Will you still be the CEO if your association or nonprofit becomes the victim of a cybersecurity hack?
The precedents are troubling. Target’s CEO had been with the company for 35 years when the board requested his resignation after a credit card security breach affected 40 million customers. You might also remember the CEO of Sony who was fired after her company’s high-profile hack.
CEOs also take the fall for employees’ mistakes. An Austrian aerospace manufacturer fired its CEO after someone successfully impersonated him in a phishing attack that caused an employee to transfer $47 million to the hacker’s account.
Getting serious about cybersecurity is now part of a CEO’s job security.
Learn what you need to know as a CEO about cybersecurity before your board asks you a question you can’t answer. Even if your board doesn’t normally delve into those types of questions, they could if you talk with any of them right after a headline-grabbing hack. Or, if a board member experiences their own security breach, they may take fiduciary duties to a new level by asking you some tough questions about security.
10 things an association CEO needs to know about cybersecurity
Understand cybersecurity fundamentals. Become comfortable with the basic language and practices of cybersecurity. You can start by reading our eBook, The Cybersecurity Watchlist for Association and Nonprofit Executives. It identifies the most likely security threats for associations, their cause and impact, and the questions you need to ask your IT team to ensure your organization is protected.
Then, keep your knowledge current by reading the security posts on the DelCor blog (better yet, subscribe to blog updates using the form on this page), the technology posts on Associations Now, and the Technology Section discussions on ASAE Collaborate.
Obtain cybersecurity insurance. Does your association carry cybersecurity insurance, and is your coverage adequate? DelCor isn’t an insurance company, but we’d be happy to put you in contact with quality, qualified insurance people to review or initiate coverage. We participated in a webinar on these risks, and you just might want to check it out.
Plan regular cybersecurity and risk assessments. Find out where your organization is most at risk so you can focus more resources there. Don’t put off an assessment to a budget-friendly “better time.” As guardian of your employees’, members’, and customers’ data, you can’t afford not to immediately identify your organization’s security vulnerabilities.
Understand existing security measures. Using our eBook as a guide, find out what policies, practices, and tools your IT team or Managed Services Provider (MSP) is using against threats like malware, ransomware, web app attacks, bots, email spoofing, and the many other variants of cybercrime. For example, are all your software, plug-ins, and other tools updated (patched) regularly? Is your organization using any old tools (like out-of-date browsers) that are no longer supported by developers?
Know your compliance requirements. Is your organization subject to PCI or other regulatory compliance? What about HIPAA compliance and/or certification? What level of compliance must you maintain? You must be able to talk intelligently with your board about the measures your organization takes to ensure compliance.
Understand implications of state, federal, and/or international data privacy laws. Which state, federal, or international regulations apply to your organization? For example, as the CEO, you should be able to discuss how your association is complying with the European General Data Protection Regulation.
Become a backup advocate. With ransomware becoming more pervasive, you must talk with your IT team about your organization’s backup strategy and practices as well as recovery objectives. How frequently and meticulously are backups made? How long would it take to completely restore your data in a worst-case scenario? Don’t forget about data residing on vendors’ servers.
Ask for an incident response plan. Charge a cross-departmental team with developing an incident response plan and a crisis communication plan. Make sure everyone knows what to do if your network is breached.
Be the champion for employee training. Security is everyone’s business. Everyone on staff must be educated about cybersecurity best practices, including mobile device use and file storage procedures. Budget for and schedule regular security briefings and staff training. Deploy phishing tests so staff can learn how to respond to malicious emails and websites in real-life scenarios.
Lead by example. Show up for every training session and follow every security policy—if the word gets out that exceptions are made for you, you’ll never establish a culture of security.
Know what’s in your security policies. Who’s responsible for developing your organization’s security policies? How often are they reviewed and updated? How effectively are they communicated to staff? Make sure you know (and follow) these policies and understand the reasoning behind them.
The cybersecurity hack stops with you, the association CEO.
As the CEO, you have a key role in creating a culture of security at your organization—a topic I’ll cover in my next post. Security is not IT’s job, it’s everyone’s job, and your success as CEO may depend upon that. Set aside time to discuss these issues with your IT team or MSP so you can confidently discuss cybersecurity with your board and staff—and avoid becoming a security risk yourself.
Our eBook, The Cybersecurity Watchlist for Association and Nonprofit Executives, includes the questions you need to ask your IT team to determine whether you have anything serious to worry about. Download and review it with your IT staff to protect your organization—and your job.