ASAE Annual Meeting

Things That Go “Bump” in the Night: A Cybersecurity Town Hall

By Association Adviser staff • August 17, 2021

Securing your organization’s digital assets has never been more complicated or more essential than it is today. Almost half of attacks are aimed at small and medium-sized organizations, including associations, and these attacks cause data and revenue loss. COVID increased the risks as everyone started working remotely. What can be done to protect your association against cyber threats? Dan Brandt Lautman, consultant for network systems & support at DelCor Technology Solutions, asked three association executives about the cybersecurity questions that keep them up at night, and how they work to resolve those fears.

The Business Perspective: Christina Lewellen, MBA, CAE

What keeps CEOs up at night?

As of August 2021, the pandemic is still happening and still changing the way we work. Going from centralized to decentralized opens up a chance for errors. Associations had to spread out their networks when people went remote, and they came to rely on additional software or online processes to complete work that would normally be done under one roof; both changes opened up more security risks. Associations that were already remote didn’t miss a beat. The pandemic disrupted others, though, and resulted in the creation of remote networks that connected everyone and kept them working together.

Christina Lewellen, MBA, CAE, executive director of the Association of Technology Leaders in Independent Schools, recommends asking your IT team these critical questions about the state of your organization’s cybersecurity: 

  • Have we reviewed our privacy policies in the wake of COVID?

Many associations are asking these questions in retrospect after shifting to remote work so quickly in 2020. They may be finding that current practices don’t align with traditional association policies. It might be time to update those policies, or time to implement practices that align your team with your management policies.

  • Do we really understand what our cyber insurance covers?

Cyber insurance is still a relatively new form of insurance. What cyber insurance includes differs from company to company. Your policy may not cover current threats that didn’t exist or weren’t common a couple years ago. Make sure you have a knowledgeable broker who knows your needs and crafts a policy that caters to them.

  • Do we mandate multifactor authentication? 

This is foundational when it comes to security. You can’t get money from an ATM without a PIN. Don’t let hackers attack your infrastructure or get access to your systems without multiple defense mechanisms standing in their way. Multifactor authentication should not be viewed as an inconvenience but as a standard guard against business interruptions and data loss (which often leads to revenue loss). 

  • What irritates our staff about technology? 

Especially if you’re a larger organization, ask your tech team what irritates the staff about your association’s technology. This will reveal where your inefficient processes are while uncovering the best ways to get your staff to comply with tech security standards. It’s a good bet that if a tech-related process is making the staff mad, they’re not complying as they should. That should be your cue to fix the problem and close up any security gaps.

  • What are other associations doing that we should consider? 

Your peers can be a deep source of useful technology security information and best practices.

  • If we did a phishing test, how would we fare? 

Phishing is still rampant. Teach your staff to be aware of the hallmarks of a phishing email: a fake sender address, harmful attachments the sender wants you to open, and disguised links that deliver malware onto the recipient’s device. Try sending fake phishing emails to your staff and see who takes the bait. This question isn’t meant to put anyone in a ‘gotcha’ position; it’s a teaching tool that shows your staff first-hand how easy it can be to fall for a sophisticated phishing scheme.

  • What data do we have that we aren’t leveraging? 

We have to know what data we have and where it is before we can protect it. Complete a data map to better know your business and your data security needs.

  • If we had standing meetings, what info could you provide me?

It’s important to have regular opportunities for your stakeholders to go over the good, the bad, and the ugly of your current technology practices. Encourage your IT team to frame security risks in terms of the benefits to the association’s mission.

The Technology Perspective: Todd Tolbert, CAE

CIOs oversee the IT teams that actively research security tools and implement them. Todd Tolbert, CAE, COO/CIO of VSTI Partners, Inc., explained how an IT team can proactively manage an association’s cybersecurity risk.

What’s keeping CIOs up at night?

Update Your Association’s Risk Profile

Cybersecurity comes down to how much risk you’re willing to take on. What would happen if someone unauthorized gained access to our data? What would we lose? How much harm, and what kind, would happen to our stakeholders? How long would it take to recover?

A risk profile is a statement of the assets an association wants to guard and the consequences that could follow if those assets fall into the wrong hands. The CIO and their team should develop it together with the rest of the executive team, volunteer leaders, and the public relations team. The more perspectives contributing to the risk profile, the more thorough it will be.

Know your risk appetite. How much room can you make for the chance that you’ll be hacked? Are you going to dedicate enough resources to cybersecurity that you’ll never get hacked, or will you meet industry standards, which are stringent but generally don’t guarantee 100% defense against the ever-changing attack surface? You will need to decide the balance you’re going to strike between proactive defense and the funds, time and effort that go into that defense.

