Cybersecurity: Real strategies for real threats
Every organization's nightmare is discovering that its network and member data have been compromised. Whether sensitive member records are disclosed, credit and debit card data is stolen, IT systems are knocked out of service, or some other incident occurs, the threat is all too real.
Cybersecurity should be a critical concern for trade and professional associations today. The growing use of mobile devices and platforms (tablets, smartphones, and the like) amplifies existing vulnerabilities and creates new ones. Attackers are becoming more sophisticated and better at targeting their attacks. In a large share of cases it takes victims weeks or longer to discover an intrusion, and the tip-off often comes from an external party rather than from the organization's own monitoring.
However you crunch the numbers, the cost of a breach is painfully high. According to a Ponemon Institute study, the average cost of a corporate data breach rose 15 percent in the past year to $3.5 million. On top of that comes the reputational cost to your brand and the mistrust created among your members, your employees, and your partners.
If there is a silver lining, it's that most breaches stem from factors within your control: weak infrastructure, poor end-user judgment, weaknesses at third-party vendors, and the way you adopt new technology such as mobile devices and cloud services. With proper strategies for managing those factors you can prevent many breaches and limit the damage from the ones you cannot prevent.
Rather than hope your organization won't be targeted, assume it will be. Then take the following steps to ensure you have controls in place to prevent an intrusion where possible and to detect one quickly when prevention fails.
Assess your risk
It's difficult to put controls in place if you haven’t identified the specific assets you must protect. For most organizations, information assets will fall into four categories: data, applications, infrastructure, and vendor resources.
For each category, determine criticality. Inventory all the confidential, sensitive, or personal data on your network or held by a vendor (member payment card information, employee Social Security numbers and home addresses, for example) and decide which of it needs a higher degree of protection. For applications, ask what they depend on, what functions they perform, and what the impact would be if they were compromised or unavailable. For infrastructure, in-house and at your vendors, ask what it does and how complex it is, since complexity hides weaknesses.
Inherent risk is the likelihood of an attack combined with its impact on your organization, before any controls are considered. The controls you already have, and those you continue to add, lower that risk; what remains is your residual risk. Once you have evaluated the threats to each category of information and assessed the controls that address them, you will know where to focus to reduce the chance of compromise. The finished assessment is also a road map: it shows where security needs to improve and where the organization is relying on people, on processes, and on technology for its security controls, so you can judge whether each of those is sufficient.
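As an added illustration (this code is not from the original article), the following Python scanner shows one way to carry out the data inventory step described above: it searches records for payment card numbers and U.S. Social Security numbers, validates candidates to cut false positives (a Luhn check for card numbers, the Social Security Administration's allocation rules for SSNs), masks what it finds so the report itself does not become sensitive data, and labels each record public or confidential. The sample records, the regular expressions and the function names are assumptions made for this example.

```python
"""Sensitive-data discovery: find card numbers and SSNs so records can be
classified. Added example; the sample records below are constructed."""
import re
from typing import Dict, List, Tuple

# Payment card candidates: 13-19 digits, optionally split by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# U.S. SSN in the common AAA-GG-SSSS form.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; true for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_valid(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a in (0, 666) or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(digits: str, keep: int = 4) -> str:
    """Never copy a full identifier into the report; keep only the last digits."""
    return "*" * (len(digits) - keep) + digits[-keep:]


def find_sensitive(text: str) -> Dict[str, List[str]]:
    """Return masked card numbers and SSNs found in text."""
    hits: Dict[str, List[str]] = {"card": [], "ssn": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits["card"].append(mask(digits))
    for m in SSN_RE.finditer(text):
        if ssn_valid(*m.groups()):
            hits["ssn"].append("***-**-" + m.group(3))
    return hits


def classify(text: str) -> str:
    """Two-level scheme from the article: confidential if any hit, else public."""
    hits = find_sensitive(text)
    return "confidential" if hits["card"] or hits["ssn"] else "public"


# Constructed sample records. 4111... is a well-known test card number; the
# SSN is made up but structurally valid.
SAMPLE_RECORDS = [
    "member 1042, paid 4111 1111 1111 1111 exp 12/26",
    "employee J. Doe, SSN 123-45-6789, 42 Elm St",
    "order 20240915, ref 4111111111111112",   # fails Luhn: not a card number
    "newsletter issue 14, public",
]


def scan_records(records: List[str]) -> List[Tuple[int, str, Dict[str, List[str]]]]:
    """Classify each record; returns (index, label, masked hits)."""
    return [(i, classify(r), find_sensitive(r)) for i, r in enumerate(records)]


if __name__ == "__main__":
    for idx, label, hits in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: {label} {hits}")
```

Run it over exports from file shares, databases and mailboxes rather than one string at a time, and treat the patterns as a starting point: other identifiers you hold (bank account numbers, driver's licence numbers) need their own patterns, and the vendor side of the inventory still has to be answered by the vendor.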
A house (un)divided begins with a framework
Security
Securing your network and infrastructure means defending in layers, like dressing for a day outdoors in rapidly changing weather: threats come from all directions, from inside as well as outside, and no single control stops them all.
Those layers should include data classification (public versus confidential, sensitive, or private), perimeter security (firewalls, intrusion detection and prevention systems), wireless security, authentication, encryption, anti-virus, patch management, remote access controls, and network monitoring.
Monitoring should be continuous, with logs and alerts formally reviewed at least weekly or monthly, and you should commission an independent annual assessment to validate your practices and findings and confirm that strong controls are in place.
- Data classification – public vs. confidential (sensitive/private)
- Perimeter security – firewalls, IDS/IPS
- Wireless security – change the default SSID and administrator password, enable encryption
- Authentication – individual user accounts and strong passwords
- Encryption – in transit (connectivity) and at rest (storage)
- Anti-virus
- Patch management
- Remote access
- Network monitoring
- Annual testing – external and internal penetration testing
Strengthen user awareness
Your IT security is only as strong as its weakest link, and often that link is your people. It takes only one unaware staff member to jeopardize the whole system with something apparently innocuous: clicking a link in a seemingly legitimate email, downloading a file, or using an easy-to-guess password.
If you don't already have a security awareness program in place, consider implementing one. Include regular auditing and testing to ensure employees are applying what they've learned in training to their day-to-day interactions with your IT system. Look to innovative training methods and reward systems that reinforce desired practices.
Consider all the parties to whom your organization grants access: full-time and part-time employees, contractors, vendors, customers, members, and visitors. For each, consider what access you grant, how you grant it, and how (and how promptly) you remove it when it is no longer needed. Also look at how you monitor access today. Do you examine user access logs only after a problem is noticed, or do you monitor your systems continuously to detect unauthorized access and misuse?
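To make that monitoring question concrete, here is an added example (not code from the article's authors): a small Python detector that runs over constructed sshd-style authentication log lines and joins them against an access roster. It flags password guessing (five or more failures from one address within two minutes), a successful login from an address that was just guessing, a login by an account that is not on the roster at all, and a login by a contractor whose access end date has passed, which is exactly the failure to remove access that the paragraph warns about. The host names, user names, addresses, roster entries and thresholds are all assumptions made for this example.

```python
"""Access-log review against an access roster. Added example with
constructed log lines; not from the original article."""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Matches OpenSSH auth lines such as
#   Sep 12 08:01:13 vpn1 sshd[2210]: Failed password for jdoe from 203.0.113.45 port 51022 ssh2
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)"
)
LOG_YEAR = 2024                 # syslog timestamps carry no year; assumed here
FAIL_THRESHOLD = 5              # failures from one address ...
WINDOW = timedelta(minutes=2)   # ... within this window count as password guessing

# Who is allowed in, and until when (None = no end date). Constructed roster.
ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "jdoe": ("employee", None),
    "mlee": ("employee", None),
    "vendor_acme": ("contractor", date(2024, 8, 31)),  # engagement ended
}

Finding = Tuple[str, str, str]  # (rule, user, source address)


def parse(line: str) -> Optional[dict]:
    """Extract timestamp, outcome, user and source address; None for non-auth lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return {"ts": ts.replace(year=LOG_YEAR), "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}


def analyze(lines: List[str], roster=ROSTER) -> List[Finding]:
    """Apply the four rules in log order and return the findings."""
    findings: List[Finding] = []
    fails: Dict[str, List[datetime]] = defaultdict(list)  # ip -> recent failure times
    guessing = set()                                       # ips already flagged
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, user, ts = ev["ip"], ev["user"], ev["ts"]
        if not ev["ok"]:
            # keep only failures inside the sliding window, then add this one
            fails[ip] = [t for t in fails[ip] if ts - t <= WINDOW] + [ts]
            if len(fails[ip]) >= FAIL_THRESHOLD and ip not in guessing:
                guessing.add(ip)
                findings.append(("brute_force", user, ip))
            continue
        # Successful login: was the address guessing, and is the account still entitled?
        if ip in guessing:
            findings.append(("success_after_brute_force", user, ip))
        entry = roster.get(user)
        if entry is None:
            findings.append(("unknown_account", user, ip))
        elif entry[1] is not None and ts.date() > entry[1]:
            findings.append(("expired_access", user, ip))
    return findings


# Constructed sample log (documentation address ranges, invented users).
SAMPLE_LOG = [
    "Sep 12 08:00:00 vpn1 sshd[2200]: Server listening on 0.0.0.0 port 22.",
    "Sep 12 08:01:13 vpn1 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2",
    "Sep 12 08:01:19 vpn1 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2",
    "Sep 12 08:01:25 vpn1 sshd[2212]: Failed password for jdoe from 203.0.113.45 port 51024 ssh2",
    "Sep 12 08:01:31 vpn1 sshd[2213]: Failed password for jdoe from 203.0.113.45 port 51025 ssh2",
    "Sep 12 08:01:37 vpn1 sshd[2214]: Failed password for jdoe from 203.0.113.45 port 51026 ssh2",
    "Sep 12 08:01:44 vpn1 sshd[2215]: Accepted password for jdoe from 203.0.113.45 port 51027 ssh2",
    "Sep 12 09:15:02 vpn1 sshd[2301]: Accepted publickey for mlee from 198.51.100.7 port 40110 ssh2",
    "Sep 12 17:42:10 vpn1 sshd[2400]: Accepted password for vendor_acme from 192.0.2.99 port 33001 ssh2",
    "Sep 12 17:50:33 vpn1 sshd[2401]: Accepted password for root from 192.0.2.99 port 33002 ssh2",
]

if __name__ == "__main__":
    for rule, user, ip in analyze(SAMPLE_LOG):
        print(f"{rule:26} user={user} from={ip}")
```

In practice the lines come from the log pipeline rather than a list, and the roster should be generated from HR and contract records, so that a login by a departed contractor is caught the first time it happens rather than at the annual review.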
Conduct due diligence with vendors
In the rush to get problems solved and new applications up and running, it's tempting to skip key parts of the due diligence process. But better to take time on the front end than pay for it later with a breach.
Check the references vendors provide and run background checks on company principals (employment, criminal, financial, and so on). Review the company's internal controls environment, its security history, and its SOC (Service Organization Control) reports. Check for litigation or regulatory actions. Ask for proof of insurance coverage and confirm the coverage is adequate. Confirm that the vendor can meet your disaster recovery and business continuity requirements and that it is financially stable enough to keep investing in security and in the staff to run it.
Communicate, communicate, communicate
No organization wants to be the subject of a news story about a breach that exposed sensitive information. That is one reason rapid detection matters: if there's a story to tell, you want to be the one telling it, with the facts in hand, rather than reacting to someone else's account.
We often talk with clients who are proud of their disaster recovery and incident response plans, yet the communications piece is frequently missing. Create communication plans proactively, while times are good, so they are approved and ready to go when an incident occurs: who speaks for the organization, whom you must notify, and by when.