The stakes are high for associations in regards to ransomware attacks—which have been rising in notoriety this year.
It’s hard to get away from ransomware these days—in no small part because of the outsize impact it can have on large organizations.
Given the data that associations have about their members and the stored data that’s vital to their continuity, associations need to pay attention to ransomware, even if it seems like something that happens to other organizations.
It’s a question of risk. Derek Symer, a partner at AHT Insurance and director of its nonprofit practice, says that in addition to presenting a financial problem (experts recently estimated that the worldwide cost of ransomware will top $265 billion by 2031, from about $20 billion this year), ransomware could be a significant deterrent for members concerned about protecting their sensitive data.
“Think of your membership,” he says. “These folks may not want their individual or corporate names associated with an association. Associations could have proprietary information about their members, competitors, an industry, or trade secrets that are sensitive. All of these risks are on the table in a ransomware attack.”
And the best way to handle risk is to mitigate it.
The Problem With Simply Reacting
One thing you should not do when mitigating risk: wait.
Some people may have an instinct to tackle ransomware issues as they occur, but Symer stresses that the scope of ransomware’s potential toll can’t be underplayed. Victims face significant costs that are both tangible—the literal cost of additional security, data restoration, and infrastructure upgrades—and intangible.
“People may need to work around-the-clock without sleep, which can exact a significant emotional toll,” Symer warns. “Strategic initiatives may be put on hold, and overall a ransomware attack will be a huge time drain. If this comes at membership renewal time or heading into a virtual conference, it could be costly, time-consuming, or worse.”
The recommended course of action is straightforward: plan ahead and budget for an attack. With that in mind, Symer says budgetary concerns must also be front of mind when discussing ransomware. He recommends that associations “be very thoughtful and analytical” about managing cybersecurity risks. That might mean more frequent backups or infrastructure upgrades.
“This can include the costs and benefits of things like cyberinsurance premiums and deductibles, as well as the spend on self-insurance and IT security costs,” Symer says. “The budget is the budget, but how these various factors impact the budget will be carefully weighed.”
Small Team Considerations
Of course, not every association is large enough to have a technology team to manage its infrastructure in a way that can help avoid ransomware issues. Associations in that position can lean on an outside vendor to help manage their technology needs.
Symer notes, however, that even security vendors are having ransomware issues at this time, so it’s important that executives understand the issues at play.
“There’s no magic wand,” he says. ”Any executive or board member today, even without a formal IT background, should be able to understand IT fundamentals, ask questions, and get answers. How are we protected? Is our cyber coverage adequate? How does our security posture compare to our peers’? Senior leadership and the board must be engaged on this.”
Prepare Your Teams
Nobody wants to have to resolve a ransomware attack, but developing a strategy in advance will save time and money down the line. Consider going through an exercise to figure out how your organization would respond to an attack—including whether your organization would be willing or able to pay a ransom.
“A tabletop ‘war room’ exercise with a ransomware scenario is a great mechanism to give you the proactive chance to think through exactly how you would respond if the worst case presents itself,” Symer says.
He also recommends that associations review their insurance policies, which probably already offer access to information on phishing, security awareness, and password education.
“Many folks need to better understand what free resources are available, tucked into insurance policies they are already paying for,” he says.
Symer emphasizes the importance of employees sounding the alarm on issues that could lead to a ransomware attack—and says that training people to spot the signs of an invasion is critical.
“Employees are truly the last line of defense,” he says. “Like in soccer, a strong back line will keep the ball safely away from the goal. If employees are educated and trained in common phishing attack vectors, basic security awareness trends, your whole organization will be safer and better off.”