May 12, 2015 | Article

It's every organization's nightmare, discovering your network and member data have been compromised. Whether sensitive member records are disclosed, credit and debit card information is stolen, IT systems are out of service, or any other cybersecurity incident, the threat is all too real.

Cybersecurity should be of critical concern for trade and professional associations today. The increasing use of mobile devices and mobile platforms (tablets, iPads, etc.) amplifies and creates new vulnerabilities. Hackers are becoming more sophisticated and better at targeting their attacks. In a large percentage of cases, it takes victims weeks to discover an intrusion and, often, the tip-off comes from an external, rather than internal, source.

However you crunch the numbers, the cost of a breach is painfully high. According to a Ponemon study, the average cost of a corporate data breach increased 15 percent in the last year to $3.5 million. Compounding this is the reputational cost to your brand or the mistrust created in the minds of your membership, your employees, and your partners.

If there is a silver lining, it's that nearly all breaches are due to factors within your control — weak infrastructure, poor end-user judgment, third-party vendor vulnerabilities, and technology advances, such as mobile and cloud use. Therefore, with proper strategies to control these factors, you can avoid such breaches.

Rather than hope your organization won't be the target of cyberattacks, assume it will. Then consider the following steps to ensure you have good controls in place to quickly detect a breach and ideally prevent falling prey to it. 

Assess your risk

It's difficult to put controls in place if you haven’t identified the specific assets you must protect. For most organizations, information assets will fall into four categories: data, applications, infrastructure, and vendor resources.

[Chart: the different ways to assess cybersecurity risk]

For each asset category, determine criticality. Identify all the confidential, sensitive, or personal data residing on your network or with a vendor — member payment card information, employee social security numbers and home addresses, for example — and decide which requires a higher degree of protection. What are the dependencies, functions, and impact of the applications you use? What are the function and complexity of the infrastructure in place, both internally and with your vendors?

Evaluate the probability of an attack and factor in the impact to your organization in order to understand your inherent risk. The controls you have, and continue to put in place, lower that risk; what remains is your residual risk. Once you have evaluated the cybersecurity threats to each category of information and assessed your controls, your organization will know where to focus its efforts to reduce security compromises. The completed risk assessment also gives the organization a road map of the areas where security needs to be improved and highlights where it is relying on people, processes, and technology for information security-related controls.

A house (un)divided begins with a framework

[Infographic: the framework of an effective cybersecurity system]
 
An alphabet soup of frameworks exist for creating controls and managing IT security: NIST, COBIT, HITRUST CSF, ISO/IEC, to name only a few. Your industry, location, product and service offerings, risk and threat profiles, and history of prior security events all will influence which framework your organization follows.
 
When clients ask us about cybersecurity, we use the analogy of a house, one that incorporates common themes among the various frameworks. People, processes, and technology comprise the triad of controls supporting prevention, protection, detection, response, and recovery. Together, those controls ensure your organization handles data in ways that maintain the four pillars of information security: data confidentiality, integrity, availability, and compliance.
 
Underlying the pillars is your foundation: IT security policies and procedures and designated security funding. While not an insignificant cost, the price of not making security a separate line item in your budget and funding it adequately is likely much higher as evidenced in recent cyberattacks. It's not only your data; you're also responsible for data belonging to your members, employees, and partners, and that impacts the reputation and credibility of the brand you're trying to protect.
 
Finally, someone has to own the house. Technology leaders should designate a security officer. The roles of this individual (or group) can vary, from approval of all system configurations to review of and response to security alerts. Don't have a full-time employee dedicated to security? A board or audit committee charter that supports the role is a good start.

Security

Securing your network and infrastructure is like dressing in layers for a day outdoors in rapidly changing weather, or like peeling an onion, since threats and vulnerabilities come from all directions, internally as well as externally.
 
Layers should include data classification (public vs. confidential, sensitive or private), perimeter security (firewalls, intrusion prevention/detection systems), wireless security, authentication, encryption, anti-virus detection, patch management, remote access, and network monitoring.

Monitoring should be ongoing – weekly or monthly – and, in addition, you should have an independent annual assessment to validate your practices and findings and to confirm that your organization has strong controls in place.

1. Data classification – public and confidential (sensitive/private)
2. Perimeter security – firewalls, IDS/IPS
3. Wireless security – SSID, encryption, default passwords
4. Authentication – users and passwords
5. Encryption – connectivity and storage
6. Anti-virus
7. Patch management
8. Remote access
9. Network monitoring
10. Annual testing – external and internal penetration testing

Strengthen user awareness

Your IT security is only as strong as its weakest link and, often, that weak link is your employees. It only takes one unaware staff member to unintentionally jeopardize your whole system by doing something apparently innocuous: clicking a link in a seemingly legitimate email, downloading a file, or using an easy-to-crack password.
 
If you don't already have a security awareness program in place, consider implementing one. Include regular auditing and testing to ensure employees are applying what they've learned in training to their day-to-day interactions with your IT system. Look to innovative training methods and reward systems that reinforce desired practices.
 
Consider all the parties to whom your organization grants access: full-time employees, part-time employees, contractors and vendors, customers, members, and visitors. For each, consider what access you're granting and how you are granting and removing it. Also, look at how your organization currently monitors access. Do you look at user access logs only when an issue is noted, or do you conduct real-time system-wide monitoring to detect unauthorized access and use?

Conduct due diligence with vendors

In the rush to get problems solved and new applications up and running, it's tempting to skip key parts of the due diligence process. But better to take time on the front end than pay for it later with a breach.
 
Check the references vendors provide and conduct background checks of company principals (employment, criminal, financial, etc.). Look at the company's internal controls environment, security history, and SOC (Service Organization Control) reports. Check for litigation or regulatory actions. Ask for proof of insurance coverage, and ensure coverage is adequate. Confirm that the vendor can meet disaster recovery and business continuity requirements and that it has the financial stability to maintain security and available resources.
 
In addition, deploy a secure remote access solution for both employees and vendors, and control it in-house. Each vendor should be granted unique access credentials.
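The two monitoring questions raised above (whether access logs are reviewed only after an issue is noticed, and whether each vendor really holds unique credentials) can be turned into a routine log review. The script below is an added example, not code from the original article or its author. It uses a constructed log format (timestamp, user, source address, outcome) and a constructed list of authorized accounts; the parser is the part you would adapt to your own systems. It surfaces three patterns a monitoring process should catch: successful logins by accounts no longer on the authorized list, bursts of failed logins, and a single account used from different addresses within minutes, which is how a shared vendor credential shows up in the logs.

```python
"""Routine access-log review: flag patterns that warrant follow-up.

Added example for this article; the log format, sample lines, thresholds
and authorized-user list below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> user=<name> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2015-05-11T08:02:10 user=jsmith src=10.0.0.14 result=ok
2015-05-11T08:05:44 user=vendor_acme src=203.0.113.5 result=ok
2015-05-11T08:06:01 user=vendor_acme src=198.51.100.77 result=ok
2015-05-11T08:07:30 user=jsmith src=10.0.0.14 result=fail
2015-05-11T08:07:35 user=jsmith src=10.0.0.14 result=fail
2015-05-11T08:07:41 user=jsmith src=10.0.0.14 result=fail
2015-05-11T08:07:47 user=jsmith src=10.0.0.14 result=fail
2015-05-11T08:07:52 user=jsmith src=10.0.0.14 result=fail
2015-05-11T08:09:00 user=olduser src=10.0.0.22 result=ok
2015-05-11T09:15:00 user=vendor_acme src=203.0.113.5 result=ok
"""

# Constructed inventory of accounts currently granted access (employees and vendors).
AUTHORIZED_USERS = {"jsmith", "vendor_acme"}

FAIL_THRESHOLD = 5                      # this many failures inside FAIL_WINDOW is a finding
FAIL_WINDOW = timedelta(minutes=5)
SHARED_WINDOW = timedelta(minutes=10)   # same account, two addresses, this close together


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": ts, "user": fields["user"], "src": fields["src"],
                "result": fields["result"]}
    except (ValueError, KeyError):
        return None


def review(log_text, authorized=AUTHORIZED_USERS):
    """Return a sorted list of (finding_type, user) tuples for the given log text."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = set()
    recent_fails = defaultdict(list)    # user -> timestamps of recent failures
    seen_sources = defaultdict(list)    # user -> [(timestamp, src)] of successful logins
    for e in events:
        # Finding 1: an account not on the authorized list still logs in successfully,
        # e.g. a departed employee or a vendor whose engagement ended.
        if e["result"] == "ok" and e["user"] not in authorized:
            findings.add(("unauthorized_account", e["user"]))
        # Finding 2: a burst of failed logins within the window.
        if e["result"] == "fail":
            window = [t for t in recent_fails[e["user"]] if e["ts"] - t <= FAIL_WINDOW]
            window.append(e["ts"])
            recent_fails[e["user"]] = window
            if len(window) >= FAIL_THRESHOLD:
                findings.add(("failed_login_burst", e["user"]))
        # Finding 3: one account used from different addresses in quick succession,
        # the log signature of a credential shared among several people.
        if e["result"] == "ok":
            for ts, src in seen_sources[e["user"]]:
                if src != e["src"] and e["ts"] - ts <= SHARED_WINDOW:
                    findings.add(("multiple_sources", e["user"]))
            seen_sources[e["user"]].append((e["ts"], e["src"]))
    return sorted(findings)


if __name__ == "__main__":
    for kind, user in review(SAMPLE_LOG):
        print(f"{kind}: {user}")
```

Run against the constructed sample, the review reports a failed-login burst for `jsmith`, the `vendor_acme` account used from two addresses within a minute, and a successful login by `olduser`, who is not on the authorized list. Scheduling this kind of review to run on every export rather than only after an incident is the difference the paragraph above draws between reactive log checks and ongoing monitoring.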

Communicate, communicate, communicate

No organization wants to be the subject of a news article about a breach that exposed sensitive information. That's one of the reasons rapid detection is so important. If there’s a story to tell, you want to be the one telling it.
 
We often talk with clients who are proud of their disaster recovery and incident response plans, yet the communications piece is often lacking. Proactively create communication plans when times are good, so they’re approved and ready to go in the event of an incident.
 
Under the best of circumstances, recovering from a cyberattack can take organizations weeks (and sometimes months or years). That's why you want to mitigate as much of the risk as possible. Don't be a victim of opportunity; force the attackers to find easier targets.
 
Not sure where to start? Ask your CIO, security officer, or IT support what controls and plans are in place related to cybersecurity and how they are being tested. Review your organization's annual IT risk assessment. Ask questions. Learn what your group is currently doing — and still may need to do — to assess the real risks and protect your invaluable information assets.