Keep a Lock on Your Data
By: Mark Athitakis
Last year's Christmas shopping season was a decidedly unmerry one for Target. In mid-December, the retailer disclosed a massive data breach in which attackers captured roughly 40 million payment card numbers and personal data on up to 70 million customers, about 110 million records in all. Target is still paying the price, from remediation costs to the free year of credit monitoring it offered customers by way of apology. The bill, net of insurance payments, isn't cheap: $17 million and counting, according to The New York Times.
If there are any association executives who think Target's experience is too wide-scale to be relevant to them, nonprofit technology expert Maki Kato recommends a simple exercise: Write an apology letter to your members just like the one former Target CEO Gregg Steinhafel had to deliver to customers.
"What if I were the executive director of an association, and I have to write this letter apologizing?" says Kato, chief technology officer and vice president of engineering at Matrix Group International, an association technology consulting firm. "Is that worth keeping the handful of credit card numbers the staff feels they need to hang onto to process refunds?"
Kato's question speaks to an important point about data security: While hackers unleash data-breach mayhem, association staffers too often unwittingly enable them, thanks to lax security processes that keep valuable member data readily accessible to unauthorized parties. Effective cybersecurity is about both keeping up with technology trends and managing the people who handle essential data—often all too casually.
Tobin Conley, senior consultant, technology management, at DelCor Technology Solutions, keeps a running list of obvious mistakes association staff members make that leave the organization open to data breaches or make it difficult to recover data. Overly simple passwords like "1234." Important passwords for databases and social media accounts saved in an unencrypted file in a shared folder. Backup tapes kept in the same room as the servers—ensuring that the data will be lost after a fire or other catastrophic event.
"You hear stuff that just curls your toes," he says.
Dr. Devin Jopp, president and CEO of the Workgroup for Electronic Data Exchange, an association that serves healthcare information professionals, says he experienced a data breach at a previous association, so at WEDI he's mindful about the technology systems his vendors use and the access his staff has to them. He recommends reviewing vendors' updates and processes at least twice a year to make sure they're current.
"Updating this is the critical part," he says. "A lot of places do their due diligence initially and then they forget about it."
First Steps to Better Security
Tobin Conley, senior consultant, technology management, at DelCor Technology Solutions, offers these tips for smaller associations to begin addressing data security issues. "These aren't super-sophisticated, but they knock out a good many liabilities," he says.
On the staff side, Jopp implements tight controls on who has passwords to different levels of information. The ability to export an Excel spreadsheet from the association management system, for instance, is heavily restricted. Hackers aren't the only concern. "You're probably more likely to have a staff member take your data than having your data stolen from outside," he says.
And though it's uncomfortable to think about, Conley highly recommends having a procedure in place to ensure employee access is locked down when a staffer leaves or is terminated. "You need to make sure that you don't give any lag time whatsoever, that that back door is shut," he says.
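The two controls Jopp and Conley describe, restricting who holds high-value access such as exporting the member database and cutting off access the moment someone leaves, are easy to state and easy to let slip. The script below is an added example, not code from the article or from any of the associations it quotes. It reconciles a constructed HR separation list against a constructed export of user accounts and flags three things: accounts of departed staff that are still enabled, accounts that logged in after their owner's separation date (the "lag time" Conley warns about), and accounts of current staff that have gone dormant. It also lists who currently holds an assumed privileged role, here called "ams-export". Field names, role names and the 90-day dormancy threshold are all assumptions for illustration.

```python
"""Offboarding reconciliation: find access that should already be gone.

Added example, not from the original article. All input records below are
constructed; the column names and the "ams-export" role are assumptions.
"""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_login: date
    roles: frozenset  # e.g. frozenset({"ams-export", "finance"})

# Constructed HR data: username -> last day of employment.
HR_SEPARATIONS = {
    "jdoe": date(2014, 9, 30),
    "asmith": date(2014, 8, 15),
}

# Constructed directory export (what an AMS or Active Directory dump might look like).
DIRECTORY = [
    Account("jdoe", True, date(2014, 10, 2), frozenset({"ams-export"})),  # left, still enabled, used after leaving
    Account("asmith", False, date(2014, 8, 14), frozenset()),             # left, correctly disabled
    Account("bwong", True, date(2014, 4, 1), frozenset({"finance"})),     # current staff, dormant account
    Account("mlee", True, date(2014, 10, 5), frozenset({"ams-export"})),  # current staff, active
]

def reconcile(directory, separations, today, stale_after_days=90):
    """Return the accounts an administrator must act on.

    disable_now: departed staff whose account is still enabled.
    logged_in_after_separation: departed staff whose account was used after
        their last day, which means the lockout lagged and a review is needed.
    dormant: current staff who have not signed in for stale_after_days,
        a candidate for disabling on the least-privilege principle.
    """
    findings = {"disable_now": [], "logged_in_after_separation": [], "dormant": []}
    for acct in directory:
        last_day = separations.get(acct.username)
        if last_day is not None:
            if acct.enabled:
                findings["disable_now"].append(acct.username)
            if acct.last_login > last_day:
                findings["logged_in_after_separation"].append(acct.username)
        elif acct.enabled and (today - acct.last_login).days > stale_after_days:
            findings["dormant"].append(acct.username)
    return findings

def privileged_holders(directory, role):
    """Sorted usernames of enabled accounts that hold the given role.

    Run this periodically for roles like "ams-export" so that the list of
    people who can pull the whole member database stays small and known.
    """
    return sorted(a.username for a in directory if a.enabled and role in a.roles)

if __name__ == "__main__":
    report = reconcile(DIRECTORY, HR_SEPARATIONS, today=date(2014, 10, 6))
    for category, users in report.items():
        print(f"{category}: {', '.join(users) or '-'}")
    print("ams-export holders:", ", ".join(privileged_holders(DIRECTORY, "ams-export")))
```

Run on the constructed data, the report flags jdoe for immediate disabling and for a post-separation login, and bwong as dormant; the export-role listing shows that a departed employee still holds the most sensitive permission. Wiring the same logic to a real HR feed and directory export, and running it daily, turns the "no lag time" rule into something that is checked rather than remembered.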
The upside for associations is that technological solutions can address many of the day-to-day concerns about data security. For example, running card payments through a PCI DSS-compliant processor that tokenizes card numbers (a hosted payment page, say) keeps transactions secure and means full card data never lands on the association's own servers, which also shrinks the scope of the association's own compliance obligations. Tools can enforce strong password rules, and automatic updates for antivirus software and other applications can protect data without relying on people to remember to install newer versions.
The downside is that weak links abound in all of these efforts. A meetings staffer might still keep credit card numbers in a file to please a member having trouble getting a conference refund online. Another staffer might have a strong password but keep it written on a sticky note on a monitor. Your cloud-server vendor might be top-notch, but a website plugin may not be.
"You might have a website running WordPress with Amazon [Web Services]," says Joanna Pineda, CEO of Matrix Group International. "But if you're not current with WordPress and auditing plugins and passwords, relying on Amazon's security is only going to get you so far."
Keeping tabs on passwords and necessary updates has become even more complicated as associations increasingly embrace "bring your own device" policies, which let staffers use their own computers and phones to do association work. Renato Sogueco, CIO of the Society of American Florists, manages a strict written BYOD policy that gives SAF a great deal of control over association data on personal devices: It can set passwords, install apps and security features, and, in the case of a lost phone, wipe all data from the device.
Just as critical as writing the policy is regularly communicating its importance to staff. "I can't impose something that's just verbal to people who use these devices," he says. "I need a piece of paper to stand on."
All employees have to sign the policy, which Sogueco and the SAF executive team revisit every year. "It should be a habit," he says. "If it's not a habit, then people don't think about it, and then they're caught in an 'Oh my' moment" when the policy is enforced.
Associations, because they represent professionals and authorities, are tempting targets for criminals looking for data. But sometimes that's not even an attack on an association's own servers. In 2011, NACHA–The Electronic Payments Association saw its logo and name used by hackers in phishing scams. People who thought they were receiving an official NACHA message about an electronic payment were in fact clicking links that installed malware on their computers.
Pam Moore, NACHA's senior vice president, administrative services, and chief financial officer, says the experience put a strain on staff resources. "Our customer service department was impacted severely," she says. "More and more calls were coming in. And we needed more from our IT resources as well."
Though associations with high profiles in particular industries might hold additional appeal for hackers, every association ought to assume it will be a target, Pineda says.
"People say, 'This can't happen to us, we're so small,' " she says. "What we're finding is that everyone is a target. Every site, every hour of the day, is under attack."
Mark Athitakis is a contributing editor for Associations Now. Email: firstname.lastname@example.org
[This article was originally published in the Associations Now print edition, titled "Keep a Lid on It."]
Need a Policy?
See these samples:
- "What Target's Breach Proves: The CIO's Role Matters More Than Ever," by Ernie Smith, March 7, 2014
- "Are You Prepared to Defend Against Cyberattacks?" by Rob Stott, June 13, 2013
- "Engineering Group IEEE Hit by Member Data Breach," by Ernie Smith, Sept. 26, 2012