I had a great conversation with Eric Curtis from Curtis Strategy the other day. Curtis Strategy is one of the country's leading strategy consulting firms for nonprofits.
As he was sharing some of the big shifts he is seeing in the nonprofit world, he touched on the recent acceleration of Mergers & Affiliations.
As we chatted, I realized that nonprofits face cyber risk challenges similar to those of their for-profit peers. The reality is that, from a risk standpoint, nonprofits may even have greater cyber risk exposure.
Here are 3 areas CEOs and Executive Directors should focus on (or assign to a senior team member) during the merger & affiliation process:
Recognize that any time an organization goes through a big transition, especially if the organization is in the public eye, the risk of ransomware attacks and data theft increases.
One of the "tricks" hackers use when social engineering employees (and volunteers!) is capitalizing on the chaos created in transition... and there is always some chaos. People are concerned about their jobs, their roles, their value to the new organization; they don't know who they will be reporting to, or are afraid of who their new boss will be; they aren't sure if the new organization or direction is what they believe in.
The way to counteract this fear and reduce the risk of social engineering (aka email phishing attacks) is to communicate as clearly and as often as possible. While silence is often required leading up to a big transition, it can be deadly once the transition or transformation starts. Set up an internal website for employees, send out weekly updates, survey employees; basically, show that employees are being tended to as much as the process is.
A second point of attack for hackers, especially during periods of transition where new (although typically used and possibly outdated) technology is being integrated, is scanning external endpoints for known vulnerabilities that can be exploited. Common entry points include: unpatched firewalls, unpatched VPNs, cloud instances, websites with weak passwords, RDP or VNC ports open to the internet, network misconfigurations, and computers with weak/limited/no security protections.
This list is a checklist that leadership can use to ensure the network perimeter is protected. Verifying the organizations' security posture upfront will save many headaches down the line while reducing risk of data loss.
The final cyber risk issue Eric and I discussed was how organizations going through transition need to address and manage data ownership and privacy rules. From California to Europe, data privacy and ownership regulations are getting stricter.
Leaders should assign a senior executive to verify that the data they have and the data the other party has is properly secured, managed, and maintained. While it is not ideal, a simple checklist that covers the basics of data ownership and protection is a good start. Beyond the basics, verifying how financial transactions (PCI-DSS), healthcare records (HIPAA), and other personal records are processed and maintained is critical to avoiding legal issues. One pro tip: reach out to the individuals involved (students, patients, members, donors, etc.) asking for their ongoing commitment and participation in the new organization. This step will create a baseline and provide assurance that the "new" organization is legally allowed and able to maintain and use their data.
Addressing these 3 points during a transition will help establish leaders as the executive in charge who understands the new world of data security and how valuable their data is to the organization.
If you have more questions or want to discuss a specific issue or project, please contact Eric Curtis at Curtis Strategy (www.curtisstrategy.com) or Robert Fitzgerald at Arcas Risk Management (www.arcasrisk.com).