Think that cybercriminals are too busy trying to hack into the computer networks of large businesses to go after your association? Think again!
“Associations are very much at risk, even though they wouldn’t necessarily seem like a prime target for malicious attacks,” said Nate Brown, director of AMS Solutions at Naylor Association Solutions. “As associations are beginning to capture more demographic data from and about their members, including using services like membership auto-renewal, that information is becoming much more attractive to bad actors.”
The biggest mistake associations can make when it comes to cybersecurity is assuming that such a problem will never target YOUR association, he added.
Here are nine ways to help protect your association’s computer networks and data from phishing attacks, ransomware, data breaches and more.
1. Understand your risks.
Cybercriminals today operate like well-organized businesses. They are ready to take advantage of any vulnerabilities that they find in your organization’s computers and systems.
“The largest risk associations face is leaving their member data available for hackers. Any system where data is stored and access is available online is a potential risk, so the more tech systems you have in place with member data stored (for example, an AMS, LMS, career center, email marketing software, and even your website), the more vigilant you need to be,” Brown said.
Unfortunately, organizations often make it too easy for hackers to get in.
“The reality is that most security breaches happen because of users and things that users do,” said Spencer Goad, director of product engineering, Novi AMS, an association management software provider. “This is through things like phishing emails, where users click on links in emails that come from nefarious actors. Another culprit is using poor passwords, and not using multi-factor authentication. Hackers will use all of those methods to access the system as if they’re you.”
The first step in your cybersecurity program should be a thorough analysis of all your systems to look for gaps in your protection. That includes checking with your vendors to see what security systems they have in place to protect your data. If the vendors don’t have good answers, it may be time to find others who can offer better security.
2. Improve password protocols.
One of the most basic steps you can take to protect your systems and your data is to make sure that all staff members – and any board or committee members who might have access to your system – are following good password protocols.
Brown recommends choosing complex passwords that include numbers, special characters, and upper-case and lower-case letters. They should be unique for every site you visit; don’t repeat a password. Use a phrase or a word that you can remember, but insert unique characters. (For example, “a$$oCiati∗n” is the word association complexified for security purposes.)
“Don’t share your passwords or accounts among different staff members, and definitely don’t share them with your members,” added Goad. “Give everybody their own unique account with the permissions that they need.”
One of the best ways to do this is to use a password manager like LastPass or 1Password. They enable you to generate unique passwords for every website without having to remember all of them.
Many companies are using multi-factor authentication, which requires not only a password but also a text message or a phone call that provides a code that you enter on the website. “You’re verifying that you both have your password, and that you have some physical device, like a phone,” said Goad. Multi-factor authentication makes it much more difficult for a hacker to access an account.
Never stay logged into a system on a computer that someone else may get physical access to. When employees leave – especially if there are hard feelings – make sure their access to the system is immediately cut off so their passwords no longer work.
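To show what the password advice above looks like when it is enforced rather than just recommended, here is an added example (not code from the article, Naylor, Novi AMS or any password manager it mentions). It implements the character-class rule, a random generator of the kind a password manager uses, and the “no repeats across sites” check over a vault. The minimum length of 14 is an assumption; the article gives no number.

```python
"""Password hygiene helpers, an added illustration of the section above.

- check_policy(): the recommendation of numbers, special characters and
  mixed-case letters, plus a minimum length (assumption: 14).
- generate_password(): what a password manager's generator does: a random,
  unique secret per site drawn from the OS CSPRNG.
- find_reused(): the "unique for every site" check over a stored vault.
"""
import secrets
import string

MIN_LENGTH = 14  # assumption: the article states no length; 14 is a common floor
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_policy(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def generate_password(length: int = 20) -> str:
    """Generate a random password that satisfies check_policy().

    secrets.choice() uses the operating system's CSPRNG; the loop simply
    retries until every required character class is present.
    """
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate, min_length=length):
            return candidate


def find_reused(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password stored under more than one site to the sites sharing it."""
    by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault; these are not real credentials or sites.
    vault = {
        "ams.example.org": "a$$oCiati*n",
        "lms.example.org": "a$$oCiati*n",
        "mail.example.org": generate_password(),
    }
    for site, password in vault.items():
        problems = check_policy(password) or ["passes policy"]
        print(f"{site}: {', '.join(problems)}")
    for password, sites in find_reused(vault).items():
        print(f"reused across {', '.join(sites)}")
```

Run as a script it reports that the article’s illustrative password fails on length and on having no digit, and that it is reused across two sites, while the generated one passes; the generator never reuses a value, so every site in the vault gets its own secret.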
3. Keep data segregated.
John Mitchell, chief information security officer, Nextech AR Solutions Corp., recommends siloing the information on your system. “At Nextech, we have two separate networks. One is the network to which 99% of our staff are connected, where they get their email, save or share files, where they chat – non-secure things. Our secondary network is our secured network, which contains high priority and high criticality data sets, which very few people have access to,” he explained.
Even if cybercriminals manage to get into the less secure network, they’re less likely to be able to access the more secured one with the important encrypted data.
4. Have good data governance policies.
“At the simplest level, that means don’t keep data you don’t need,” said Goad. Do you have personal information on people or organizations that haven’t been members in 20 years? How much value is that to your association, especially when you consider the risks that you could be facing if that information got out or some unauthorized person got access to it?
Implement policies that spell out when you get rid of data that you don’t need, and how you limit access to data that you need to keep.
You may also want to rethink access to your member directories if you make them publicly available on your website. It might be better for their security if you kept this data in a members-only area, where it’s less accessible.
5. Consider bringing on a security partner.
Keeping up with cybersecurity threats is an ongoing battle, and associations don’t usually have the resources to dedicate someone full time to this work. A company that specializes in this area could be a valuable resource, but choose carefully.
“Make sure that the person that you hire is actually well versed in security, and is not just someone off the street,” said Mitchell.
Ask to see the certifications of the individuals who would be working with you. Widely accepted certificates include CompTIA Security+; Certified Information Systems Security Professional (CISSP); Certified Information Security Manager (CISM); and Certified Ethical Hacker (CEH).
6. Get members involved.
If your member companies or organizations are large enough to have their own cybersecurity staff, consider asking them for help as you’re putting together your cybersecurity plan. Their internal experts might be able to review your current security status and make recommendations on how you can make improvements.
You can also ask if these members are willing to share their expertise with other members via conferences, webinars, educational sessions, etc.
7. Have a cyberattack response plan prepared.
Even if you’ve done everything possible to build a secure system, never assume that you’re safe from a cyberattack. “If you speak to any computer security officer, they will always tell you that you can never be 100% safe. So what you can do is plan for attacks, and plan to mitigate them as best as possible,” said Mitchell. It’s much better to do this ahead of time, when you can carefully think things through, rather than when you’ve lost access to your files.
If your association was hit by ransomware, for example, what steps would you need to take? Who would you need to contact (both people in the association and systems providers)? What data and files would be absolutely critical to your continued operations?
Backing up files is an essential part of mitigation planning. If cybercriminals encrypt your data in a ransomware attack, or even if your files are destroyed in some natural disaster, having offsite backups could enable your association to quickly resume operations. (The sad truth is that even if you pay the ransom, there’s no guarantee that you will ever gain access to those encrypted files again.)
“I normally recommend that people keep a set of offsite backups, and have multiple copies at different sites,” said Mitchell. If your files change frequently, plan on backing up every day or multiple times a day, and, to be on the safe side, back everything up every week as well.
Make a catalog of your data so you know where all your critical information is stored. Where are the files you’d need to resume operations? Where is personally identifiable information for employees and members stored?
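The backup and catalog advice above is easy to state and easy to get wrong in practice; the piece most often missing is proof that a copy is actually restorable. The following is an added example (not code from the article or from any organization it quotes) that ties the three ideas together: a catalog of critical data and where it lives, copies at more than one site with integrity digests stored beside them, and a daily-plus-weekly retention rule. The “sites” here are plain directories and the file names and contents are constructed; a real deployment would point the sites at offline or off-premises storage.

```python
"""Backup catalog, copy verification and retention (added example).

Assumptions: sites are local directories standing in for offsite storage;
DATA_CATALOG entries and file contents are constructed for the demo.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import date
from pathlib import Path

# Constructed catalog: what must be restorable, where it comes from, and
# whether it holds personally identifiable information.
DATA_CATALOG = [
    {"name": "members.csv", "system": "AMS export", "pii": True},
    {"name": "payroll.csv", "system": "finance", "pii": True},
    {"name": "bylaws.txt", "system": "document store", "pii": False},
]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source_dir: Path, sites: list[Path], snapshot: str) -> dict:
    """Copy every catalogued file to <site>/<snapshot>/ at each site and store
    a manifest of SHA-256 digests with each copy. Returns the manifest."""
    manifest = {"snapshot": snapshot, "files": {}}
    for entry in DATA_CATALOG:
        manifest["files"][entry["name"]] = sha256_of(source_dir / entry["name"])
    for site in sites:
        dest = site / snapshot
        dest.mkdir(parents=True, exist_ok=True)
        for name in manifest["files"]:
            shutil.copy2(source_dir / name, dest / name)
        (dest / "manifest.json").write_text(json.dumps(manifest))
    return manifest


def verify(site: Path, snapshot: str) -> list[str]:
    """Re-hash a snapshot's files against its manifest and return the names
    that are missing or altered; an empty list means the copy is restorable."""
    dest = site / snapshot
    manifest = json.loads((dest / "manifest.json").read_text())
    return [name for name, digest in manifest["files"].items()
            if not (dest / name).exists() or sha256_of(dest / name) != digest]


def snapshots_to_keep(snapshot_days, today, daily=7, weekly=4):
    """Retention over ISO date strings: keep every snapshot from the last
    `daily` days plus the latest snapshot of each ISO week for the `weekly`
    weeks before that. Anything else can be rotated out."""
    today_d = date.fromisoformat(today)
    keep, latest_in_week = set(), {}
    for s in snapshot_days:
        age = (today_d - date.fromisoformat(s)).days
        if 0 <= age < daily:
            keep.add(s)
        elif daily <= age < daily + 7 * weekly:
            week = date.fromisoformat(s).isocalendar()[:2]
            if week not in latest_in_week or s > latest_in_week[week]:
                latest_in_week[week] = s
    keep.update(latest_in_week.values())
    return sorted(keep)


def demo() -> dict:
    """Full cycle in a temp dir: back up to two sites, verify both, overwrite
    one copy the way ransomware would, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        live.mkdir()
        for entry in DATA_CATALOG:
            (live / entry["name"]).write_text(f"constructed contents of {entry['name']}\n")
        sites = [root / "site-a", root / "site-b"]
        backup(live, sites, "2024-03-31")
        before = [verify(site, "2024-03-31") for site in sites]
        (sites[0] / "2024-03-31" / "members.csv").write_bytes(b"\x00encrypted\x00")
        after = [verify(site, "2024-03-31") for site in sites]
        return {"before": before, "after": after,
                "pii_files": [e["name"] for e in DATA_CATALOG if e["pii"]]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(snapshots_to_keep([f"2024-03-{d:02d}" for d in range(1, 32)], "2024-03-31"))
```

The point of storing the manifest with each copy is that verification can run at the offsite location without touching the live system, so a tampered or silently corrupted copy is found on a schedule rather than on the day you need to restore. The retention rule mirrors the article’s daily-and-weekly cadence: thirty-one daily snapshots from March 2024 reduce to the last seven days plus one per week for the four weeks before.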
Neglecting to prepare a cyberattack response plan and make backup files can be catastrophic if you’re hit with a ransomware attack, Mitchell said. “A lot of organizations don’t have the funds to pay the ransom, and they don’t have the money to hire experts to clean up the damage.”
8. Review your cybersecurity coverage.
Not all insurance policies offer protection from cybersecurity attacks, and even those that do are reducing their limits due to the massive increase in ransomware attacks. Check with your agent to see what your coverages are.
If your insurance company does provide coverage, make sure that you’re complying with the policy’s requirements. Some insurers, for example, are insisting that the organizations they cover use two-factor authentication for logins to the computer network.
9. Make cybersecurity an ongoing concern.
When your staff is busy responding to emails or working on projects, they can get distracted and forget to follow the basic rules of cybersecurity. To keep this topic top of mind – and to remind them of the need to think carefully before they open any email or click on any link – consider working with an organization that regularly checks employee compliance with your cybersecurity rules. The company may send fake phishing emails, for example, to see who clicks on a link or opens a file that they should not have touched. That presents a good opportunity for education, and helps keep security top of mind.
Regular training and special events focused on cybersecurity for staff, volunteers and your general membership will help build good cybersecurity habits within your organization. Incorporate cybersecurity into any discussions about new programs or new features for members.
Look at all your activities through a cybersecurity lens. “When you’re looking to implement new systems or new IT plans or processes or software, definitely think about security as you’re evaluating them,” Goad advised. “Find out what the vendors have to say about security, and what their expertise is. What security processes that those organizations have implemented will have an impact on the association’s internal security as well.”
It can be overwhelming to think of all the cybercriminals out there waiting to grab your data. But it’s important to remember that most organizations are not affected by complex hacking.
“It’s the simple attacks that we see most, and you can cover 90% of your security by common sense,” Mitchell said. While the last 10% is a bit more challenging, paying attention to the basics of cybersecurity should go a long way in keeping your association cyber safe.