Cyber attacks pose a major threat to all kinds of organizations, arts and culture nonprofits included. Those in leadership positions at nonprofit organizations might not think their organizations are attractive targets and, as a result, frequently fail to invest in adequate security measures. The reality is that this makes nonprofit organizations more vulnerable, and cybercriminals are taking advantage.
Nonprofit organizations, regardless of their scale, often manage significant volumes of highly sensitive data. They collect donations online, manage vast quantities of donor information, and maintain detailed employee records. As the infrastructure of nonprofits has become increasingly digitized, their attack surface has only grown.
The prevalence of cyber attacks is increasing across every industry as new threats continue to emerge. If a nonprofit does not have an adequate risk mitigation framework in place, it’s not just their data that’s in jeopardy: their very ability to execute their mission is under threat.
In this overview, we will detail the cybersecurity risks faced by arts and culture nonprofits. We will also explore the steps nonprofit leaders must take to implement a robust risk mitigation plan that helps protect their organization.
As a byproduct of the fundraising process, many nonprofits collect and retain significant amounts of highly sensitive data. This information, particularly Personally Identifiable Information (PII), is extremely valuable to would-be attackers, a fact many nonprofits fail to realize.
This lack of awareness of the organization’s cybersecurity obligations can prove extremely costly. The key risks associated with failing to adopt a sophisticated risk mitigation plan can be grouped as follows:
In the past couple of years, the volume and sophistication of attacks nonprofit organizations face have increased significantly.
Nonprofits are particularly vulnerable to website spoofing attacks. These occur when a group seizes control of a nonprofit’s website and redirects donations or donor data. Another example is inference attacks, where attackers use data maliciously obtained from nonprofit databases to personally target employees, donors, and partners.
A risk mitigation plan provides nonprofit organizations in the arts and culture space with a framework that minimizes their risk profile. Mitigating obvious vulnerabilities lessens the organization’s exposure to attacks but does not eliminate it entirely. For this reason, many risk mitigation plans also include tactical elements such as business continuity plans and incident response frameworks.
By implementing a risk mitigation plan, nonprofits are better placed to quantify the adverse impacts of potential security breaches, take steps to strengthen their security profile, and ensure they are fulfilling their legal and regulatory requirements.
Many nonprofit organizations, even large ones in the arts and culture sector, lack the internal cybersecurity resources to effectively implement a comprehensive risk management plan. Working with an external firm focused on enterprise risk mitigation enables nonprofits to understand their risk profile, adopt industry-standard cybersecurity controls, and ultimately, better protect their organization against cyber threats.
At Smith + Howard, our Enterprise Risk Services practice has significant experience developing risk mitigation strategies for nonprofit organizations in cultural industries. Our team uses a comprehensive three-step process that quantifies the potential business impact of a breach, assesses risk, and aligns stakeholders on the implementation of an organization-wide information security framework.
Read on for a brief overview of the process.
Risk mitigation plans typically begin with a business impact analysis. This process evaluates the security systems currently used by the nonprofit and assigns a financial value to key assets, including databases of sensitive information. The analysis also qualifies the potential impact an attack would have on a nonprofit’s ability to carry out its mission.
This portion of the analysis establishes a baseline and demonstrates to nonprofit leadership the potential cost of a breach in terms of lost fundraising revenue or a temporary pause in operations.
A risk assessment identifies the specific security risks that a nonprofit faces through a comprehensive analysis of three distinct pillars: a nonprofit’s people, processes, and technologies.
Following the completion of the risk assessment, it’s possible to evaluate the maturity and strength of the nonprofit’s overall cybersecurity posture and to recommend the scope of further engagements to strengthen it.
Establishing the risks that arts and culture organizations face and showing their potential business impact is ultimately fruitless unless the nonprofit implements a robust cybersecurity framework to address them.
In this stage, it’s important to align cybersecurity controls with the strategic goals of the wider organization. Using a predefined set of controls, such as the NIST Framework, is a systematic approach that effectively aligns the nonprofit with industry-standard cyber controls.
Risk mitigation is not a one-off exercise. The threat landscape is constantly evolving and it’s important that nonprofits continue to invest in their cybersecurity infrastructure to maintain a robust defense.
In this regard, conducting an annual risk assessment and maintaining a risk register is considered best practice. A risk register is a living document that details the nonprofit’s vulnerabilities. This document should be updated as security challenges are addressed and new risks are discovered.
Arts and culture organizations that take a proactive approach to risk management are significantly more secure in the long term. It’s often the case that nonprofit organizations fail to realize their obligations as stewards of confidential donor, employee, and partner information, and consequently, do not invest in building an effective security infrastructure until they fall victim to an attack.
If you’re in need of guidance developing or revitalizing a risk mitigation plan for your arts and culture organization, the Enterprise Risk Services team at Smith + Howard can assist you. Our security consultants partner with nonprofit organizations across the country to quantify risk, implement proven security frameworks, and maintain data integrity.
To learn more about developing a risk mitigation plan for your arts and culture organization, contact an advisor.
If you have any questions and would like to connect with a team member, please call 404-874-6244 or contact an advisor.