In our last nonprofit blog “Risk Management for Nonprofits – How to Not Make the News,” Yulia Murzaeva noted seven commonly identified risk exposures that nonprofits are continuously faced with and should assess as part of their risk management strategy. This post will take a deeper dive into one of the most complex and highly targeted areas of risk management, Technology.

What are the risks?

Information Technology (IT) risks are at the forefront of everyone’s minds both personally with cyber-attacks on Equifax affecting 143 million American consumers or Uber’s massive data breach where hackers accessed a server containing personal information on 57 million Uber divers and riders. Whether a nonprofit or commercial entity, gone are the days when IT can be left out of governance and strategy of an organization. Leaders of organizations need to be cognizant to build IT into their governance framework. When considering IT governance and risk related to IT, the considerations below are essential: When building IT governance, a company should consider:

1. Assessment of Current and Potential Software and Systems. Board members and management should assess their current software and systems in place on an annual basis and always be on the lookout for new and exciting technology that could increase the operating effectiveness and security of the organization. However, there may be backlash relating to implementing new software or applications as they are perceived to be unnecessary, costly, and time consuming to implement. This creates a culture of resistance to change and maintenance of the status quo. The potential risk is that legacy systems may be slow, lack of vendor support, and easy for hackers to infiltrate. It is important to mention that there are companies that will perform penetration tests at no cost to the organization to assess the IT response and sufficiency of the procedures and security currently in place.
2. Cyber Liability Insurance. Organizations should assess the risk of not having cyber liability insurance. This type of insurance is particularly targeted for data breaches from hackers that can expose client information, social security and credit card numbers, or hold an organization’s software hostage. It is also important to ask suppliers and vendors if they have this type of insurance as well, as the organization’s data could become compromised on their suppliers’ side.
3. Strategic Planning and Big Data. There is a risk that the board and management are not utilizing data from their systems to properly analyze trends in grant making, donor trends, government contracts, expenses, or business streams if the organization is supported by various business streams. The data may give insights into areas such as a change in grant making philosophies or bottlenecks in the systems that could hamper operational efficiency of the organization.
4. 4.Proper Logical and Physical Access Controls. Logical controls are controls that use software and data to monitor access to information whereas physical controls are controls over the computing environment of the facility. Typical logical controls to consider are multi-factor authentication, segregation of duties, encryption, password length, complexity, reuse and resets. Physical access controls are typically around access to the servers on site and who has access to them.
5. Proper Segregation of Duties. This may seem obvious, however organizations that do not put the proper segregation of duties in place in relation to IT, could open themselves up to personnel who are able to bypass security settings that could lead to nefarious acts such as embezzlement. This could occur if personnel can assign others access and have the ability to modify the systems and applications of the organization. This risk can be exacerbated if the organization does not have enough resources to have multiple IT personnel.
6. Disaster Recovery and Business Continuity. This is the risk that no one wants to think about, but can be devastating to your organization if a disaster occurs. It is crucial that the topic of data restoration and continuous operations be considered in the strategic planning of the organization by way of a disaster recovery plan. To implement such a plan, the organization must assess risks/disasters, identify mission critical programs/applications, develop a plan, assign responsibilities and ultimately test the plan. The organization should also assess how often and where backups are taking place, whether that is physical servers or to a cloud based platform. Organizations may also want to consider having alternative sites available in the event of a disaster such as a “hot site”, which is a site outside of the organization’s headquarters that is completely compatible to take over processing and operations of the organization.

In today’s world, IT functioning can no longer be an afterthought in regards to risk management and governance. Organizations should continuously research and adapt to new technologies with respect to opportunities and threats. For those who are concerned about funding such investment, there are resources available such as grants that can be used to hire consultants to assess the organization’s current systems and needs, to companies that will perform assessments of cyber vulnerability at no cost. Although technology can be an intimidating topic for some, breaking it down into bite-size pieces is the first step in effectively managing and operating a core portion of the organization.

Douglas Ferguson, Director of Information Technology at GHJ, has seen the threat landscape change dramatically in recent years. Ferguson says, “One of the most dangerous areas in a company’s network is the space between the keyboard and the chair. Companies can spent a fortune securing their computer systems but if employees do not receive Cybersecurity awareness training, the risk of falling victim to a ransomware attack or similar breach of their network is extremely likely. Email is the #1 delivery vehicle for most malware and viruses. Not-for-Profit organizations are especially vulnerable as they receive emails from many different outside organizations and their Executives are often easily identified and targeted.”

How does your nonprofit manage information technology risks? Is your company in need a risk assessment? Contacting the GHJ Nonprofit team can be your first step to mitigating the risks.