The Hidden Costs of Poor Cybersecurity Practices
A hacked system or phishing attack can be a huge financial setback for an association. So it’s important to train employees on what a security threat looks like—and to keep systems properly patched.
Cyberattacks on large companies are nothing new. Ransomware, data theft, and other attacks have become all too common in the news—and risks are even higher in the era of remote work, as connections and databases become less centralized.
But it’s not just the big guys facing problems. According to business insurer Hiscox, cleanup from cyberattacks costs businesses $200,000 on average for their largest single incident and $369,000 in total over a year [PDF], a bill that can put many organizations, especially smaller ones, out of business entirely.
Associations working in tight financial confines could feel the pain of a major cyberattack in similar ways.
With that in mind, the best way to avoid the high cost of cybercrime is to understand how your association can prevent an attack from happening in the first place. Here are a few considerations:
Improve employee training. Can all your employees tell the difference between a phishing email and a valid message? If not, your organization could pay the price. In recent months, such attacks have taken the form of fake login prompts impersonating popular apps such as Microsoft Teams and Zoom. A recent paper in the Journal of Computer Information Systems reports that proper cybersecurity awareness training is essential to preventing phishing threats, and is more likely to be effective than depending solely on technical controls. “Security safeguards alone will not protect a company from phishing scams,” said Dr. Mona Rashidirad of the University of Sussex Business School, a coauthor of the study, according to SC Media [registration].
Limit unauthorized access to servers. In the age of remote work, it’s all too easy for people to connect to a server they shouldn’t have access to. Associations hoping to prevent security problems should look at ways to block unauthorized server access. In recent comments to Associations Now, DelCor Senior Consultant Dan Brandt Lautman noted that multifactor authentication is one way to ensure that access is properly protected, especially at a time when remote logins are essential. “The absolute most important thing is to require multifactor authentication for all remote access, no exceptions,” Lautman said. Associations may also want to look into zero-trust architecture, which starts from the presumption that no connection is trusted by default, even one coming from inside the office network: every request must be authenticated and authorized before it is allowed through.
Understand the risks of insider threats. An insider threat is a security risk that originates with someone inside the organization, whether intentionally or not. While these threats can sometimes be malicious (say, a user stealing sensitive data), they’re often accidental: lapses in judgment that make outside attacks easier. In a prominent example earlier this year, Twitter suffered an attack that affected many of its celebrity users, in part because passwords to sensitive internal tools were freely shared on networks such as Slack, according to The New York Times. By training employees to recognize and report such lapses early, you can help prevent bad situations from becoming far worse.
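The credential-sharing problem described above can be checked for directly, not only through training. The following script is an added example, not code from the article or from the reporting on the Twitter incident: it scans an exported chat log for messages that look like they contain a password, a URL with embedded credentials, an AWS access key, or an API token. The JSON-lines export format, the patterns, and the sample messages are all constructed for the example; a real Slack export is laid out differently and would need its own loader.

```python
"""Credential-sharing scan over an exported chat log.

Added example, not code from the article or from the Twitter incident
report. The JSON-lines export format and the messages below are
constructed for the example; a real Slack export is laid out differently
and would need its own loader. Matches are truncated before reporting so
the scan output does not itself spread the secret.
"""
import json
import re

# Each pattern names a common way a credential ends up in chat. They are
# deliberately broad; expect to triage the output by hand.
CREDENTIAL_PATTERNS = [
    # "password: hunter2", "pw = hunter2", "the passwd is hunter2"
    ("password in text",
     re.compile(r"\b(?:password|passwd|pwd|pw)\b\s*(?:is|[:=])\s*\S+", re.IGNORECASE)),
    # user:secret embedded in a URL, e.g. https://svc:s3cret@host/path
    ("credentials in URL",
     re.compile(r"https?://[^\s/@:]+:[^\s/@]+@[^\s/]+", re.IGNORECASE)),
    # AWS access key ID format (case-sensitive)
    ("AWS access key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # long token following a keyword: "token: ghp_...", "api_key=..."
    ("API token",
     re.compile(r"\b(?:token|api[_-]?key|secret)\b\s*[:=]\s*[A-Za-z0-9_\-]{20,}", re.IGNORECASE)),
]

# Constructed sample export, one JSON message per line. The AWS key is the
# well-known placeholder from the AWS documentation, not a real credential.
SAMPLE_EXPORT = "\n".join([
    '{"user": "alice", "channel": "#ops", "text": "deploy finished, dashboards look fine"}',
    '{"user": "bob", "channel": "#support", "text": "the admin panel password is Tr0ub4dor&3, do not forward"}',
    '{"user": "carol", "channel": "#dev", "text": "use https://svc:s3cretPass@internal.example/api for now"}',
    '{"user": "dave", "channel": "#dev", "text": "AWS creds: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}',
    '{"user": "erin", "channel": "#random", "text": "pw reset link sent, check your inbox"}',
    '{"user": "frank", "channel": "#ops", "text": "token: ghp_abcdefghijklmnopqrstuvwxyz0123456789"}',
])


def redact(text, keep=10):
    """Keep only a short prefix so a finding can be located in the export
    without repeating the secret in the report."""
    return text if len(text) <= keep else text[:keep] + "..."


def scan_text(text):
    """Return the kinds of credential-looking content found in one message."""
    return [label for label, pattern in CREDENTIAL_PATTERNS if pattern.search(text)]


def scan_export(export):
    """Scan every message in a JSON-lines export; one finding per match."""
    findings = []
    for line in export.splitlines():
        if not line.strip():
            continue
        msg = json.loads(line)
        for label, pattern in CREDENTIAL_PATTERNS:
            for match in pattern.finditer(msg["text"]):
                findings.append({
                    "user": msg["user"],
                    "channel": msg["channel"],
                    "kind": label,
                    "sample": redact(match.group(0)),
                })
    return findings


def users_sharing_credentials(findings):
    """Distinct users who posted something that matched, for follow-up."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    results = scan_export(SAMPLE_EXPORT)
    for f in results:
        print(f"{f['channel']} {f['user']}: {f['kind']} ({f['sample']})")
    print("follow up with:", ", ".join(users_sharing_credentials(results)))
```

The patterns are tuned to flag rather than to be precise: “password is in the vault” will match, and a password pasted with no keyword nearby will not, so treat the output as a starting list for a conversation with the people involved, and rotate anything confirmed real. Note that the message about a “pw reset link” does not match, because the pattern requires an assignment-style separator after the keyword.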
Make sure infrastructure is updated frequently. Known, fixable vulnerabilities linger in working infrastructure if you don’t keep it updated. Even so, many organizations let patching slide. Recently, a study from Bitdefender [PDF] found that nearly 64 percent of organizations had unpatched vulnerabilities more than two years old. These are the very vulnerabilities outside attackers look for first, and failing to patch them promptly can damage your organization. So do your homework and be ready to patch systems on a regular schedule, on employees’ remote machines as well as in the server room.
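Knowing how far behind you are is the first step. The script below is an added example (not code from the article or from the Bitdefender study) that turns a host inventory into a patch-debt report: for each host it finds the oldest missing fix, lists the updates that are past the patch window for their severity, and reports how many hosts carry a fix that has been available for more than two years, the same measure the study cites. The inventory shape, the host and update names, the dates, and the patch windows are all constructed assumptions; in practice you would export the inventory from your patch-management or vulnerability-scanning tool and set the windows to match your own policy.

```python
"""Patch-debt report over a host inventory.

Added example, not code from the article or the Bitdefender study. The
inventory shape and the hosts, update names and dates below are constructed
for the example; in practice you would export them from your
patch-management or vulnerability-scanning tool.
"""
from datetime import date

TWO_YEARS_DAYS = 730

# Patch windows in days by severity. These are assumptions for the example;
# set them to match your own policy.
SLA_DAYS = {"critical": 14, "high": 30, "default": 90}

# Constructed inventory. "scanned" is when the host was last checked; each
# pending item records when the vendor published the fix and its severity.
INVENTORY = [
    {"host": "web-01", "scanned": date(2020, 10, 1), "pending": [
        {"update": "example-web-2020-09", "published": date(2020, 9, 8), "severity": "critical"},
    ]},
    {"host": "file-02", "scanned": date(2020, 10, 1), "pending": [
        {"update": "example-tls-2018-03", "published": date(2018, 3, 27), "severity": "high"},
        {"update": "example-kernel-2020-06", "published": date(2020, 6, 15), "severity": "high"},
    ]},
    {"host": "laptop-17", "scanned": date(2020, 10, 1), "pending": []},
    {"host": "db-03", "scanned": date(2020, 10, 1), "pending": [
        {"update": "example-smb-2017-03", "published": date(2017, 3, 14), "severity": "critical"},
    ]},
]


def pending_age_days(entry, item):
    """Days between the fix being published and the host's last scan."""
    return (entry["scanned"] - item["published"]).days


def oldest_pending_days(entry):
    """Age in days of the oldest missing patch on a host, or None if fully patched."""
    ages = [pending_age_days(entry, item) for item in entry["pending"]]
    return max(ages) if ages else None


def overdue_updates(entry, sla_days=SLA_DAYS):
    """Names of missing patches whose age exceeds the window for their severity."""
    overdue = []
    for item in entry["pending"]:
        window = sla_days.get(item["severity"], sla_days["default"])
        if pending_age_days(entry, item) > window:
            overdue.append(item["update"])
    return overdue


def fleet_summary(inventory):
    """Fleet-wide counts, including the share of hosts carrying a fix that
    has been available for more than two years."""
    hosts = len(inventory)
    with_pending = sum(1 for e in inventory if e["pending"])
    over_two_years = sum(
        1 for e in inventory if (oldest_pending_days(e) or 0) > TWO_YEARS_DAYS
    )
    return {
        "hosts": hosts,
        "with_pending": with_pending,
        "over_two_years": over_two_years,
        "share_over_two_years": over_two_years / hosts if hosts else 0.0,
    }


def report(inventory=INVENTORY):
    """Human-readable report, one line per host plus a fleet summary."""
    lines = []
    for entry in inventory:
        oldest = oldest_pending_days(entry)
        status = "up to date" if oldest is None else f"oldest missing fix is {oldest} days old"
        overdue = ", ".join(overdue_updates(entry)) or "none"
        lines.append(f"{entry['host']}: {status}; overdue: {overdue}")
    s = fleet_summary(inventory)
    lines.append(
        f"{s['over_two_years']}/{s['hosts']} hosts ({s['share_over_two_years']:.0%}) "
        f"have a fix outstanding for more than two years"
    )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

On the constructed inventory, two of the four hosts carry a fix that has been out for more than two years, which is the situation the Bitdefender figure describes. Run regularly against real data, the two-year count should trend to zero and the overdue list is the work queue for the next patch window.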
(Andrii Panchyk/iStock/Getty Images Plus)