Not If, But When: Developing a Risk Mitigation Plan for Your Arts and Culture Organization

Cyber attacks pose a major threat to all kinds of organizations, arts and culture nonprofits notwithstanding. Those in leadership positions at nonprofit organizations might not think their organizations are attractive targets, and as such, frequently fail to invest in adequate security measures. The reality is that this makes nonprofit organizations more vulnerable and cybercriminals are taking advantage. 

Nonprofit organizations, regardless of their scale, often manage significant volumes of highly sensitive data. They collect donations online, manage vast quantities of donor information, and maintain detailed employee records. As the infrastructure of nonprofits has become increasingly digitized, their attack surface has only grown. 

The prevalence of cyber attacks is increasing across every industry as new threats continue to emerge. If a nonprofit does not have an adequate risk mitigation framework in place, it’s not just their data that’s in jeopardy: their very ability to execute their mission is under threat.  

In this overview, we will detail the cybersecurity risks faced by arts and culture nonprofits. We will also explore the steps nonprofit leaders must take to implement a robust risk mitigation plan that helps protect their organization. 

What Cybersecurity Risks Do Arts and Culture Nonprofits Face?

As a byproduct of the fundraising process, many nonprofits collect and retain significant amounts of highly sensitive data. This information, particularly Personally Identifiable Information (PII), is extremely valuable to would-be attackers––a fact many nonprofits fail to realize. 

This lack of awareness of the organization’s cybersecurity obligations can prove extremely costly. The key risks associated with failing to adopt a sophisticated risk mitigation plan can be grouped as follows:

• Reputational Damage: material security breaches must be publicly disclosed. That causes significant damage to the nonprofit’s reputation, contributing to donors potentially scaling back their funding. Rebuilding this trust is far more difficult than recovering the assets lost as a result of an attack. 

• Legal Exposure: many nonprofits fail to recognize the regulatory obligations that come with collecting data from their donors, partners, and beneficiaries. If just one individual whose data the nonprofit holds is based in Europe, the nonprofit must handle their data in a manner that’s compliant with the EU’s General Data Protection Regulations, more commonly known as GDPR. 

• Operational Impacts: suffering from attacks such as ransomware attacks can bring a nonprofit’s operations to a halt, leading to canceled events, closed exhibitions, and other operational challenges. 

In the past couple of years, the volume and sophistication of attacks nonprofit organizations face have increased significantly. 

One attack vector nonprofits are particularly vulnerable to is website spoofing attacks. These occur when a group seizes control of a nonprofit’s website and redirects donations or donor data. Another example is inference attacks, where attackers use data maliciously obtained from nonprofit databases to personally target employees, donors, and partners. 

The Value of a Risk Mitigation Plan

A risk mitigation plan provides nonprofit organizations in the arts and culture space with a framework that minimizes their risk profile. Mitigating obvious vulnerabilities lessens the organization’s exposure to attacks but does not eliminate it entirely. For this reason, many risk mitigation plans also include tactical elements including business continuity plans and incident response frameworks. 

By implementing a risk mitigation plan, nonprofits are better placed to quantify the adverse impacts of potential security breaches, take steps to strengthen their security profile, and ensure they are fulfilling their legal and regulatory requirements. 

Many nonprofit organizations, even large ones in the arts and culture sector, lack the internal cybersecurity resources to effectively implement a comprehensive risk management plan. Working with an external firm focused on risk mitigation enables nonprofits to understand their risk profile, adopt industry-standard cybersecurity controls, and ultimately, better protect their organization against cyber threats. 

Developing a Risk Mitigation Plan for Nonprofits

At Smith + Howard, our Cyber Risk Management + Compliance practice has significant experience developing risk mitigation strategies for nonprofit organizations in cultural industries. Our team uses a comprehensive three-step process that quantifies the potential business impact of a breach, assesses risk, and aligns stakeholders on the implementation of an organization-wide information security framework. 

Read on for a brief overview of the process. 

1. Business Impact Analysis

Risk mitigation plans typically begin with a business impact analysis. This process evaluates the security systems currently used by the nonprofit and assigns a financial value to key assets, including databases of sensitive information. The analysis also qualifies the potential impact an attack would have on a nonprofit’s ability to carry out its mission. 

This portion of the analysis establishes a baseline and demonstrates to nonprofit leadership the potential cost of a breach in terms of lost fundraising revenue or a temporary pause in operations. 

2. Risk Assessment

A risk assessment identifies the specific security risks that a nonprofit faces through a comprehensive analysis of three distinct pillars: a nonprofit’s people, processes, and technologies:

• People: the leadership, employees, and volunteers of the nonprofit should all be aware of their security obligations, particularly when it comes to managing sensitive information and reporting suspicious activity. 

• Processes: a data impact analysis evaluates the data a nonprofit organization captures and stores, assessing how data flows through the organization, how long it is retained, and whether regulatory requirements are being met. 

• Technologies: effective risk mitigation demands advanced cybersecurity technologies, which are lacking in many nonprofit organizations. As part of the risk assessment, these gaps will be identified. 

Following the completion of the risk assessment, it’s possible to evaluate the maturity and strength of the nonprofit’s overall cybersecurity posture and to recommend the scope of further engagements to strengthen this. 

3. Implementation of an Information Security Framework

Establishing the risks that arts and culture organizations face and showing the potential business impact of these is ultimately fruitless unless the nonprofit implements a robust cybersecurity framework to address these. 

In this stage, it’s important to align cybersecurity controls with the strategic goals of the wider organization. Using a predefined set of controls, such as the NIST Framework, is a systematic approach that effectively aligns the nonprofit with industry-standard cyber controls. 

Ongoing Risk Mitigation

Risk mitigation is not a one-off exercise. The threat landscape is constantly evolving and it’s important that nonprofits continue to invest in their cybersecurity infrastructure to maintain a robust defense. 

In this regard, conducting an annual risk assessment and maintaining a risk register is considered best practice. A risk register is a living document that details the nonprofit’s vulnerabilities. This document should be updated as security challenges are addressed and new risks are discovered. 

Cyber Risk Management + Compliance Services with Smith + Howard

Arts and culture organizations that take a proactive approach to risk management are significantly more secure in the long term. It’s often the case that nonprofit organizations fail to realize their obligations as stewards of confidential donor, employee, and partner information, and consequently, do not invest in building an effective security infrastructure until they fall victim to an attack. 

If you’re in need of guidance developing or revitalizing a risk mitigation plan for your arts and culture organization, the Cyber Risk Management + Compliance team at Smith + Howard can assist you. Our security consultants partner with nonprofit organizations across the country to quantify risk, implement proven security frameworks, and maintain data integrity. 

To learn more about developing a risk mitigation plan for your arts and culture organization, contact an advisor.