Why do nonprofits need to pay close attention to cyber risk now? Changes caused by the COVID-19 pandemic have been a catalyst for newly emerging cyber risks. The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on April 8 regarding the growing use of COVID-19 targeted cyber attacks. In addition, the World Economic Forum has identified cyber risks and data fraud as the third-highest concern for organizations worldwide. Lastly, nonprofit organizations have traditionally been a vulnerable sector for cybercrime. Over 80% of nonprofits do not have a cybersecurity policy in place (NTEN). It is vitally important to begin making cybersecurity a priority. Nonprofits can do this now! Implement a written cybersecurity plan and ensure you are adequately covered in your cyber insurance policies.
The three main risks of a cyberattack for nonprofits are:
- Data breach
- Downtime of systems
- Ransom demand
Nonprofits generally do not operate at the scale of the large companies that make headlines, but when an attack occurs, the effects can be even more devastating. Reputational damage, regulatory fees, and delayed business operations are examples of the high-cost losses that can occur. A phishing attack, for instance, costs nonprofits $1.6 million on average. Hosting your data in the cloud alone does not protect your organization from loss.
Remote Work Arrangements Are a Key Factor of Increased Cyber Risk
Temporary remote work arrangements for employees are a key factor in exponentially increasing cyber risk for nonprofits. Phishing, spoofing of apps, use of personal devices and residential networks while working from home, and lack of training on cybersecurity best practices all contribute to this increased risk. Nonprofits need to learn how to reduce these risk factors and educate their employees on best practices now, as well as when employees return to work. See our Work From Home Toolkit resource for helpful tips and guidance.
Written Cyber Security Plan
If your nonprofit does not have a written Cyber Security Plan, then make this a priority! Be ready to change your existing plans to account for changes due to the COVID-19 pandemic. A written Cyber Security Policy sets out the measures you have in place to protect your organization from cyberattacks, as well as your contingency plan should an attack occur. In developing your policy, consider all business relationships, such as employees, clients, business associates, partners, and third-party vendors. The policy should identify management’s roles and responsibilities and the organizational cybersecurity protocols. There should also be a protocol for how to report cybersecurity incidents. Be prepared with a robust cybersecurity policy.
Are You Covered For Remote Cyber Risks?
Nonprofits are well-advised to conduct a risk assessment to identify new cyber risks that have emerged from changes due to COVID-19. You should also review your organization’s cyber insurance policy to determine whether work-from-home arrangements and personal computing are included in the coverage. The definitions of “computing system” and “security event” in your policy will determine whether your organization is covered for losses that occur from a remote cyberattack. Your dedicated Sales or Service Team contact can help you with a risk assessment and policy review.