The new year is right around the corner, and for nonprofits, it’s a chance to level set on technology and cybersecurity.
By performing an IT and cyber assessment, your organization can align technology with your strategic plan to better support your mission. You can find and close gaps in your information security, reducing the chances of a data breach. And you can acquire and maintain cyber insurance to cover you in case an incident does occur.
Insurance is increasingly a main driver
The COVID-19 pandemic has been a key driver for organizations in improving their cyber posture and IT infrastructure. Remote work, rising cybercrime, increased funding for technology — it’s all related to the pandemic, and it’s certainly highlighted the consequences of maintaining outdated technology and not creating a solid cyber and risk management program.
In addition to responding to the pandemic, another driver has been — and will certainly continue to be — insurance companies.
For years, insurance companies have paid out millions of dollars in claims to cover everything from ransomware payments to legal costs to forensic investigations. Now, they’re increasingly making stronger cybersecurity a condition of obtaining or renewing cyber insurance.
For example, many now require multifactor authentication on remotely accessible systems (e.g., VPNs and email) and on internal administration privileges. Another common requirement is endpoint detection and response, which monitors your key IT systems and provides earlier notification of ransomware-like activities so organizations can prevent or reduce the impact of a data breach.
Premiums are increasing in general, but for organizations without these controls in place, we’re seeing premiums increase to 10 times what they used to be, or organizations are flat-out being denied coverage. And organizations that misrepresented the strength of their cybersecurity on their applications are finding that their claims are not being paid out.
Cyber insurance requirements are only going to grow in 2022. Fortunately, an IT and cyber assessment can help your nonprofit organization meet and exceed the minimally insurable standard.
How nonprofits can prepare to undergo an IT and cyber assessment
There are certain activities you can do to prepare for the IT and cyber assessment to ensure it goes smoothly and is a valuable experience for your organization. Here are our four tips:
1. Collect your technology documentation
Your technology partner is going to want to review your technology documentation — items like your network diagram, application inventory, org chart and a list of technology projects on the horizon — and gathering this for them ahead of time makes the process smoother and faster.
2. Identify your key cyber and tech concerns
By identifying your key concerns, you can better tailor and use the assessment to answer your questions and find solutions. Here are key questions organizations often include:
- Is our technology optimized to support a remote workforce?
- Are our systems secure from outside attackers?
- Have we properly structured systems to prevent insider risks?
- Have we educated our users on how to identify and react to modern cyber threats?
- Are we at risk for ransomware?
- How well are our systems being monitored, maintained and patched?
- Do we know what the usable life of our technology is?
3. Identify key stakeholders and set the right tone
Whether it’s your leadership team, program directors or IT/security staff, there are three critical responsibilities the stakeholders of an IT and cyber assessment have.
The first is setting the right tone at the top. The assessment’s purpose is not to identify who on your staff has done a poor job with your technology or cybersecurity. Instead, the goal is to find opportunities for improvement. Setting the right tone can help ease staff members’ minds and focus them on the benefits of the assessment, not any potential consequences.
The second is being upfront about your organization’s limitations and gaps. An IT and cyber assessment isn’t an audit. You’re not trying to give your technology partner documentation proving how robust your organization is. You want them to see the full extent of your situation so they can properly identify areas for improvement.
Third, executives need to be prepared to act on your technology partner’s recommendations. Some solutions require a bigger investment than others, but only implementing the easiest or most cost-effective recommendations leaves vulnerabilities open and increases the chances of your nonprofit experiencing a devastating cybersecurity incident.
Start off your 2022 with an IT and cyber assessment
The average cost of a data breach in the U.S. is $9.05 million. And for nonprofits, you can factor in the potential loss of donations and grants as your reputation takes a hit and funding sources start asking questions.
The time to shore up your technology and cybersecurity is now. Plus, if you’ve recently updated your strategic plan, you have an even greater incentive to use this assessment to better align your technology to that plan.
Wipfli can help. Our team regularly performs cyber and IT assessments for nonprofit organizations, as well as strategic planning and IT roadmapping.
We’ve also developed a sample RFI for a cybersecurity and IT assessment that your nonprofit can use to find the ideal third party.