical functions or have access to critical data. This should include any third parties that host your data and any vendors with regular access to it.
You should perform an annual review for all current vendors and review all new vendors before you sign a contract.