Duty of Care: Your IP & Data Protection
By Dr. Randal Dick | Nonprofit Principal
Most boards work very hard to avoid risk and negligence. It is getting more difficult every year, especially since cyber threats are coming from commercial enterprises and not just isolated individuals. Cyber threats are now priorities for nation-states and have become potential weapons for terrorists.
A Clear and Present Danger
Nonprofits may feel that they are small, low-risk targets. This is not true. Most cyber attacks begin with automated tools that neither know nor care whom they are attacking. Once the automation finds a way in, the humans get involved and evaluate whether the target contains something worth their while. That can range from encrypting your data and charging a ransom to get it back, to gathering enough information about major donors to steal their identities.

Part of the board's duty of care in this environment is to create policies that make cyber protection an organization-wide priority, and then to monitor for compliance. This simple expression of the duty of care may make all the difference when you consider the following. According to cybersecurity company and Microsoft partner adaQuest:
- Most phishing campaigns are preventable
- 90 percent of successful intrusions start with an email
- 23 percent of people open phishing messages
- Most successful intrusions use fear and urgency as motivators
If something or someone has not created an environment where defense remains top of mind, the attackers have a good chance of eventually getting through.
The Trap of Convenience
In the competition between security and convenience, convenience will eventually win unless intentional effort is put behind security. The Equifax breach, the latest mega-breach, was the result of one employee who, for convenience, ignored security procedures. A security patch had been available to Equifax for over a month, but it was not installed in a timely manner.
The attackers were inside Equifax for an extended period. According to adaQuest, when a breach goes undetected, attackers spend an average of 180 days inside the company or organization. The first thing they go for is the administrator's login — that is the holy grail. If they can compromise that login undetected, they can go anywhere and take their time mining all the relevant data of the organization. They search for keywords such as "account," "password," "bank," and "benefit." They get to know the company, and in some cases have studied its leadership closely enough to send emails that convincingly appear to come from an executive. Imagine what damage that could do to your organization.
So, what to do? The best defense is taking care of all the small things. The IT people build and maintain the organization's defenses, but everyone else has to care enough to use strong passwords, change them when asked, and avoid using a birthday or anniversary. Microsoft estimates that more than 50 percent of Office 365 users have not turned on all of the security tools available in the software. Meanwhile, 6,449 new cyber threats were uncovered in 2016. Only care and a commitment to vigilance from everyone in the organization can keep the cyber hordes out.
About the Author
Randal is a results-driven, development and execution-oriented leader with more than 25 years of experience leading high performance teams. He’s a proven business professional, capable of leading change in both the boardroom and on the frontline, with a strong track record leading strategy development, entrepreneurship, performance and evaluation globally across a variety of social enterprises and functions.
Prior to joining OneAccord, Randal was the president of Profit Environment, a startup company that brings new solutions to enable CEOs to recapture profit lost due to an unhealthy corporate culture. At Design Group International, Randal was a senior consultant and his focus areas included organizational development, operations improvement, governance excellence and interim leadership.