Governance

The Board's Role in Technology, Data, and Cybersecurity

You don't need to understand your firewall. You do need to know whether a ransomware attack could end your organization tomorrow, and who's on the hook.

The Board's Role in Technology, Data, and Cybersecurity
Photo by Taylor Vick on Unsplash

Somewhere in your organization there's a spreadsheet, or a donor database, or a case-management system holding the names, addresses, and sometimes the deeply personal stories of the people you serve. If that data leaked tomorrow, or got locked up by ransomware, or simply vanished because nobody had tested the backups, it would be your board's problem. Not because you configured anything, but because oversight of the organization's biggest risks is exactly what you signed up for. The trouble is that most boards treat technology as "an IT thing" and never ask about it until something's already on fire.

You don't need to become technical. You do need to stop treating cybersecurity as overhead and start treating it as what it actually is: a governance, insurance, compliance, and reputation issue that happens to involve computers. Here's how to do that without pretending to be an engineer.

Why This Lands on the Board, Not Just the IT Person

Every other part of your organization now runs on technology. Finance runs on accounting software, fundraising runs on a donor database, programs run on client-tracking tools, and communications runs on your website and email. A technology decision is almost never "just IT." It's a decision about mission, money, donor trust, and legal exposure.

Consider what a single breach costs you. Exposed donor data means broken trust and lost gifts. Locked-up client records mean you can't deliver services. And if your cyber-insurance carrier discovers you didn't have the basic protections you claimed on the application, they can deny the claim entirely, leaving the organization to absorb the whole loss. That last one is the quiet killer, and it's squarely a board-level concern.

There's a myth worth killing right now: that small nonprofits are too small to be targets. The opposite is true. Automated phishing and ransomware don't care how big you are. Attackers go after small organizations because their defenses are usually weak. Being under the radar is not a security strategy.

What "Good Oversight" Looks Like Without Micromanaging

Your job is to make sure the right protections exist and someone owns them, not to choose the antivirus product. The distinction matters. The board sets expectations and asks for evidence; staff (or a contractor) does the actual work.

There's a short list of protections that have become genuinely non-negotiable, most of them now required by cyber-insurance carriers and many grants:

  • Multi-factor authentication (MFA) for every user and every administrator. A password alone is no longer a lock. In security circles, "identity is the new perimeter."
  • Tested, immutable backups. A backup you've never restored is a hope, not a plan. Backups should be verified with a restore test quarterly and protected so ransomware can't encrypt them too.
  • Modern endpoint protection on every device, beyond basic antivirus.
  • A written incident-response plan — even three pages — naming who gets called internally, who calls legal, who calls the insurer, and who talks to the public if data is compromised.

If your organization can't confidently say it has those four things, that's your Year One agenda. You don't need to fix it in the boardroom; you need to make sure it gets fixed and then confirm it did.

The Board Dashboard: Six Numbers, No Jargon

The healthiest arrangement is a short, plain-language report to the board on a regular cadence, quarterly is fine. Ask your executive director or IT lead to bring you six things:

  1. A cyber-risk rating (a simple 1 to 5).
  2. What percentage of users have MFA turned on.
  3. What percentage of devices have endpoint protection.
  4. The date of the last successful backup restore test.
  5. When the incident-response plan was last updated.
  6. When cyber insurance renews.

That's it. If those numbers are trending the right way, you're doing your job. If the backup-test date is blank or two years old, you've found a problem before it found you. This is oversight: you're not running the systems, you're confirming they exist and holding someone accountable for them.

When a director asks "Are we okay?", the answer should be six numbers on a page, not a shrug or a wall of technical vocabulary.

Data Is a Trust, Not Just an Asset

Cybersecurity protects the data you hold. But the board should also care about what you collect and how. The constituents you serve didn't consent to being turned into an open-ended data mine. Good practice, and increasingly good ethics, means collecting only what you genuinely need, being transparent about why, and protecting it as carefully as you'd protect financial records.

This gets sharper with artificial intelligence. Staff everywhere are quietly pasting text into free AI tools to save time, and some of that text is donor data, health information, or board-sensitive material. Once it's in a consumer AI tool, you've lost control of it. The board doesn't need to ban AI; it needs to ask whether there's a simple acceptable-use policy that keeps sensitive information out of non-enterprise tools and keeps a human reviewing anything the AI produces. AI can draft. People still approve.

Plan Over Years, Not in a Panic

The organizations that overspend on technology are usually the ones making reactive, last-minute purchases when something breaks. A better pattern is a simple multi-year roadmap the board can understand as an investment story: Year One, stabilize and secure (get the non-negotiables in place); Year Two, optimize (consolidate duplicate tools, automate, claim the nonprofit pricing and credits you're probably leaving on the table); Year Three, scale (use technology to extend the mission).

You don't build that roadmap. You ask to see it, you make sure the highest-risk gaps get closed first, and you review it once a year. One practical nudge worth making: nonprofits qualify for real money in discounted and donated technology, from free or reduced software licenses to cloud credits, but those benefits lapse when nobody's assigned to claim and renew them. Asking "who owns that?" is a very board-appropriate question. Tools like NonprofitBOD can help keep these oversight items and renewal dates from slipping between meetings.

The goal here isn't perfection or technical fluency. It's awareness and accountability. Ask for the six-number dashboard at your next meeting. If nobody can produce it, you've just learned the single most important thing about your organization's technology posture, and you've started the conversation that protects everyone.

Rejoining the server...

Rejoin failed... trying again in seconds.

Failed to rejoin.
Please retry or reload the page.

The session has been paused by the server.

Failed to resume the session.
Please reload the page.