I spend a lot of time talking with Not for Profits (NFPs) about how to prevent cybersecurity breaches. After all, prevention is always cheaper than a post-incident reaction.

Yet, when I’ve asked, “What would you do first if you actually had a breach?”, few executives and board directors could answer my question immediately.

That’s where the Incident Management Plan is very handy.


Why an Incident Management Plan is Critical for NFPs

Many organisations have a Business Continuity and Disaster Recovery Plan (BCDR Plan). However, these rarely address the specific challenges of a cybersecurity breach.

With most NFPs now operating in the cloud, the traditional BCDR focus is less relevant, whereas the need for a cybersecurity-specific plan has grown significantly.

Still, few Not for Profits have an Incident Management Plan.

What’s included in an Incident Management Plan?

An Incident Management Plan is essentially the playbook for responding to a cyber incident, outlining the “what, when, who, and how” of what is needed in these situations.

Usually it covers:

  • Incident Categories – Define types of incidents and determine if they’re “reportable” to the Office of the Australian Information Commissioner (OAIC).
  • Incident Response Team (IRT) – List key personnel and their contact details. Clarity and speed are crucial in the first 24 hours.
  • Response Process – While steps can vary depending on the nature of the breach, a consistent framework helps reduce chaos.
  • Communication Plan and Templates – Pre-drafted messages for notifying stakeholders and reporting to the OAIC can save valuable time and reduce legal exposure.

The Australian Signals Directorate offers templates to help you put one together. I think they are too complex for most Not for Profits, but they will give you an idea of what’s needed.

The importance of regular testing

Even if an organisation has an Incident Management Plan, the main problem I see is that it’s usually out of date and it’s never been tested. It’s almost as bad as not having one at all.

That’s why I recommend running annual Incident Response simulations. These tabletop exercises are invaluable for uncovering gaps and reinforcing a culture of cybersecurity awareness from the senior level down.

Final Thoughts – Are you really ready?

Prevention is always a better strategy than reaction. Yet, preparation for an incident also reduces the potential impact if a cybersecurity incident were to occur.

Every Not-for-Profit should have a tested, current Incident Management Plan to minimise damage in the event of a breach.

How confident are you in your organisation’s readiness?

I regularly help Not for Profits mitigate cybersecurity risks. Let me know if you need some help.


Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.
