There’s good reason why cybersecurity should be top of mind for Not for Profit (NFP) executives and directors.
Last month was the annual Australian Financial Review Cyber Summit.
At this conference, and for the second year in a row, the Australian Securities and Investments Commission (ASIC) warned directors and executives that neglecting their duties to manage cybersecurity risks could result in prosecution.
This is not just prosecution against the organisation itself resulting in fines, but potentially criminal liability for both executives and directors if they fail to demonstrate sufficient cyber preparedness before a breach occurs.
How is an NFP’s executive and director’s responsibility for cybersecurity different to that in a company?
While there is no indication that these actions will also target Not for Profits, the Australian Institute of Company Directors (AICD) has reiterated in its cybersecurity handbook that the responsibilities of an NFP director are no different from those of a company director under both common law and the Corporations Act 2001.
“Your duties and obligations do not change if you are an owner director, executive director or serve as a director in a volunteer capacity (e.g. on the board of a NFP). This means that as a director, ensuring appropriate cyber risk treatments are in place, investments are made in the areas that require it, and company policies are set and understood.”
Given these risks, what can the executive team and board do to mitigate cybersecurity breaches?
How can NFP executives and board directors reduce their cybersecurity risks?
Cybersecurity can seem overwhelming, full of technical jargon that boggles the mind. Yet it should not be so hard to understand that executives and directors fail to act on these risks.
A good place to start is the three areas mentioned in the AICD’s statement above:
- Ensure cyber risk treatments are in place – You can start by asking for an Essential Eight audit from your IT managed service provider or internal IT team.
- Investments are made in the areas that require it – While some investment requirements will be found in the Essential Eight audit (such as upgrading Microsoft 365 licenses), there will be gaps. I recommend an enterprise-wide current state review to supplement the audit. It should also cover third-party applications and service providers.
- Company policies are set and understood – This also requires regular training to reiterate the policies, and cybersecurity awareness education in general.
Next Steps
Each of these areas covers a lot of actions. However, executives and boards can use these three “headers” as reportable items in their monthly reports to understand the current status and progress of cybersecurity preparedness in general.
If cybersecurity still feels overwhelming, get some help from someone who can speak to you in plain English so you can make better decisions.
I regularly help Not for Profits with IT cybersecurity risk mitigations and investment decisions. Let me know if you need some help.
P.S. If you found this article helpful, you might want to read these too:
- 3 Reasons Why Board Directors Should Do End-User Cybersecurity Training
- Shadow data – another cybersecurity risk in your organisation
- What Not for Profits should learn from the Crowdstrike incident
Coming Soon!
Cybercrimes are constantly evolving. Roundbox Consulting will soon release a new annual online cybersecurity training program, specifically designed to help Not for Profits with the latest knowledge to mitigate these risks. Let me know if you want to know more.
Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.