Most association leaders take cybersecurity seriously, but few feel confident that they know how to analyze and address cyber risks. To heighten your cybersecurity awareness and bolster your protection against a breach, experts recommend three practical steps: train staff to identify attacks, assess your IT systems’ risk level, and develop a response plan for a probably inevitable intrusion.
Yahoo, eBay, Equifax, Target, Home Depot. When you hear these names together, there’s a good chance you think of one thing: data breaches.
In the last five years, each of these companies fell victim to cyber incidents, representing some of the largest breaches in history. Breaches of this scale can result in millions in lost revenue and fines, not to mention a big hit to consumer confidence and trust, which may be costlier.
It’s not just Fortune 500 companies that are susceptible to breaches. Nonprofits, including associations, can also find themselves in the crosshairs of targeted attacks. And that means organizations need to be ready.
“I believe cyber awareness is the essential thing,” says Darrell Poe, senior vice president and chief information officer at the National Association of Broadcasters (NAB). “I think we started on the defensive, and now we are quickly pivoting to the offensive.”
Still, many associations are unprepared to handle threats that grow more sophisticated and numerous by the day. Most CEOs and boards are persuaded that they need to take exposure to cyber risks seriously, but that knowledge doesn’t always translate to necessary action.
ASAE Foundation research indicates that too often cybersecurity is considered an IT problem, not an organizational one. Poe and others are working to change that thinking, making cybersecurity everyone’s responsibility.
In 2014, NAB faced numerous cyber threats that required a mindset shift focusing on cyber awareness. The organization was in the middle of a cloud migration, which moved email to Microsoft’s Office 365.
“At that time, Microsoft was still a little bit in its infancy with some of the security tools that it brought to the table,” Poe says. “We began to see a lot of social engineering and malware attempts. We saw regular phishing attempts, and the volume of it just went way up.”
In a so-called phishing email attack, a message is designed to look like it is coming from a trusted or verified source—a colleague, friend, family member, or frequently used company or service. In fact, it’s a hacker’s attempt to leverage what it knows about you through social-engineered data—personal information gathered from your digital footprint, including social networks—to trick you into clicking a link or downloading an attachment with malware.
Targeted cyberattacks rose by 10 percent in the last year, according to Symantec’s 2018 Internet Security Threat Report. The goal in most cases (90 percent) was to steal data. Phishing is one of the most common methods—71 percent of targeted attackers use it.
That trend has led to some interesting self-defense strategies. “It’s gotten to a point now where we are phishing our own staff. We’re basically wearing a white hat here,” Poe says, using the industry’s term for testing one’s own system vulnerabilities. “We have to act like the bad guys to see what our staff is doing and to see just how prone we are.”
1. Feign and Train
Many associations are using the white-hat approach to better understand their cybersecurity risks and to identify staff training needs.
At NAB, “we continue that process of phishing, training, and gauging,” Poe says. “It’s a rinse-and-repeat process.” The results have been good: After its Microsoft Office 365 migration, NAB had a baseline risk score for phishing attacks of 35 to 40 percent. Two years later, its risk level had declined to 5 to 9 percent.
Heinan Landa, founder of the IT firm Optimal Networks, likes to remind clients that human error, not technology, is the most likely cause of a data breach. That requires a renewed focus on year-round training.
“Traditionally, that training consisted of a once-a-year meeting about security protocols,” Landa says. “That’s not effective anymore.” In addition to providing annual training, the IT team should send all staff a monthly email update that discusses new or emerging threats.
“Get in the habit of communicating about threats,” he says. “It could be information on a certain type of phishing campaign that’s going around, or a reminder on how to handle phishing campaigns, or just some type of tip or trick.”
Landa recommends running white-hat simulated attacks once per quarter. “I’m embarrassed to say that even I’ve been caught. Remember that everyone inside your organization, including IT professionals, should be tested,” he says.
And when some staff members take the bait, be sure to counter their mistakes with an immediate lesson: Typically, in a simulated phishing attack, instead of malware loading onto the computer, an instructional video plays to reinforce learning.
There are business ways to respond and technical ways to respond.
2. Assess Risk
No matter how heightened your team’s cyber awareness, if your association doesn’t have its IT systems and networks buttoned up, then you’re putting your organization at risk.
“Most [organizations] probably have an outside or internal association management system, a distance learning system, event registration—everything runs through connected systems,” says Len Murphy, vice president and general counsel of the Property and Liability Resource Bureau (PLRB). “That puts a big target on the computer systems.”
And it makes risk assessment a critical piece of an organization’s cybersecurity plan. This year, PLRB undertook an organization-wide effort to gauge its exposure, enlisting the help of a cybersecurity firm. The review looked at everything from password strength for user logins, including the use of multifactor authentication, to more stringent security measures like encryption for extremely sensitive data.
“The audit came with recommendations and an overall rating,” Murphy says. “We did not receive passing scores on everything, but a lot of things we could do were implemented right away.” One step was to close old user accounts of retired and former employees, which could serve as undetected entry points for cyber criminals.
The findings were presented to the board of directors, which is where cybersecurity initiatives should begin, Murphy says. “It got us to the point of reviewing our business continuity plan more frequently and formally,” he says. “We also made individual leaders responsible for each cyber initiative. It didn’t just fall on IT.”
As a next step, PLRB is considering a system-wide vulnerability test, or “wargaming exercise,” Murphy says. By simulating a variety of cyber attacks, the organization will evaluate its exposure to major incidents.
3. Be Response-Ready
Even with staff training and secure systems in place, organizations must assume that a cyberattack will eventually happen.
“An organization’s ability to respond in a timely way to an incident matters,” says James Stanger, chief technology evangelist at the Computing Technology Industry Association (CompTIA). “Incident response planning is very important from a risk management standpoint because you have to ask: What are the most critical services? Who will respond when something goes down? And how long can it go down for?”
For systems that contain personally identifiable information, like member or customer data, your plan should include protocols not only for how your organization will recover but also for how it will notify and minimize risk to affected parties.
“All of the IT in the world may not be able to protect you from this eventuality,” Stanger says. “So, the plan prepares you to ask questions like: Do we need an insurance company to come in and write a policy that will help us recover financially? Keep in mind, there are business ways to respond and technical ways to respond.”
Simulation exercises come in handy again for crafting the technical response. CompTIA uses a simulated exercise that pits penetration testers—the “red team”—against intrusion detection analysts—the “blue team.” The analysts on the blue team look at everything from server and firewall logs to data sources and traffic. “My favorite analogy for the blue team is that if you go hiking, you need to dress for the occasion,” Stanger says. “The blue team looks at the conditions of the network and sees where they can best apply controls.” Meanwhile, the red team determines where controls and safeguards are weakest.
The exercise produces key learnings about vulnerabilities that CompTIA’s executive team uses to update its risk management strategy periodically as the threat landscape changes. Built into this strategy is an incident response plan for when the inevitable breach occurs.
Every organization should adopt the blue team vs. red team mentality, even if they don’t have the resources to conduct an elaborate simulation, Stanger says.
“Even if you have one security person and one IT person, you can train each of those people to take on the red and blue team roles,” he says. Or you can hire a consultant to provide the service.
Regardless of size, every association needs to balance upfront cybersecurity costs against the potential for lost business revenue—and damaged member and customer trust—associated with a system-wide failure.
“It’s not so much about stopping the hacker at this point,” Stanger says. “It’s about saying: When it happens, how bad will it be?”