One of my core messages in Managing Your Nonprofit for Resilience was that we must integrate risk management into everything we do, and cybersecurity is no exception. Rather than see it as a standalone technical issue, nonprofits should embed cybersecurity into their overall strategic planning and continuity planning. This is exactly how we approach resilience with our clients at Risk Alternatives, tying cybersecurity into broader frameworks like Business Continuity, Lean Strategic Planning, and our Foundations for Growth program:
- Business Continuity Planning (BCP): A cyber attack is a modern disaster. Just as you’d plan for a fire or flood, you need a plan to continue operating during and after a cyber incident. A solid BCP will include scenarios for technology outages or data breaches, for example how to serve beneficiaries if your CRM is down, or how to communicate with donors if email is compromised. Investing time in continuity planning pays off immensely during a crisis. It can be the difference between a brief disruption and an existential threat. If you haven’t developed a BCP, start small: identify your critical processes and figure out manual workarounds or backup arrangements. We even offer a free template to help nonprofits create practical continuity plans, because this is such a cornerstone of resilience.
- Foundations for Growth (FFG): This is our framework for instilling a risk-aware, continuous improvement culture in nonprofits. It blends contemporary risk management and lean principles to create a “See Something / Say Something / Do Something” mentality across the organization. How does that help cybersecurity? It means everyone, from the frontline team to the CEO, is encouraged to identify potential risks, to speak up about them, and to take action or escalate the issue. FFG engagements assemble cross-functional teams to brainstorm risks and solutions, often identifying cybersecurity gaps that leadership wasn’t aware of. By the end of the engagement, the organization has a prioritized risk register and team buy-in to tackle those issues. It’s powerful to see nonprofits thrive after adopting this mindset. They become not only safer online but also more resilient and proactive overall. In essence, FFG builds the internal capacity so you’re not constantly in fire-fighting mode. Instead, you’re anticipating and mitigating risks like cyberattacks before they grow large. It turns cybersecurity from a scary unknown into just another challenge you’re ready to meet.
- Lean Strategic Planning: Traditional long-range plans often overlook emerging risks, but our Lean Strategic Planning model bakes in an “early warning system” for threats and opportunities. When you adopt lean planning, you regularly scan your environment, both internally and externally, and adjust your strategy in real time. This means cybersecurity considerations are reviewed as part of strategic updates, not set aside for 5 years. For instance, if ransomware becomes a heightened threat this year, a lean plan will prompt leadership to allocate resources or change tactics now, rather than waiting for the next strategic planning cycle. Lean planning keeps your objectives aligned with reality and ensures that initiatives like improving IT security are prioritized appropriately alongside programmatic goals. It’s about being agile and proactive, exactly what’s needed in cybersecurity. Integrating cyber risk into strategic planning also signals to your whole team that resilience is a strategic imperative, not just an IT checkbox.
In practice, these offerings complement each other. For example, through a Foundations for Growth process, you might identify cybersecurity as a top risk; Lean Strategic Planning ensures you integrate that into your organizational goals and Business Continuity Planning prepares you to handle the worst-case scenario if it happens. The common thread is resilience – the ability to absorb shocks, adapt, and continue your mission. Cybersecurity efforts strengthen resilience, and a resilience focus in turn strengthens cybersecurity.
Look, I know firsthand that many nonprofit leaders feel overwhelmed by cybersecurity. You’re juggling fundraising, programs, HR. Now you have to be an expert in cyber threats too? My message is: You’re not alone, and you can do this. Cybersecurity is manageable when approached as part of overall good management. You didn’t get into the nonprofit world to worry about firewalls and phishing emails, but this is part of stewarding your mission in the 21st century. Just as you safeguard your clients’ privacy or your organization’s finances, you must safeguard your digital assets and data. The steps we discussed are not expensive or highly technical. They are well within reach of even the most modest organizations, and they work – they have prevented real-world incidents and saved nonprofits from catastrophe.
In closing, I encourage you to take one step today. Maybe schedule a cybersecurity training session for next month or bring up cyber risk at the next board meeting or download our continuity plan template. Small actions, over time, lead to big improvements. My team and I are here to support you in this journey, whether through planning workshops, risk assessments, or just sharing insights. Together, we can ensure that a cyberattack, or any crisis, doesn’t derail your vital mission. After all, resilience is not about avoiding storms; it’s about learning to weather them and keep moving forward. Let’s fortify your nonprofit to face whatever comes and keep your important work thriving safely in the digital age.