Not-for-profits routinely collect highly sensitive personal information, including information on people’s health, relationships and finances (how does your organisation store the credit card details of donors, for example?). And their data often includes information about some of society’s most vulnerable people, who are the core business of many not-for-profits.
At the same time, the sector has little cash to invest in built-for-purpose secure IT systems, so this information is often collected and stored via online third-party tools and basic applications such as Excel spreadsheets, and many organisations rely on off-the-shelf systems designed for the corporate and public sectors. Compounding these challenges, many NFPs find it difficult to recruit people with strong IT skills, because such people are in high demand and therefore expensive.
With all of these cyber security risks creating potentially rich pickings for cyber criminals – and the potential for serious reputational damage – not-for-profit board directors have a critical role to play in asking the right questions of their organisational leaders.
These 10 questions will help board directors to consider their responsibilities in relation to cyber security at their organisation.
To know why you should be asking these questions, download the full document.
1. Who’s accountable for what?
2. Who has access to what?
3. Are our policies fit for purpose and up to date?
4. Is our staff training up to date?
5. Are our computers and systems fit for purpose?
6. What are our biggest threats?
7. Does our culture protect our data?
8. How do we make decisions which could affect cyber security?
9. What would we do if a data breach occurred?
10. Cyber insurance: is it worth it?