Does Your Internal Audit Include Cyber Security?

By February 5, 2019Nonprofit

Nonprofit leaders know the importance of performing an annual internal audit. But do you know the importance of adding a cyber security audit to your financial audit?

Travelers insurance puts the cost of a data breach in a nonprofit organization at $221 per record, which doesn’t sound like much until you count up the number of potential records in your nonprofit’s files. Then you realize the eye-opening fact that you could be on the hook for thousands, perhaps millions, of dollars in damages should hackers get into your records.

But the cost to your organization doesn’t stop at monetary damages. There’s also the loss of trust, which is invaluable. It may take years to rebuild the trust damaged by a data breach.

Now you understand why it is critical to tighten up your cyber security. What better time to do so than when you perform an internal audit?

What Nonprofits Need to Know – and Do – to Improve Cyber Security

As you prepare for your organization’s internal audit, it’s a good idea to schedule a cyber security audit. Board members who meet to review the financial audit may also wish to review the findings from a cyber security audit so they can make decisions related to its findings.

To conduct your own cyber security audit, here are several suggestions.

  1. Review current cyber security plans: Depending on your role within the organization, you may be well aware of any plans in place to protect against or respond to a cyber threat. As your first step, take time to speak with your IT manager, CIO, or other technology leader. Ask all department heads to provide you with any information they have on cyber protection, training, or risk management. Once you have all the information, you can make a good assessment of what is being done to protect against cyber threats.
  2. Contact third party vendors: Third-party vendors who receive or manage any data from your organization should also provide you with details on what they are doing to prevent security threats. This includes the obvious providers such as cloud software providers but the not-so-obvious ones as well, like your mailing house, which addresses and sends donation solicitations, catalogs, and other direct mail. Other vendors may include the company you use for your email list management, website hosting, and similar third party vendors.

Once you’ve reviewed both internal and external security processes and precautions, you can make an educated guess as to your risk level.

What Next?

If you were buying a home, you’d want to know if it’s in a flood zone so you could assess the risk of flood damage and the need to purchase flood insurance protection. The same goes with cyber security threats; once you understand the potential risk and your organization’s specific vulnerabilities, you can take steps to protect against threats.

Some steps to take may include:

  • Implementing internal security controls over software and technology services. This may include authorizing only IT staff to download software, updating and enhancing virus protection, and keeping databases behind a secure firewall.
  • Requesting that all vendors provide you with security plans and protection, if possible, or at least an understanding of their security protocols.
  • Training your internal teams on how to spot phishing schemes and preventing common cyber fraud and crimes.
  • Finding a cyber security expert to work with or retaining a consultant in the event a breach occurs.
  • Purchasing cyber insurance for your nonprofit, a policy which would protect against financial damages and technology repairs in the event a cybercrime occurs.

The time to take steps against cybercrime is now, before it happens. You have strong locks on the doors of your office to prevent thieves from stealing your computers. Do you have similar “locks” on your data?

Welter Consulting

Welter Consulting bridges nonprofits and solutions to help them find technology that works for them. We invite you to contact us for any assistance you need with nonprofit technology and business solutions. Call 206-605-3113 or contact us.