Butler Cooper attended the Mid-Atlantic Society of Association Executives (MASAE) annual meeting in December and summrized the breakout session from Brandon Cavanaugh and Christopher Sanders (CYGRU).
This presentation focused on the current and future cyber threat landscape and provided strategies that associations can utilize to protect their members’ data. More than 80% of U.S. companies have been hacked and small companies, that have fewer than 1,000 employees, are most vulnerable. Associations can take the following actions to secure their members’ data and reduce the threat of cyber-attacks:
- Identify what is at risk (data and systems) – Associations must review their files to determine what information is most sensitive and could compromise the organization if accessed by hackers. Association staff should avoid saving personal data (email addresses, usernames, passwords) in shared spreadsheets. If data must be stored, it should be protected by a complex password. Association staff should avoid sending any information in emails that they would not published on the front page of the New York Times (“Newspaper Test”). Associations should follow all applicable laws and regulations regarding credit card data, PII, PCI compliance, etc.
- Assess security of systems – Association staff should challenge their IT staff, technology vendors, and venues to demonstrate security measures. For more in-depth testing, a third-party security firm/professional can be contracted to provide an independent assessment. Most contractors can perform entire review remotely.
- Continuous system hygiene – Cyber security is a continuous process. Associations can take the following steps to strengthen their data security:
- Application whitelisting – IT administrators can limit access to an association’s network to trusted applications. If an application is not whitelisted, it will not be allowed to run.
- Operating system and application patches – Association staff should make sure that the latest patches or system upgrades are installed to ensure bugs and security vulnerabilities have been fixed.
- Restrict admin privileges – Associations can protect their network by reducing the number of users with administrative access. For example, requiring admin authorization to download new programs to association computers can prevent malware.
- Web and email filtering – Programs can be used to screen incoming web pages and emails to determine if there is a security threat.
- Strong password policy – Associations can require staff to use strong passwords, password managers, and/or two-factor authentication
- People, process, and technology – Association professionals must understand that there is no technology “silver-bullet.” Expensive solutions are not always the best remedy. Instead, staff should challenge their IT staff and vendors to become security problem-solvers. Non-IT staff should be trained/educated regarding security best practices.
- Get ready to be hacked – Associations can prepare for security breaches by drafting an incident response plan, including messaging to members and to the public. Cyber insurance and contingency vendors can also be utilized to hedge against risk. Most importantly, all critical data should be regularly backed up offline.