Today’s Threat Landscape: What Associations Need to Know
Diligence, documentation, and accountability can make your association less vulnerable to today’s evolving online security and privacy concerns.
By Amanda DeLuke, Security Analyst—Assurance, Higher Logic
The online security and privacy space is complex, nuanced, and always evolving. But there’s an unwavering truth that executives should always remember: It only takes one.
Make one cybersecurity mistake, and adversaries could take control of your network. Receive one privacy complaint, and the authorities may come knocking. Fail to educate one employee on the dangers of phishing emails, and malicious software could make its way into your IT environment.
Putting risks like these into perspective is extremely important considering the devastating impacts of today’s cyberattacks. Currently, the average cost of a data breach in the U.S. is $9.4 million—more than double the global average of $4.4 million. These costs stem from several sources, including mitigation efforts, reputational damage, legal counsel, fines, customer turnover, and reduced productivity.
Unfortunately, cybercriminals are only getting smarter. Today, they’re leveraging tools like machine learning and artificial intelligence to automate attacks at scale—an alarming prospect considering the potential impact of just one mistake.
It’s important to remember that these attacks aren’t limited to sprawling corporations. The association space is equally vulnerable; in fact, smaller associations are often seen as low-hanging fruit in that their systems may be easier to infiltrate.
For example, attackers often target smaller businesses and associations with business email compromise (BEC) attacks. These financially damaging attacks use email to manipulate victims toward a goal, such as transferring funds. They’re structured like chess games in that adversaries are frequently four or five steps ahead, having already researched the organization and primed their victims before the first message arrives.
In such an attack, a scammer might compromise or spoof an email address to request confidential information, such as an employee’s cell phone number. The attacker might then send a text message to the employee that appears to be from a trusted association official.
The text message could be used to convince the victim to complete a reimbursable business transaction, like buying multiple gift cards for an internal contest, scratching off code labels, and sending photos of the cards back to the scammer. By the time the victim realizes they’ve been scammed, the cybercriminal has already secured the funds.
What You Can Do
While attack methods are constantly evolving, the common denominator is that they seek to exploit human nature—making an association’s online community a desirable target.
While best-of-breed software providers play a large part in protecting associations and their members through strict security controls, risk management programs, third-party audits, and vulnerability scans, it’s also essential to educate users and members on privacy policies, rules of use, and popular/emerging online scams. To that end, associations should focus on three areas of concern:
- Diligence. Smaller associations may not have a chief information security or privacy officer on staff, but they’re still expected to perform their due diligence. If an incident does occur, association executives need to demonstrate that they understand the full scope of the sensitive information their association handles and have worked to meet cybersecurity standards in accordance with laws and regulations in applicable jurisdictions. For example, if you’re handling data from members in the EU, consult your lawyer to make sure you’re adhering to General Data Protection Regulation (GDPR) requirements. Data privacy and spam compliance are other important legal considerations.
- Documentation. Association executives should carefully document the ways in which they performed their due diligence. Be sure to keep records such as proof of consent for processing members’ personal data, internal security procedures, and privacy policies, among other items. Ensure you’re transparent with members about how you’re processing their data and whether third parties may access it.
- Accountability. Can you prove that you’ve taken the actions outlined in your documentation? Did you ensure your members and staff are educated on policies and procedures? Association executives should be able to prove that they’ve followed the requirements outlined in their documentation.
Other Best Practices
The best way to run a secure and private online community is to scrutinize your environment as if it were already under attack: assume an adversary has a foothold somewhere, and ask what they could reach from there.
Knowing that attackers target login credentials, require staff and members to use long, unique passwords (a passphrase kept in a password manager is far stronger than a short password padded with symbols), and require a change only when a password may have been exposed. Current guidance from NIST (SP 800-63B) advises against forced periodic rotation and arbitrary complexity rules, which push people toward predictable patterns; screening new passwords against lists of common and previously breached passwords is the more effective control. Login methods like single sign-on (SSO) allow users to access multiple services and applications with one centralized login, reducing the number of passwords in circulation and making it easier for IT to enforce one consistent policy; because the identity provider then becomes the single point of compromise, it must be the best-protected system you run. Multi-factor authentication (MFA) makes a stolen password far less useful by requiring two or more independent factors (something the user knows, has, or is) to verify identity; an authenticator app or hardware security key is stronger than codes sent by SMS, which can be intercepted or redirected through SIM swapping.
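As an added illustration (example code written for this edit, not Higher Logic’s software or anything the author describes), the following Python shows the two login controls above in working form: a password-acceptance check that follows the NIST SP 800-63B approach (length plus a breached-password screen, with no composition rules and no expiry), and a TOTP verifier of the kind behind an authenticator app, including the small clock-skew window a real verifier needs. The breached-password list is a constructed sample standing in for a full corpus, and the secret used in the usage section is the published RFC 6238 test vector.

```python
"""Added example: NIST-style password acceptance plus RFC 6238 TOTP verification.

Not Higher Logic's code. BREACHED_PASSWORDS is a constructed sample; a real
deployment would screen against a full breached-password corpus.
"""
import base64
import hashlib
import hmac
import struct
import unicodedata
from typing import List

# Constructed sample of common/breached passwords (stand-in for a real corpus).
BREACHED_PASSWORDS = {
    "password", "password123", "123456", "qwerty", "letmein",
    "welcome1", "association2023",
}

MIN_LENGTH = 8   # SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 64  # SP 800-63B: accept at least 64 characters


def check_password(candidate: str, username: str, org_name: str) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent: "must contain a digit/symbol" rules and any expiry,
    both of which SP 800-63B advises against. Spaces and Unicode are allowed;
    the candidate is NFKC-normalized so the same passphrase typed on
    different keyboards compares equal.
    """
    pw = unicodedata.normalize("NFKC", candidate)
    lowered = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BREACHED_PASSWORDS:
        problems.append("appears in breached/common password list")
    if len(set(lowered)) <= 2:  # e.g. "aaaaaaaa" or "abababab"
        problems.append("repetitive")
    # Context-specific words (username, organization) are easy guesses.
    for ctx in (username, org_name):
        if ctx and len(ctx) >= 4 and ctx.lower() in lowered:
            problems.append(f"contains context-specific word {ctx!r}")
    return problems


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the shared secret as Base32 (e.g. in a QR code)."""
    return base64.b32decode(encoded.upper())


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1 + dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP with the counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or `window` steps either side
    (phone clocks drift), comparing in constant time so a wrong guess leaks
    no timing information. Replay protection is left to the caller."""
    for skew in range(-window, window + 1):
        expected = totp(secret, unix_time + skew * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    print(check_password("password123", "amanda", "Higher Logic"))
    print(check_password("correct horse battery staple", "amanda", "Higher Logic"))
    # RFC 6238 test secret ("12345678901234567890" in Base32).
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(key, 59), verify_totp(key, totp(key, 59), 89))
```

In production the caller would also record each accepted code per user and refuse it a second time within the window (otherwise a code captured by a phishing page can be replayed), and rate-limit verification attempts so the six-digit space cannot be brute-forced.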
If you’re onboarding a new member, it’s a good idea to run their posts and comments through a moderation queue of some sort. Or, if you discover an emerging threat centered on downloading email attachments, consider allowing members to post links to legitimate URLs rather than attachments. A simple list of community dos and don’ts goes a long way. Remember: It only takes one mistake to put your association in an extremely vulnerable position.
Amanda DeLuke, CIPM, is a security assurance analyst at Higher Logic and certified in privacy management. Her deliverability expertise turned into a curiosity and passion for all things privacy and security. She is a program chair for M3AAWG (the Messaging, Malware and Mobile Anti-Abuse Working Group) and a member of the International Association of Privacy Professionals (IAPP). While she’s not busy at work, she is a mom to identical twin boys and a volunteer mentor and cycling coach for young girls.
Higher Logic Thrive is a member experience solution that provides a powerful but simple approach to community, marketing, and member engagement. For more information on how Higher Logic’s years of experience, research, and feedback can solve your challenges, visit thrive.higherlogic.com.