It's every organization's nightmare: discovering that your network and member data have been compromised. Whether sensitive member records are disclosed, credit and debit card information is stolen, IT systems are taken out of service, or any other cybersecurity incident occurs, the threat is all too real.
Cybersecurity should be of critical concern for trade and professional associations today. The increasing use of mobile devices and mobile platforms (tablets, iPads, etc.) amplifies existing vulnerabilities and creates new ones. Hackers are becoming more sophisticated and better at targeting their attacks. In a large percentage of cases, it takes victims weeks to discover an intrusion and, often, the tip-off comes from an external rather than an internal source.
However you crunch the numbers, the cost of a breach is painfully high. According to a Ponemon study, the average cost of a corporate data breach increased 15 percent in the last year to $3.5 million. Compounding this is the reputational cost to your brand or the mistrust created in the minds of your membership, your employees, and your partners.
If there is a silver lining, it's that nearly all breaches are due to factors within your control: weak infrastructure, poor end-user judgment, third-party vendor vulnerabilities, and technology advances such as mobile and cloud use. Therefore, with proper strategies for controlling these factors, you can avoid the breaches.
Rather than hope your organization won't be the target of cyberattacks, assume it will. Then consider the following steps to ensure you have good controls in place to quickly detect a breach and ideally prevent falling prey to it.
Assess your risk
It's difficult to put controls in place if you haven't identified the specific assets you must protect. For most organizations, information assets will fall into four categories: data, applications, infrastructure, and vendor resources.
A house (un)divided begins with a framework
Security
Securing your network and infrastructure is like dressing in layers for a day outdoors in rapidly changing weather, or like peeling an onion, since threats and vulnerabilities come from all directions, internally as well as externally.
Layers should include data classification (public vs. confidential, sensitive or private), perimeter security (firewalls, intrusion prevention/detection systems), wireless security, authentication, encryption, anti-virus detection, patch management, remote access, and network monitoring.
- Data classification – public and confidential (sensitive/private)
- Perimeter security – firewalls, IDS/IPS
- Wireless security – SSID, encryption, changing default passwords
- Authentication – users and passwords
- Encryption – connectivity and storage
- Patch management
- Remote access
- Network monitoring
- Annual testing – external and internal penetration testing
Strengthen user awareness
Your IT security is only as strong as its weakest link and, often, that weak link is your employees. It only takes one unaware staff member to unintentionally jeopardize your whole system by doing something apparently innocuous: clicking a link in a seemingly legitimate email, downloading a file, or using an easy-to-crack password.
If you don't already have a security awareness program in place, consider implementing one. Include regular auditing and testing to ensure employees are applying what they've learned in training to their day-to-day interactions with your IT system. Look to innovative training methods and reward systems that reinforce desired practices.