December 13, 2023
On December 5, 2023, the first annual GRF Virtual Cyber Symposium for Nonprofits & Associations brought together experts in cybersecurity, privacy, and insurance to share the strategies tax-exempt organizations can implement to identify risks and reduce an organization’s exposure.
Topics Covered Included:
- Creating a culture of innovation in cybersecurity
- Cybersecurity risks and mitigation strategies
- The current state of privacy laws
When it comes to identifying significant risks, many nonprofit organizations are not in alignment. According to NC State University, board members, CEOs, CFOs, and CTOs each tend to identify different risks. It is critical to identify and assess enterprise-level risks against key strategic objectives and to make sure that all stakeholders reach consensus.
Cyber breaches are increasingly run by criminal operations rather than solitary hackers. “Ransomware-as-a-service” is a growing trend, in which some groups focus on harvesting access credentials for sale while others focus on building ransomware and managing payment processing.
Sophisticated phishing and social engineering tactics remain the most effective way bad actors gain access to sensitive information. Employee training, including testing simulations and follow-up, is an essential first line of defense.
Small nonprofit organizations are not immune from attacks. Today’s cyber criminals take a broad approach and will test anywhere they think they can breach security. Small organizations are often tested because they have limited resources and may not be prepared. According to Board Effect, 80% of nonprofit organizations do not have a cybersecurity plan at all.
Third parties who handle an organization’s data are an area of risk that is often overlooked. Don’t assume that all cloud-based systems are secure.
Be on the lookout for new state and local privacy laws. The rise in data breaches has caused many states to draft legislation to protect consumers (and donors). Privacy legislation has increased at the state level, and 13 states have currently enacted privacy laws: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia.
Nonprofits that raise money in the EU or collect personal data from EU citizens must comply with the EU’s GDPR (General Data Protection Regulation).
There is no federal privacy law yet, but there are several draft bills in Congress.
At a minimum, all organizations should be deploying these security measures: Multi-Factor Authentication (MFA), antivirus software, routine database backups, mobile device management, and regular user awareness training.
Assume that you may be a target for a data breach and take the necessary precautions now. Develop a crisis management group and protocols in the event of a successful attack.
Speakers included:
- Melissa Musser, CPA, CIA, CITP, CISA | Partner and Director, Risk & Advisory Services
- Mac Lillard, CPA, CIA, CFE, CISA, CRISC, CITP | Senior Manager, Risk & Advisory Services
- Darren Hulem, CISA, CEH, Security+ | Manager, IT and Risk Advisory Services
- Ricardo Trujillo, CPA, CITP, CISA | Partner, Audit Services
- Nicole Kardell, Special Counsel | Ifrah Law
- Michelle W. Cohen | Member, Ifrah Law
- Chris Ecker | CTO at DelCor Technology Solutions
- Andrew Legget | Director of Cybersecurity Operations at DelCor Technology Solutions
- Derek Symer, CPCU | Partner at AHT Insurance