POSTED ON July 23, 2018

With today’s current Information Technology (IT) environment, data breaches and cyberattacks should no longer be an afterthought. Nonprofit organizations both large and small generate and manage large volumes of important information electronically and IT Security is essential to an organizations survival. An essential part of an organization’s survival and continued operations is their IT Security.

Living in California, we are always faced with the threat of an earthquake. The disasters that are often overlooked are the ones that don’t make the news. A water main in the floor above us breaks, a gas leak or any other incident that makes our offices uninhabitable. Being unavailable to clients following disasters such as a water main break or a gas leak can damage client relationships should a company not have a business continuity/disaster recovery plan in place.

Often overlooked, natural disasters pose a large threat to nonprofit organizations IT. Yes, hurricanes, earthquakes, tornadoes, fires and floods should be considered when building your IT governance and performing your IT risk assessment.

Developing a Disaster Recovery Plan

A Disaster Recovery Plan (DRP) should be developed to ensure operations will not be significantly impacted and interrupted in case of a natural disaster. Zetta, an American company specializing in data recovery for small and mid-sized businesses, surveyed approximately 400 IT professionals noting two in every five companies do not have a documented DRP, and companies with a written plan only tested their DRP once a year. This shows that organizations have no recorded business continuity plan set up or they have not thought about what they would need to do in order to keep operations going after a disaster or disruptive event. This is a sure way of losing all-important information to the organization. A DRP is a vital preventative step to help mitigate IT risks.

When developing a DRP here are 10 things your organization should consider or your plan should cover:

  • Complete and compile an inventory of all IT hardware (e.g. servers and laptops), software applications and data.
  • Identify what data to back up, and then perform backups regularly. The data should be checked periodically to ensure that it was accurately backed up.
  • Assess how often and where backups are sent, whether it be tapes, large capacity USB drives, physical servers or to a “cloud.”
  • Consider implementing a “hot site,” which is a site outside of the organization’s headquarters that is completely compatible to take over processing and operations of the organization.
  • Perform a risk assessment to identify all potential threats and possible solutions or reactions.
  • Identify critical and key people who are responsible for responding to a disaster. Make sure contact information is readily available for everyone in the organization.
  • Document the organization’s DRP, and ensure it is written down.
  • Test the DRP periodically (e.g. annually, quarterly, monthly), and perform practice drills to ensure it works.
  • Create a DRP Oversight Committee or Cybersecurity Risk Management Committee.
  • Revisit the DRP at a minimum annually, and consider updates.

Do a Self-Assessment

  • Does your Nonprofit have a DRP?
  • If your Nonprofit does have a DRP, has it been updated recently?
  • How will your Nonprofit respond to a disaster or cyberattack?

Again, with today’s ever-changing IT environment and technology, these are questions your organization needs to, and should, consider.

There are many benefits gained with a well-planned and written DRP. These include minimizing risks of delays or interruptions, creating a sense of security, reducing potential legal liabilities and reducing stress in the work environment. The biggest mistake organizations can make concerning cybersecurity is waiting until after a cyberattack or disaster to act and figure out what the next steps are. Being unavailable to clients following disasters, even as minor as a water main break can damage client relationships should a company not have a business continuity/ disaster recovery plan in place. Do not wait, but rather be proactive and start implementing preventative measures such as a DRP.

Contacting GHJ’ Nonprofit Team could be your first step in putting a plan of action in to effect and significantly reduce your Nonprofit’s IT risk and exposure.