How would your nonprofit respond to a cyber incident? How should you create a nonprofit incident response plan?
Incident response plans are a valuable component of strategic nonprofit cybersecurity. Unfortunately, many organizations don’t have a robust plan in place – or, really, any plan at all. NTEN reports that 68% of nonprofits don’t have documented policies and procedures in case of a cyberattack. That’s the bad news.
The good news is that with a plan in place, your organization can drastically reduce cybersecurity risk. We’re here to help. In this article, we’ll discuss answers to four of the most common questions around incident response plans:
With this information, you should be able to update (or begin crafting) your plans to improve your cybersecurity stance. Let’s dive in.
Incident response plans are documented protocols and steps that are designed to help organizations effectively respond to cybersecurity incidents. Basically, they give organizations a game plan to make addressing cyber incidents easier.
Cisco defines an incident response plan this way: “An incident response plan is a set of instructions to help IT staff detect, respond to, and recover from network security incidents. These types of plans address issues like cybercrime, data loss, and service outages that threaten daily work.”
As that definition implies, your nonprofit may craft a generalized incident response plan, but the plan should also deal with specific scenarios directly. It’s best to be prepared.
The answer to this question is straightforward: incident response plans help organizations to minimize cyber damage.
Plans help organizations to be prepared. Just as pro sports coaches spend time crafting game plans in preparation for opponents, your organization should spend time crafting plans to respond to incidents – because proactive, strategic thinking tends to be better than reactive thinking.
If a cyber incident happens and no plan is in place, you’ll probably respond less effectively. You may be disorganized. The consequence is that your organization may face more damage.
Here’s what nonprofit incident response plans should entail.
Plans should document and clarify the roles of response team members, noting the responsibilities and decision-making powers of these parties. This may go as far as naming individuals (e.g. “Veronica will function as the Internal Incident Manager”), but more likely it will define roles at the positional level (e.g. “The acting CISO will function as Team Leader”).
Clarify who will organize internal communications, who will communicate externally, and who will take specific containment and mitigation steps. With clear role definition, response will be far more efficient.
Communication protocols should be outlined, too, so that team workflows are smooth and efficient. You should define channels you’ll use; if your network is compromised, for example, you probably shouldn’t be corresponding using the organization’s email platform. You may want to look into secure communication platforms for this purpose.
Additionally, your plan might include communication scenarios for multiple breach or incident types. Communication might flow differently in the event of a data breach than it might in the event of a ransomware attack.
This is where things start to get practical – and a bit technical. You should define the steps you’ll take in the event of various incident scenarios to contain risk and minimize damages.
For instance, in the event of a data breach, what steps would you take to harden uncompromised systems? Would you shut systems down in the event of an incident – and how would you make the decision to do so?
Working through containment and mitigation strategies proactively can allow for more intelligent decision-making before you’re under the pressure of a real response.
You’ll also want to include external considerations in your plan – security incidents often affect parties who aren’t part of your organization.
Your plan should identify any external or regulatory reporting requirements and establish action steps. This might include payment card industry requirements, HIPAA reporting requirements, or other regulatory protocols, depending on who your nonprofit serves and the nature of your work.
Plans should account for any external assistance that may be needed in the event of an attack and develop those lines of communication proactively.
If you’ll need to work with third-party vendors in the event of a data breach, for example, develop a list of possible partners and open up dialogue with them before a breach ever occurs. In the event that an incident occurs, you’ll have a shortlist of contacts to turn to.
This is the after-action stage of incident response planning, and it involves two main action items:
Incident response plans should be updated as contexts change (for instance, as internal players and external contacts change, or as new technologies emerge). This should certainly be done after an incident, when you can analyze what worked and what could have been improved.
If there are no incidents, you should schedule regular periods of review to keep plans up to date. At the very least, plans should be updated on an annual basis.
It’s also important to test plans to ensure that they work effectively and that individuals are ready to fill their roles. Testing helps to build preparedness so that plans remain top-of-mind.
Creating and maintaining an effective incident response plan can reduce the amount of cybersecurity risk your nonprofit faces. If you want to take the next step toward better cybersecurity, and create a nonprofit incident response plan, get in touch with us.
At Community IT Innovators, we’ve found that many nonprofit organizations deal with more cybersecurity risks than they should have to after settling for low-cost IT support options they believe will provide them with the right value.
As a result, cyber damages are all too common.
Our process is different. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure. And we ensure you get the highest value possible by bringing 25 years of expertise in exclusively serving nonprofits to bear in your environment.
Incident response plans are a vital part of any robust cybersecurity stance – but working with us can reduce the likelihood that you’ll experience an effective attack in the first place. If you’re ready to gain peace of mind about your cybersecurity, let’s talk.