Good cybersecurity practices start at the top and trickle down throughout the organization, which means your board members should lead by example. This powerful group is responsible for knowing everything about your organization, including its strategic direction, fundraising strategies, and any risks that threaten those plans.
As a board leader myself, I understand the temptation of skimping on your cybersecurity practices — especially if you lead a small organization. Aren’t there much more important things that your team should be focusing on? Well, of course your team has a lot on its agenda, but you can’t push those initiatives forward with confidence if your security practices are lackluster.
Technology can be a powerful resource, but with it comes the threat of cyberattacks. Taking the time to educate your team on security issues and implement measures to counteract any challenges now can prevent some major problems later on.
There’s no better time to reassess your board security practices than now, as we enter the new year. To help, we’ll explore the following core strategies:
- Implement password requirements.
- Offer scalable and protected solutions for remote workers.
- Invest in secure board software.
- Have a plan in place in case a cybersecurity breach occurs.
You don’t want poor cybersecurity protocol to get in the way of your board members’ responsibilities. Start devoting some time in your meetings to discussing different strategies. Your board will spend a lot less time worrying and a lot more time leading!
Implement password requirements.
It can be tempting to reuse the same passwords over and over so we don’t forget. After all, what’s more frustrating than trying to log into a platform in a time-sensitive situation just to realize you’ve forgotten your password? Well, I’d say that someone hacking into your account is even more frustrating than that!
Implementing password requirements, particularly on your board of directors, is a very simple step that any organization can (and should) take!
Between email, their board management solution, and other tools, your board of directors has access to a lot of platforms that hold sensitive information. Protect their accounts by implementing password requirements like:
- Minimum password length. Longer passwords are often harder to crack than shorter ones. Set a rule that passwords should be at least eight characters long (or even longer than that!).
- A mix of character types. This might mean requiring at least one of each of the following: lowercase letters, uppercase letters, numbers, and special characters (like punctuation).
- No commonly used passwords. You’d be surprised how many people use the same exact passwords. Provide everyone with a list of the most commonly used passwords, and ask that they don’t use those.
- Frequent updates. The more often people update their passwords, the less likely it is that hackers will be able to crack them. Consider having people update their passwords every 180 days or so.
Simplify this step by using platforms that automatically enforce secure password requirements. That way, you don’t have to worry about anyone using a poor password and slipping under the radar. You’ll also want to mention that board members shouldn’t write down their passwords where anyone else can access them.
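For teams that want to see what automatic enforcement looks like, here is an added example (not code from this article or from any board platform) that checks a password against the four requirements listed above. The function name, the tiny deny-list, and the rule that strips trailing digits and punctuation before the deny-list lookup are assumptions made for illustration.

```python
import string
from datetime import date, timedelta

MIN_LENGTH = 8                  # "at least eight characters long"
MAX_AGE = timedelta(days=180)   # update "every 180 days or so"
# Constructed sample deny-list; a real deployment would load a much longer one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

CHAR_CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "number": string.digits,
    "special character": string.punctuation,
}


def check_password(password, last_changed, today=None):
    """Return a list of policy violations; an empty list means compliant."""
    today = today or date.today()
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    for name, chars in CHAR_CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"missing a {name}")

    # "Password1!" satisfies the character-mix rule but is still a common
    # password with decoration, so compare the lowercased value both as-is
    # and with trailing digits/punctuation stripped (illustrative assumption).
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    if {lowered, stripped} & COMMON_PASSWORDS:
        problems.append("on the commonly used password list")

    age = today - last_changed
    if age > MAX_AGE:
        problems.append(f"not changed in {age.days} days")

    return problems
```

The case worth noticing is a password such as `Password1!`: it meets the length and character-mix rules and is rejected only because of the commonly-used-password check.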
Offer scalable and protected solutions for remote workers.
There has been a massive shift to remote operations since the start of the pandemic. Like many others, I’ve enjoyed the flexibility of remote work. But we must recognize that going virtual presents major security risks that we haven’t had to face before — at least not to this degree.
While working from home, more data is being exchanged digitally than ever before. Not to mention, more people are using personal devices and home networks, making it easier for cybercriminals to attack.
Your board of directors in particular needs scalable security solutions to continue fulfilling responsibilities remotely without worrying that their work will be compromised in some way. Here are some steps you’ll want to take into account to make remote operations more viable and trustworthy:
- Run secure virtual meetings. Meetings are a crucial time for your board members to discuss strategies and make important decisions. They need the option to continue meeting while physically apart. Boardable’s guide to hybrid board meetings explains that one of the primary concerns with virtual and hybrid meetings is cybersecurity. Whether your meetings are entirely or only partially virtual, the solution you use should prevent uninvited guests from joining. Just like for your virtual and hybrid events, select a protected solution that uses SSL certification to encrypt data and allows you to require a password to join.
- Provide them with devices. While it’s likely not doable on a slim budget, some organizations provide their board members with devices that they should use strictly for board work. Doing this makes it incredibly easy to wipe the device if it’s lost or somehow falls into the wrong hands.
Cybersecurity oversight has now become a hot topic for boards everywhere because of remote work. Offering scalable solutions for members who engage in board activities remotely should be on the top of your priority list if it isn’t already.
Invest in secure board software.
A good bit of the work your board completes will be done within your board management platform. Between managing documents, deciding on important matters, and anything else they tackle, a lot goes on within this type of platform.
Many resources point to secure software solutions as one of an organization’s first lines of defense. It doesn’t matter if you’re looking at developing a website for the organization, collecting donations, or governing the entire organization. You should double-check that your solution implements the appropriate security measures.
In regard to board management, here are a few considerations to bear in mind when assessing the security of your solutions:
- Secure Document Storage. Your board handles a lot of private documents between strategic plans, budgets, and governing documents. Make sure documents are encrypted when uploaded to your board platform. You should also be able to limit the audience for each document or folder. That way, users only have access to the resources they actually need.
- Secure Sockets Layer (SSL) Certification. SSL is the standard technology for keeping an internet connection secure and protecting any sensitive data that’s being shared between two systems. A board management platform that has SSL certification (you may also see it described as TLS certification, after SSL’s successor, Transport Layer Security) will safeguard any data shared between two online board users.
- Customer Data Encryption. Make sure any data you share is protected, particularly payment information. You’ll need to pay for your board management solution, and the last thing you want is for your credit card information or any personal details attached to the account to be compromised. Ensure your credit card information is protected at every point in the payment process by making sure your board management provider uses a PCI-compliant payment processor. No need to worry about your organization’s funds this way.
Your board management platform provider should take security seriously. So when you’re looking for a new system, ask about their security policy and what measures they take to protect your information. It’ll be apparent if they take it as seriously as they should. This really goes for any software your team invests in.
You’ll also want to check that they assess their cybersecurity protocol on a regular basis. Trusted providers may regularly simulate a cyberattack on their system to check for potential vulnerabilities — often annually. This helps ensure that their platform is doing everything it can to protect your organization’s data.
Have a plan in place in case a cybersecurity breach occurs.
So you put all of this security protocol in place, yet a breach still occurs. What’s next? Well, you should have an emergency response plan in place and should always be prepared for the worst, even if it’s unlikely to happen.
Bloomerang’s guide to nonprofit cybersecurity mentions that 68% of nonprofits don’t have documented policies to implement in case of a cyberattack. You don’t want to be on the wrong side of that statistic!
In the event that a breach happens, here are a few steps your team should take to reduce the chaos and get everything back in line:
- Assign specific roles and define the chain of command. Clarify the roles of different team members. Some boards establish a specific committee devoted to managing cybersecurity. Within this committee, you might have someone who will organize internal communications, another person who will manage external communications, and someone else who will take mitigation steps.
- Make sure everyone is on the same page internally. First things first, make sure to communicate with your board and other internal leaders about what will be said externally. There needs to be a single version of the truth regarding what happened and what the game plan is for moving forward, so everyone outside of the organization still has some trust in the organization during an inherently tense time.
- Be transparent about what information was compromised. Defining reporting requirements is crucial before an attack ever occurs. While storing stakeholder data can be incredibly useful for campaigns, that also means security incidents often involve people who aren’t a part of the organization. Identify any legal reporting requirements and be intentional about communicating what information was compromised both internally and externally.
- Define different mitigation strategies. There are different types of cybersecurity incidents that can happen. Do your best to plan for different kinds. For example, if there’s a data breach, would you shut the compromised system completely down? Who makes the call to do so? What steps will you take to strengthen uncompromised systems?
Especially if your organization is large and well-known, you need to accept that there’s a chance your information will be breached despite your best efforts. Having an emergency response plan and updating it to account for new potential incidents will be immensely helpful if a breach does happen.
Be sure to set aside some time on the agenda to revisit your response protocol with your board members every so often. That way, everyone will be fully aware of what they need to do in these cases. You’ll also want to share a report of all cybersecurity incidents with your board — at least annually. Any incidents that pass a certain severity threshold should be brought to the board immediately, allowing them to take the appropriate actions.
Final Thoughts on Cybersecurity for Boards
Especially with the shift to remote work, more boards and their organizations are talking about cybersecurity. It’s worthwhile to do your research and take extra precautions. Wouldn’t you rather do too much than too little and risk compromising sensitive information? What was just covered will give you a solid starting point.
If you need more ways to improve your cybersecurity protocol, brainstorm ideas with your board. Avoid group-think and put effort into thinking creatively about different cybersecurity issues. After all, two heads (or multiple in this case) are better than one!
Author: Jeb Banner is the founder and CEO of Boardable, a board management software provider for mission-driven boards. He is also the founder of two nonprofits, The Speak Easy and Musical Family Tree, as well as a board member of United Way of Central Indiana and ProAct. Jeb is based in Indianapolis, Indiana.