Cybersecurity Risk Management Strategies for Associations

February 18, 2025 By: Melissa Musser

With evolving cyber threats, it’s more critical than ever for associations to protect member data and organizational assets. Implementing a robust cybersecurity risk management strategy can safeguard sensitive information and maintain member trust.

Associations are facing increased incidents of data breaches, ransomware, and other emerging threats, thanks to the accelerating adoption of new technologies. In fact, cybersecurity is the top threat faced by all organizations today, according to experts presenting at GRF CPAs & Advisors’ second annual Cybersecurity Symposium. This article offers their practical strategies for managing these risks, integrating them into ERM frameworks, and aligning them with organizational goals.

Understanding Cybersecurity Risks for Associations

Associations face myriad cybersecurity risks, which can result in financial losses, reputational damage, legal liabilities, and operational disruptions. Common cybersecurity risks include:

  • Data breaches: Unauthorized access to sensitive information such as member data, financial records, and intellectual property
  • Ransomware attacks: Malicious software that encrypts data and demands a ransom for its release
  • Phishing scams: Deceptive emails or messages designed to trick recipients into revealing confidential information
  • Malware: Malicious software that can damage or disable computer systems
  • Insider threats: Security risks originating from employees or contractors

Cybersecurity Risk Management Strategies

To effectively manage cybersecurity risks, associations should adopt reasonable cybersecurity measures—practical, risk-proportionate, and aligned with industry standards and best practices. This involves anticipating potential threats, implementing preventive measures, and preparing for swift response and recovery.

To simplify this complex process, I’ve developed a graphic called the Cybersecurity Pathway, designed to guide associations through their cybersecurity journey. This pathway helps define what is “reasonable” within the context of your organization’s unique circumstances.

1. What Is Your Baseline?

The first step in the process is to conduct a thorough risk assessment to identify potential cybersecurity risks and vulnerabilities—this should be completed at least annually. Consider factors such as the association’s size, complexity, data sensitivity, and regulatory requirements. This assessment serves as the foundation for developing a tailored cybersecurity strategy.

  • Identify and evaluate potential threats.
  • Maintain an inventory of digital assets and resources.
  • Conduct thorough vulnerability and threat analyses.

2. What Comprises a Cybersecurity Program?

Based on the information gleaned from your risk assessment, the association should at least annually update its policies and procedures. The policies should align with industry-recognized cybersecurity frameworks and standards, such as the NIST Cybersecurity Framework or ISO/IEC 27001. Some key elements to consider in your policies and procedures are as follows:

  • Access controls. Implement role-based access permissions to restrict sensitive data access. Enhance security with multifactor authentication (MFA) and regularly review access permissions.
  • Advanced security technologies. Deploy firewalls and intrusion detection systems (IDS) to monitor and block threats. Use encryption to protect sensitive information, implement endpoint protection for devices accessing the network, and schedule regular data backups to ensure recovery in case of an incident.
  • Incident response and business continuity planning. Develop and maintain an incident response plan to respond swiftly to cybersecurity incidents. The plan should outline procedures for detecting, reporting, and mitigating breaches and restoring operations.
  • Third-party risk management. Assess and manage cybersecurity risks from third-party vendors, suppliers, and partners. Implement contractual provisions to ensure third parties adhere to cybersecurity standards and collaborate on incident response planning.
  • Continuous monitoring. Establish mechanisms for continuous monitoring of cybersecurity threats and vulnerabilities. Regularly update software, apply security patches, and conduct vulnerability scans to mitigate emerging risks and ensure the effectiveness of security controls.
  • Integrating cybersecurity into enterprise risk management (ERM). Aligning cybersecurity with organizational goals requires executive support and defining acceptable risk levels. Embedding cybersecurity into the association’s ERM ensures that cybersecurity is not a siloed effort. Establish governance structures, including cross-departmental risk committees and regular leadership reporting, to maintain a unified approach to cybersecurity. To learn more about association ERM, review the ASAE article on Board Member Guidance for Association Enterprise Risk Management.
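The access-controls element above (role-based permissions, MFA, and a regular review of who still holds what) is the one most associations can check with a small script rather than a manual spreadsheet exercise. The following is an added example, not code from the article or from GRF CPAs & Advisors: it assumes a simple role matrix and a list of account records such as an identity provider or membership system might export, and flags permissions that exceed the account's role, accounts idle past a review threshold, and accounts without MFA (privileged ones listed first). All account data and the role names are constructed sample values.

```python
"""Periodic access review helper (added example; role matrix and account
records are assumptions about what an identity-provider export contains)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed role matrix: the permissions each role is allowed to hold.
ROLE_MATRIX = {
    "member-services": {"members:read", "members:update"},
    "finance": {"members:read", "finance:read", "finance:post"},
    "it-admin": {"members:read", "finance:read", "system:admin"},
    "volunteer": {"events:read"},
}

# Date the review is run against (constructed).
REVIEW_DATE = date(2025, 2, 18)


@dataclass
class Account:
    user: str
    role: str
    permissions: set
    mfa_enabled: bool
    last_login: Optional[date]  # None means the account has never logged in


# Constructed sample of account records; "bob" holds an admin permission his
# role does not allow, "carol" has no MFA, "dave" is idle, "erin" never logged in.
SAMPLE_ACCOUNTS = [
    Account("alice", "member-services", {"members:read", "members:update"}, True, date(2025, 2, 10)),
    Account("bob", "finance", {"members:read", "finance:read", "finance:post", "system:admin"}, True, date(2025, 2, 1)),
    Account("carol", "it-admin", {"members:read", "finance:read", "system:admin"}, False, date(2025, 2, 14)),
    Account("dave", "volunteer", {"events:read"}, True, date(2024, 6, 30)),
    Account("erin", "finance", {"finance:read"}, True, None),
]


def excess_permissions(accounts, role_matrix):
    """Permissions held beyond what the account's role allows (least privilege).
    A role missing from the matrix allows nothing, so all its permissions are flagged."""
    findings = {}
    for acct in accounts:
        allowed = role_matrix.get(acct.role, set())
        extra = acct.permissions - allowed
        if extra:
            findings[acct.user] = sorted(extra)
    return findings


def stale_accounts(accounts, today, max_idle_days=90):
    """Accounts idle longer than max_idle_days, or that have never logged in."""
    stale = []
    for acct in accounts:
        if acct.last_login is None or (today - acct.last_login).days > max_idle_days:
            stale.append(acct.user)
    return stale


def missing_mfa(accounts, privileged_marker="system:admin"):
    """Accounts without MFA; those holding the privileged marker are listed first."""
    no_mfa = [a for a in accounts if not a.mfa_enabled]
    no_mfa.sort(key=lambda a: privileged_marker not in a.permissions)
    return [a.user for a in no_mfa]


def access_review(accounts, role_matrix, today, max_idle_days=90):
    """Combine the three checks into one report for the review owner."""
    return {
        "excess_permissions": excess_permissions(accounts, role_matrix),
        "stale_accounts": stale_accounts(accounts, today, max_idle_days),
        "missing_mfa": missing_mfa(accounts),
    }


if __name__ == "__main__":
    report = access_review(SAMPLE_ACCOUNTS, ROLE_MATRIX, REVIEW_DATE)
    for section, items in report.items():
        print(f"{section}: {items}")
```

Each finding maps to a follow-up the review owner can record: remove the excess permission, disable or re-certify the idle account, and enforce MFA on the flagged users before anything else. Running the same script each quarter and keeping its output alongside the policy review gives the audit step later in the pathway concrete evidence that the control operates.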

3. Do Your Employees Know the Risks?

Cybersecurity training is essential for protecting organizations from cyber threats, as human error remains one of the biggest vulnerabilities. Training on policies and procedures as well as top threats ensures employees can recognize risks, handle sensitive data securely, and respond effectively to incidents. All employees, from entry-level staff to executives, should receive training, with specialized sessions for IT teams, volunteers, and third-party vendors. A well-trained workforce fosters a culture of security and strengthens the organization’s overall resilience.

Encourage employees to view cybersecurity as a shared responsibility by embedding it into daily workflows and emphasizing its importance in team communications. This aligns with the principles of ERM, where everyone is a risk manager, playing a vital role in identifying, mitigating, and responding to risks within their sphere of influence.

4. Are You Keeping Up to Date?

The last part of a cybersecurity pathway is providing assurance that policies and procedures are operating effectively. Cybersecurity audits are an essential part of an organization’s risk management strategy. There are various types of cybersecurity audits, each serving a distinct purpose and scope, and it’s important to understand these differences when engaging an auditor. Below are the most common types of cybersecurity audits:

  • Compliance audits: Ensure adherence to legal, regulatory, and industry standards
  • Vulnerability assessments: Identify weaknesses in systems and processes
  • Penetration testing: Regularly test systems to evaluate security measures
  • SOC 2 audits: Evaluate controls related to security, availability, processing integrity, confidentiality, and privacy, particularly when handling sensitive data or providing third-party services

If cybersecurity is considered a top risk within the association, we recommend appointing an independent representative outside of the IT department to oversee the audit progress and report findings to leadership.

Cybersecurity risk management is essential for associations to protect their digital assets, maintain member trust, and achieve their missions. By adopting proactive strategies and integrating cybersecurity into their ERM program, associations can effectively manage cyber risks and enhance their overall resilience.

Melissa Musser

Melissa Musser, CPA, CITP, CISA, CIA is a partner and director of risk and advisory services at GRF CPAs & Advisors in Bethesda, Maryland.