Insights
Industries: Nonprofit

Cyber risk continues to be a major concern for organizations of all kinds. According to Gartner’s “Top Corporate Governance Trends for 2024,” 64% of directors ranked cybersecurity and data privacy among the top five board oversight topics in 2023, while 38% said they believe cybersecurity is the most challenging area for the board to oversee. At the same time, global cyberattacks are rising and the average data breach cost reached an all-time high in 2023. Therefore, a strong cybersecurity defense is critical to protecting your investors and clients from the damage a cyberattack can cause.

This is especially important for nonprofit organizations, particularly those focused on education. The education sector had the highest ransomware attack rate as of 2023, according to Sophos’ most recent “State of Ransomware” report. 80% of elementary, middle and high schools and 79% of higher education institutions reported sustaining attacks in the year leading up to the survey. Additionally, lower education organizations were the most likely — across all sectors — to report losing business or revenue due to ransomware incidents. In one recent example, the ransomware gang Vice Society struck the Los Angeles Unified School District, California’s largest public school system. When the district refused to pay the ransom demand, the operators leaked 500 GB of stolen data on the dark web.


Download exclusive insights: A white paper on materiality and cybersecurity


The importance of cybersecurity governance for nonprofit organizations

If you’re a nonprofit planning to reassess your cybersecurity policies this year, governance will be critical to your success. With a robust cybersecurity governance process in place, an organization is better prepared to effectively mitigate risks, address threats, and meet regulatory and compliance responsibilities. Cybersecurity governance means that the board and management understand the cybersecurity program, are involved in decisions, and actively participate in risk acceptance, mitigation or transfer.

The three pillars of cybersecurity governance

There are three pillars of cybersecurity governance: What are you doing? Is it enough? How do you know? Let’s take a closer look at each of these and what they mean.

What are you doing? 

First, you should fully understand the cybersecurity program and governance model you currently have in place.

This means you should:

  • Understand the data you’re collecting and how you’re collecting it.
  • Ensure you store the minimum amount of data you need to run your organization.
  • Understand regulatory compliance obligations.

Is it enough? 

Your cybersecurity plan should involve a constant process of evaluating risk and ensuring you are comfortable with that risk over time. If you determine that your residual risk is too high, it may be time to make additional investments in security and controls, such as cybersecurity insurance, to reduce or transfer that risk.

The following are a few considerations:

  • Do you understand your risks?
  • Are you meeting compliance obligations?
  • Do you have controls in place to ensure only certain people have access to and can modify specific data?
  • Do you have redundancy, backup, recovery and resiliency plans in place?

How do you know? 

Knowing you are prepared is about having the right monitoring processes and understanding how you would react to cybersecurity events.

Ask yourself:

  • Do you have appropriate monitoring to detect a cyber breach should one occur, and has a third party validated that it functions as intended?
  • If an attack succeeds, do you have processes in place to help you recover?

Start building a cybersecurity governance plan today  

BPM offers Cybersecurity Assessment Services, including penetration testing and incident assessment support. Our independent team evaluates your organization to identify your information security weaknesses and helps you understand where threat actors are most likely to strike. Then, we work with you to build a methodology to manage cybersecurity risk and develop risk-prioritized recommendations and controls so you can respond to and monitor an attack should the worst occur.

If it’s been a while since you’ve evaluated your cybersecurity plan, learn how we can help prepare you for whatever cybersecurity threat might come your way.

Contact us today to get started.


Headshot of Daniel Figueredo.

Shannon Winter

Related Insights
Subscribe