Author: Brian Merriam
Of great importance is a discussion of what can be done to avoid a cyber event or lessen its impact. So important is this subject matter that the top U.S. national security advisors gathered with officials from 30 countries this past October to discuss how to combat the growing threat of ransomware and other cybercrime. So what are the things your nonprofit organization should "nevermore" do?
- Nevermore should an employee go untrained to recognize phishing emails (social engineering, ransomware, etc.).
- Nevermore should your enterprise go without cyber policies and procedures (accounts payable, human resources, etc.).
- Nevermore will your leadership leave undone a cyber risk assessment to identify vulnerabilities or exposures.
- Nevermore will your institution fail to identify who has access to your network.
- Nevermore will your specialists fail to review and implement cybersecurity measures, such as multifactor authentication.
- Nevermore will you fail to purchase cyber insurance and review the services provided by your insurer.
- Nevermore will you fail to identify and appoint a "breach coach."
- Nevermore will you fail to review your carrier's vendor panel (legal, forensic, public relations, crisis management).
- Nevermore will your board fail to advocate for an incident response plan and test it.
The essential matter here is to take cyber risk seriously before an event occurs. Insurance companies offer many great services, but once an event has occurred it will be difficult to obtain a reasonably priced insurance program and establish such a partnership. Therefore, it is imperative that you first have the protocols in place to stop (or at least greatly lessen) an event so that, once you apply for coverage, an insurance company is willing to come to the table and offer you its services. Nevermore will you allow your organization to be a vulnerable victim of cyber risk.