Learn tactics for securing your organization’s valuable information from Apparo Expert Link partner, The Trust Bridge.
By Penny Heyes, COO of The TrustBridge, an Apparo Expert Link partner
No organization, nonprofit or for profit, however large or small, is immune to data breaches and/or cyber attacks, so everyone should be prepared with an incident response plan. In fact, there is evidence that small to medium size organizations are at a higher risk, as they do not invest in data and cyber security measures to mitigate the risks, often for budgetary reasons. "Threat actors", aka the cybercriminals, frequently target small businesses in order to gain access to larger organizations through the third-party supply chain, which is the biggest source of data breaches and cyber attacks. For example, association sponsors may well be a prime target. Therefore, we advise that everyone get prepared.
Below are our top tips for all organizations:
1. Master Your Data Universe
Make sure you know what data you hold, where it is and with whom you are sharing it. You should do a data flow map of all data, client and customer as well as employee, and review and update this on a regular basis. Don’t collect data that you do not really need, and retain it only for as long as you need it, or are legally required to keep it. This applies to B2B (business-to-business) and B2C (business-to-consumer) organizations.
2. Risk Assessment Adventure
Make sure you understand where vulnerabilities and risks could arise, and what level of risk you are prepared to run. Document your decisions around your level of risk appetite so that you can show that you have considered the issue and made the appropriate decision.
3. Policies and Procedures Blueprint
Ensure you have all the legally required policies and processes in place and that they are reviewed and updated regularly. Ensure that access to data is limited to only those who need it and is protected by a process and policy.
4. Busting Overconfidence Myths
Do not assume that your organization is unlikely to attract attention from the regulator, from threat actors who want to "attack" you, or from customers who want to know what you are doing with their personal data. All organizations should operate with appropriate data protection and cyber security protocols, and all are at risk of attack. Do not think that just because you are a small organization, you will not be targeted.
5. Third-Party Supply Chain Shield
Check with all organizations or individuals with whom you interact, share and collect data to ensure that they have the right security protocols in place. This can be done via a security questionnaire which you require them to complete. Some US states legally require all organizations to prepare a WISP (Written Information Security Program), which is a public-facing statement showing the security and privacy protocols that are in place (see section 9).
6. Data Sharing Strategy
Make sure you have a suitable data sharing agreement in place if you are sharing your data with any other organization, such as a sponsor and/or a supplier, or with any software platform you use (see section 9 regarding the WISP). Data security incidents frequently occur in the third-party supply chain, so make sure those with whom you share data are as responsible in its treatment as your organization.
7. Cross-Border Compliance Navigator
If you are operating in more than one region, state, and / or country, or have clients, sponsors, suppliers in more than one country or state/region, make sure you are operating within the appropriate data protection laws that relate to that jurisdiction or
8. EU / UK Representation
If you are operating in the EU or UK but do not have a legal entity there, yet have members, customers or clients there, you may need a representative in those regions who acts on your behalf in data privacy matters when dealing with regulators and/or customers who are resident there.
9. WISP Compliance Check
The Written Information Security Program is a legally required document in many regions. Make sure you have this document, which is a publicly available statement demonstrating that you have the correct data protection policies and procedures in place. You should always ask any other organization with whom you interact and intend to share data for a copy of their WISP. If they do not have one, you should ask them to complete a supplier / third-party questionnaire.
10. Comprehensive Data Protection Training
Ensure that all staff (including the board and senior management) are regularly trained and understand their obligations under the data protection law that applies to their daily work. Board directors are personally responsible for any failure in their organization's security measures or for any contravention of data privacy regulations. There are laws coming into force which compel all organizations to train their staff in data privacy and cyber security, and to test their systems on a regular basis. All executives and board directors need to take responsibility for the protection of all the data they hold, whether they are a membership organization or charity, a B2B or a B2C company. They are liable under several data protection and privacy regulations, and we are now seeing action by regulators such as the SEC, under which directors are being investigated, sued and fined. So they too should be aware of the data protocols that are in place; do not leave it to the CIO. Be prepared, be aware and get involved. Every organization needs an accessible incident response plan which details the actions to take and the people to involve.
No organization is immune, nonprofit or for profit: according to recent statistics, 66% of organizations say they have been affected by a cyberattack within the past year. All data protection and cyber policies and procedures must be reviewed and approved, looked after and managed, monitored and maintained. Above all, they must be communicated to all parties. The data held by membership organizations, conference centers and hotels, sales companies and retail outlets is all valuable to someone, not least the organization that "owns" it. It is often the personal information of individuals, so it should be protected at all costs.
“It takes a lifetime to build a reputation and only seconds to destroy one.”
The investment required to introduce cyber security and data protection measures, in order to minimize and mitigate the risk of attack and to be ready to respond quickly, efficiently and effectively when an attack occurs, is several times lower than the actual, opportunity and reputational costs that an attack will impose on any organization.
“The greatest cost to any organization is ignorance”