
Nonprofit Newsletter Fall 2016 - Cybersecurity for Nonprofit Realists

Publisher: Day Pitney Nonprofit Newsletter
Fall 2016
Day Pitney Author(s): Jonathan E. Davis

When it comes to cybersecurity, it is tempting for nonprofits to envy their for-profit counterparts' budgets, to wince and then hope for the best. How safe a nonprofit is, however, need not depend on how much it has to spend on IT upgrades. Rather, the most important predicate to improved cybersecurity is whether that organization's leadership commits to revamping work procedures to reduce IT-borne risk.

The scary cyberthreats that nonprofits face arise in part from the porous technologies that everyone – good, criminal or careless – uses. The internet, computers and smartphones are engineered to favor instant copying and transmission of data – in volume, across networks and borders. Thus, security technologies are an iffy exercise in retrofitting, conflicting as they do with IT's bias in favor of openness, which bad guys so often find ways to exploit.

In such circumstances, it makes little sense to equate improved cybersecurity with security technology spend (even if one can spend a lot). Rather, an organization can best protect itself by candidly examining how it uses IT to perform its mission, revising its work habits to reduce its overall risk and, as funds permit, upgrading tech. Important steps in this process include the following:

  • Make an unflinching inventory of information that the organization generates, grading its sensitivity according to the damage that would ensue were that information to leak.
  • Apply the above findings to curtail unnecessary creation, circulation and retention of sensitive information.
  • Draft, test, revise and then implement a security incident response plan. (It will prevent confusion, reassure stakeholders and regulators, and avoid litigation.)
  • Invest in vulnerability testing and security awareness training. The testing will ensure that any tech dollars are spent wisely. Awareness training will teach staff, at little or no cost, not to make what may otherwise be devastating errors.
