The best I can advise my fellow association folks is to do everything you can to secure your website.
Lessons from a cyberattack.
One Sunday in late January, Dave Grulke got an email that no organizational leader wants to receive. That morning, before heading out of town for a tradeshow in Las Vegas, Grulke, executive director of the Cabinet Makers Association, discovered that the group’s website had been hacked and would be shut down indefinitely.
In the email from CMA’s web host, Grulke learned that malicious code had been attached to several dozen of the core files that operated cabinetmakers.org—a breach that sparked a nearly three-day ordeal to get the site back up and running.
“I felt violated,” says Grulke. “It’s not a lot different from someone breaking into your home or into your car.”
From the large-scale data breach that exposed the personal information of millions of Target customers to the more recent cyberattack on Sony Pictures, hacks seem less and less an anomaly and more a matter of course for anyone operating on the internet.
“It’s not an ‘if’; it’s a ‘when,’” says Grulke, who is fully expecting CMA will get hacked again in the future.
Fortunately for CMA, the association didn’t have sensitive member information stored on its website. “The worst anybody could steal would be name, address, and telephone information that they could probably get anyplace else on the web,” says Grulke. He hasn’t heard from any members or website visitors whose computers were subsequently infected after they visited CMA’s site.
The biggest headache was getting the site back online. With no IT staff, Grulke turned to the web developers who created the site to help fix the problem. They suggested using a service provided by the web host to disinfect the site, but what was expected to take 24 to 48 hours instead took closer to 60 because of the complexity of the attack.
“Aside from losing two days’ worth of stuff and [missing out on] promotions and directing people to the website, which caused us a little bit of angst, we were uncomfortably down for 60 hours, not knowing what to expect next,” Grulke says.
Grulke says he’s unsure if CMA will ever determine the identity of the hackers. The association beefed up its security measures with additional software—something Grulke encourages other associations not to be lax about. “The best I can advise my fellow association folks is to do everything you can to secure your website and stay up to date on whatever security issues or security programming you have in place,” he says.