Know About Available Resources for Cybersecurity

Know the services available to associations to secure their systems. If you work with a managed services provider, ask what they can do to protect your organization’s assets as well as the authentication practices they implement to keep unauthorized users out. 

Accept that the likelihood of facing a hack is high. People want to work as efficiently as possible. Decide how many resources you’re going to dedicate to cybersecurity knowing that the “attack surface” is now very large with so many association staffs geographically spread out. 

Decide what your trade-offs will be. You might decide to keep a VPN for financial information but move to the slightly-less-secure cloud for other data because you need the convenience of anywhere access the cloud offers. 

Questions to ask a potential tech security vendor, especially if you are a small association relying upon software-as-a-service vendors:

  • How critical is the particular service? 
  • What’s the service level agreement? 
  • Just how secure can you make our data? (How many “nines”, 99.9%, 99.99%…)
  • What happens if a breach still happens? 
  • Who on the vendor side has access to your data? 
  • Does the vendor have someone responsible for cybersecurity in the C-suite?

These questions are a start. Work with your IT team to develop other questions specific to your association’s needs to ensure a good technology partner-association fit.

Incident Response

It’s not if, it’s when. The whole organization must know what the next steps are if/when your association’s systems go down. Have the IT team, working with others, develop a response plan for incidents small and large. Know who will drive it when it needs to be implemented. 

Why create a detailed cybersecurity incident response plan? You don’t want to make up a response as you go. Even if you think IT is capable, when things need to happen fast, it’s easier to have a script to follow. Plus, you don’t want to leave any aspect of your operations out. You want to cover all scenarios. Know who takes ultimate responsibility for the response, and what role everyone will play: calling insurance, your tech vendors, and your bank. In some cases, you’ll want to call the authorities to warn that there is criminal activity going on. They may know of similar incidents happening at other organizations. Your reporting could help stop the source.

Add a post-mortem report to your response plan. You might not face the same situation again, but placing a report in your organization’s official record can inform the response to future similar incidents. A post-mortem report can be useful for future auditing purposes, too—it removes any doubts about discrepancies in your financial records. Consider writing and studying an after-action report as well. Try to find out what the cause was—not to fire anyone, but to uncover the people, processes or technology that led to the breach, and what back doors need to be closed. 

The Operational Perspective: Carlos Cardenas

All of this information is great. But once you’ve taken it all in, these are the first steps Carlos Cardenas, director of information technology for the National Board of Certification & Recertification for Nurse Anesthetists, recommends taking at your association. 

What keeps the “techies” up at night?

First, make sure your risk assessment plan is up to date. What are your weak areas that you need to protect? What resources do you want to devote to that protection? Choose your highest priorities to work on first. 

Enact multi-factor authentication immediately if you don’t already use this for your tech systems. MFA is the single most effective step you can take to protect your data. 

Consider the risks of on-premise systems vs. cloud-based ones. Private networks, or VPNs, are often more secure, but cloud-based systems are more convenient and necessary for remote staffs. There must be a balance between the usability and the security of your systems. You could set up highly sensitive systems, like an association management system (AMS), on a VPN and other, less sensitive systems like email on a cloud-based platform.

Look at your tech contracts and examine what they do with your intellectual property. Now is a good time to inventory what data you share with your vendors and what their contracts promise in terms of security. What happens when someone at their company leaves? What are they doing to stay current about security threats and responses? Should they be in charge of your cybersecurity at all? There are companies that specialize in warding off cybersecurity threats. They may be able to protect your organization better than a managed services provider whose main focus is on improving their main product and supplying an excellent user experience.

Implement cybersecurity training for everyone in your company. Everyone has a part in securing your organization’s information. Ongoing training is necessary to give your people the tools to smartly navigate technology. Incorporate it into staff meetings, or hold private meetings to give extra help as needed. There’s no need to shame anyone, but it is important that staff members know what to look out for and how to protect the organization.

A related cybersecurity tip for everyone: stay away from social media games! Posts that encourage you to share a ton of information about yourself, such as your favorite teacher in high school or the model of your first car, may seem like fun, innocent games, but they’re actually getting you to reveal the answers to common online security questions. Don’t fall for the trap. Reminisce over your childhood best friend’s name and your first pet with your friends in person.

In conclusion

Multifactor authentication is going to be the best way to start protecting yourself against tech attacks. Brush up on your risk profile and risk tolerance when it comes to your electronic data. Create an incident response plan, because cybersecurity threats will happen to you. Engage all stakeholders with an ability to help protect your organization. And stay vigilant – the cyber landscape is constantly evolving and new threats crop up every day. The best way to not lose sleep over cyber issues is to stay aware.