Protect Your Association Amid Growing Concerns of Russian Cyberattacks
Government officials recently urged organizations to remain vigilant against Russian cyberattacks, especially following the economic sanctions imposed by the U.S. and its allies. Two experts explain what types of attacks are likely, what protections to put in place now, and how to respond if you do experience a cyberattack.
The government has advised businesses to prepare for possible Russian cyberattacks in retaliation for U.S. sanctions over Russia's invasion of Ukraine. Since associations are also vulnerable to cyberattacks, two experts explained what types of attacks might be on the horizon, how to tighten up your cybersecurity efforts immediately, and what to do if your group finds itself the victim of a cybercrime.
Most Common Attacks
One area of concern is ransomware attacks, where a hacker breaks into your system, encrypts all your data, and demands a ransom to get it back.
“They say, ‘If you don’t pay me $150,000 in the next three days in Bitcoin, I’m going to make public all that data I stole,’” said Jonathan Roy, director of security and compliance at designDATA. “Your reputation will be ruined. Your members won’t want to renew. That’s a scary proposition.”
Another type of attack seeks access to your systems, for one of two purposes: to steal money, or to steal information that can then be used to gain access elsewhere.
James Stanger, CompTIA’s chief technology evangelist, said associations that interface with government servers because of contracts they have or those with government personnel data might be targeted.
“You’re only as strong as your weakest link,” Stanger said. “[Hackers] may say, ‘We can hack into a government agency through any of their partnerships.’ Or, if they can get a hold of a seemingly innocuous database that includes member data for high-level government workers. All associations need to evaluate their most sensitive and important data and think widely of its impact.”
For organizations with no links to the government, hackers may try to gain credential information for staff to steal money. “Let’s say I’m the chief financial officer, and they compromise my company email address,” Roy said. “Maybe they’ll use my email to do a password reset on the [association] bank account. Then they can log in, issue themselves new lines of credit, make transactions, etc.”
Another type of attack is a distributed denial of service (DDoS) attack, in which hackers co-opt an association's own servers to help flood other targets with traffic. “We’ve seen this where companies had no idea that they were participants in a DDOS attack, because they had misconfigured their routers or hadn’t taken certain steps,” Stanger said.
Steps to Take Now
Avoiding these attacks starts with protecting one of the easiest routes of entry: staff error. Ensure staff are trained on security measures—like not opening unknown email attachments.
“End-user education is really important,” Stanger said. “I’ve seen in recent days, where organizations sent emails that said, ‘Due to the issues going on, remember your end-user training. Here’s another link that you can bone up on. And at the end of the day, reboot your PC.’” Stanger noted that it’s important to reboot so that automatic updates are installed.
Another step to take is to implement two-factor authentication, which requires more than just a password to access systems.
It’s also important for associations to back up data in a way that the backups can’t be reached, even if a hacker successfully infiltrates your system. This is crucial in the event of a ransomware attack. “If they encrypt your data and destroy your backups, you’re sunk,” Roy said. “Imagine you lose your membership database, you lose your financial records, and you have no backups of anything. How do you even continue as an organization?”
In addition, associations should share information related to cyberattacks. “The idea is that these organizations can share information about attacks that are coming at them, so that they can all make sure that they are protecting each other,” Stanger said. For example, given growing concerns around cyberattacks, CompTIA has a sharing forum it has opened to the public.
Finally, if an association has a cyber insurance policy, both Roy and Stanger say now is the time to go through it and make sure the association is meeting all of the policy's compliance requirements. Those requirements double as a good checklist of protections that give your organization a better chance of avoiding a bad outcome.
“More than likely, you will have raised the bar enough that a potential attacker will say, ‘I’ll go after someone else who doesn’t have their ducks in a row,’” Stanger said.
What to Do If You’re Attacked
If your association is a victim of a cyberattack, it’s important to have a plan.
“I suggest you have a written plan,” Roy said. “Practice that incident response plan so you will be much more thoroughly prepared.”
Some questions to answer in your plan: Under what conditions would you pay a ransom? Who in law enforcement do you contact? What is the general policy on telling your members about breaches?
Keep in mind that many states have their own laws detailing what must happen after a data breach. For example, you might need to notify the attorneys general of the states in which your members reside, because that is what those states' laws require.
If hackers are demanding a ransom, Roy said to remember that paying the ransom won’t always get your data back. “Some cyber criminals are technically not very proficient,” Roy said. “They know how to encrypt your data and they know how to accept payment, but they don’t know how to unencrypt it. So, you pay the money and then get nothing back.”
Cyber criminals also aren’t trustworthy, so some will take the money and then, believing they’ve found a golden goose, demand a second or third payment. That’s why having a good data backup strategy in place is crucial, Roy said, so you can avoid paying.
Finally, Stanger notes that you need alternative ways to communicate, depending on what systems were compromised. “If you got hacked via email, be ready [to communicate with staff via] a phone call or a text, something that is a different form of communication,” Stanger said. “Have a plan B.”