Keep a Lock on Your Data

ASSOCIATIONS NOW, May/June 2014, Feature

By: Mark Athitakis

Summary: Every association faces data-security threats. The appropriate fix has as much to do with keeping staff smart as it does with keeping hackers at bay. The right tools and best practices can help prevent your data from landing in the wrong hands.

Last year's Christmas shopping season was a decidedly unmerry one for Target. In mid-December, the retailer disclosed a massive data breach that compromised payment card data for some 40 million customers and the personal information of up to 70 million more, as many as 110 million people in all. Target is still paying the price for that, from remediation to the free year of credit monitoring it offered to customers by way of apology. The bill for the company's error, after insurance payments, isn't cheap: $17 million and counting, according to The New York Times.

If there are any association executives who think Target's experience is too wide-scale to be relevant to them, nonprofit technology expert Maki Kato recommends a simple exercise: Write an apology letter to your members just like the one former Target CEO Gregg Steinhafel had to deliver to customers.

"What if I were the executive director of an association, and I have to write this letter apologizing?" says Kato, chief technology officer and vice president of engineering at Matrix Group International, an association technology consulting firm. "Is that worth keeping the handful of credit card numbers the staff feels they need to hang onto to process refunds?"

Kato's question speaks to an important point about data security: While hackers unleash data-breach mayhem, association staffers too often unwittingly enable them, thanks to lax security processes that keep valuable member data readily accessible to unauthorized parties. Effective cybersecurity is about both keeping up with technology trends and managing the people who handle essential data—often all too casually.

Human Error

Tobin Conley, senior consultant, technology management, at DelCor Technology Solutions, keeps a running list of obvious mistakes association staff members make that leave the organization open to data breaches or make it difficult to recover data. Overly simple passwords like "1234." Important passwords for databases and social media accounts saved in an unencrypted file in a shared folder. Backup tapes kept in the same room as the servers—ensuring that the data will be lost after a fire or other catastrophic event.

"You hear stuff that just curls your toes," he says.

Dr. Devin Jopp, president and CEO of the Workgroup for Electronic Data Exchange, an association that serves healthcare information professionals, says he experienced a data breach at a previous association, so at WEDI he's mindful about the technology systems his vendors use and the access his staff has to them. He recommends reviewing vendors' updates and processes at least twice a year to make sure they're current.

"Updating this is the critical part," he says. "A lot of places do their due diligence initially and then they forget about it."

First Steps to Better Security

DelCor's Tobin Conley offers these tips for smaller associations to begin addressing data security issues. "These aren't super-sophisticated, but they knock out a good many liabilities," he says.

  1. Have unique passwords. Change them regularly, and never share them. Password management tools like KeePass and Norton Identity Safe can help protect passwords.
  2. Use encryption tools to protect sensitive data.
  3. Keep multiple backups of data, and ensure that backups are stored in different places.
  4. Invest in a good antivirus program, and encourage staff to use common sense when confronted with phishing scams, questionable websites, and other methods hackers use to access internal data.

On the staff side, Jopp implements tight controls on who has passwords to different levels of information. The ability to export an Excel spreadsheet from the association management system, for instance, is heavily restricted. Hackers aren't the only concern. "You're probably more likely to have a staff member take your data than having your data stolen from outside," he says.

And though it's uncomfortable to think about, Conley highly recommends having a procedure in place to ensure employee access is locked down when a staffer leaves or is terminated. "You need to make sure that you don't give any lag time whatsoever, that that back door is shut," he says.
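The two controls described above, restricting who can pull a bulk export out of the association management system and shutting every door the moment a staffer leaves, come down to the same mechanism: a permission check tied to an account that can be switched off, with a log of what was attempted. The following is an added example, not code from the article, WEDI, DelCor or any AMS vendor. The in-memory user directory, roles, session table and audit log are assumptions standing in for whatever identity system an association actually runs; the `holders_of` helper supports the twice-yearly access review Jopp recommends.

```python
"""Least-privilege AMS export permission with immediate revocation on departure.

Added example. Roles, users, sessions and the audit log are constructed
stand-ins for a real identity provider / association management system.
"""
import datetime as dt
from dataclasses import dataclass
from typing import Dict, List, Set

# Bulk export is its own permission, held by as few roles as possible.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "membership_staff": {"member.read", "member.update"},
    "meetings_staff": {"member.read", "event.register"},
    "data_manager": {"member.read", "member.update", "member.export"},
    "admin": {"member.read", "member.update", "member.export", "user.manage"},
}


@dataclass
class User:
    username: str
    role: str
    active: bool = True


class AccessControl:
    """Session-based permission checks with an append-only audit log."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, str] = {}  # session id -> username
        self.audit: List[dict] = []

    def _log(self, username: str, action: str, allowed: bool) -> None:
        self.audit.append({
            "time": dt.datetime.now(dt.timezone.utc).isoformat(),
            "user": username, "action": action, "allowed": allowed,
        })

    def add_user(self, username: str, role: str) -> User:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.users[username] = User(username, role)
        return self.users[username]

    def login(self, username: str, session_id: str) -> None:
        user = self.users.get(username)
        if user is None or not user.active:
            self._log(username, "login", False)
            raise PermissionError("account disabled or unknown")
        self.sessions[session_id] = username
        self._log(username, "login", True)

    def check(self, session_id: str, permission: str) -> bool:
        """Deny unknown sessions and disabled accounts before looking at the role."""
        username = self.sessions.get(session_id)
        user = self.users.get(username) if username else None
        if user is None or not user.active:
            self._log(username or "<no session>", permission, False)
            return False
        allowed = permission in ROLE_PERMISSIONS[user.role]
        self._log(user.username, permission, allowed)
        return allowed

    def export_members(self, session_id: str, members: List[dict]) -> List[dict]:
        if not self.check(session_id, "member.export"):
            raise PermissionError("bulk export not permitted for this session")
        return list(members)

    def offboard(self, username: str) -> int:
        """Disable the account and drop every live session in the same step."""
        self.users[username].active = False
        stale = [sid for sid, owner in self.sessions.items() if owner == username]
        for sid in stale:
            del self.sessions[sid]
        self._log(username, "offboard", True)
        return len(stale)

    def holders_of(self, permission: str) -> List[str]:
        """For periodic access reviews: who can currently do this?"""
        return sorted(u.username for u in self.users.values()
                      if u.active and permission in ROLE_PERMISSIONS[u.role])


def demo() -> dict:
    """Constructed scenario: a meetings staffer, a data manager, and an offboarding."""
    ac = AccessControl()
    ac.add_user("mpatel", "meetings_staff")
    ac.add_user("jlee", "data_manager")
    ac.login("mpatel", "sess-m1")
    ac.login("jlee", "sess-j1")
    members = [{"id": 1, "name": "A. Member"}, {"id": 2, "name": "B. Member"}]  # constructed
    results = {"meetings_can_export": ac.check("sess-m1", "member.export")}
    results["dm_export_rows"] = len(ac.export_members("sess-j1", members))
    results["export_holders_before"] = ac.holders_of("member.export")
    results["sessions_killed"] = ac.offboard("jlee")
    results["dm_can_export_after"] = ac.check("sess-j1", "member.export")
    results["export_holders_after"] = ac.holders_of("member.export")
    results["denials_logged"] = sum(1 for e in ac.audit if not e["allowed"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important detail is that `offboard` flips the account off and clears its sessions together; disabling only the login leaves an already-open session, or an unrevoked API token, usable until it expires, which is exactly the "lag time" Conley warns about.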

Tool Management

The upside for associations is that technological solutions can address many of the day-to-day concerns about data security. For example, taking payments through a PCI DSS-compliant processor's hosted payment page or tokenization service keeps card transactions secure and means members' full card numbers never reside on the association's own servers, which also shrinks the association's compliance scope. Tools can force staff to use strong passwords, and automatic updates for antivirus software can protect data without relying on people to remember to install newer versions.

The downside is that weak links abound in all of these efforts. A meetings staffer might still keep credit card numbers in a file to please a member having trouble getting a conference refund online. Another staffer might have a strong password but keep it written on a sticky note on a monitor. Your cloud-server vendor might be top-notch, but a website plugin may not be.
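The refund spreadsheet is the kind of thing a periodic scan of shared drives is meant to find: a card number that the payment processor should hold ends up in a file on the association's own file server. The scanner below is an added example, not code from the article or from any PCI tooling. It looks for 13 to 19 digit runs, keeps only those that pass the Luhn check every real card number satisfies, and reports them masked. The sample files and their contents are constructed for illustration, and the card numbers in them are the well-known test numbers, not real accounts.

```python
"""Find stored payment card numbers (PANs) in text files on a share.

Added example. Sample files are constructed; the numbers are public test PANs.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer digit run (the lookarounds pin the match to the whole run).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812); filters out IDs and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS lets you show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked PANs in text: candidate digit runs that also pass Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def scan_directory(root: Path, suffixes=(".txt", ".csv", ".md", ".log")) -> Dict[str, List[str]]:
    """Map each offending file (path relative to root) to the masked PANs it holds."""
    hits: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        found = find_pans(text)
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


# Constructed sample share: one refund sheet with card numbers, two clean files.
SAMPLE_FILES = {
    "meetings/refunds-2014.csv": (
        "member,conference,card,amount\n"
        "m1042,Annual 2014,4242 4242 4242 4242,395.00\n"
        "m2210,Annual 2014,3782-822463-10005,395.00\n"
    ),
    "membership/notes.txt": (
        "Call Pat re: dues. Office phone 202-371-0940.\n"
        "Member ID 1234567890123456 needs a new badge.\n"  # 16 digits but fails Luhn
    ),
    "finance/readme.md": "Card data is handled by the payment gateway; none stored here.\n",
}


def scan_sample() -> Dict[str, List[str]]:
    """Write the constructed files to a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return scan_directory(root)


if __name__ == "__main__":
    for path, pans in scan_sample().items():
        print(f"{path}: {', '.join(pans)}")
```

The Luhn filter is what keeps the report usable: a 16-digit member ID or two adjacent phone numbers can satisfy the regular expression but will only pass the checksum about one time in ten. Spreadsheets, PDFs and mail stores need a format-aware extractor in front of `find_pans`; the text-only scan here is the minimum, and a hit is a reason to move the data to the payment processor, not a reason to encrypt the spreadsheet.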

"You might have a website running WordPress with Amazon [Web Services]," says Joanna Pineda, CEO of Matrix Group International. "But if you're not current with WordPress and auditing plugins and passwords, relying on Amazon's security is only going to get you so far."

Keeping tabs on passwords and necessary updates has become even more complicated as associations increasingly embrace "bring your own device" policies, which let staffers use their own computers and phones to do association work. Renato Sogueco, CIO of the Society of American Florists, manages a strict written BYOD policy that gives SAF a great deal of control over staff data: It can set passwords, install apps and security features, and, in the case of a lost phone, wipe all data from the device.

Just as critical as writing the policy is regularly communicating its importance to staff. "I can't impose something that's just verbal to people who use these devices," he says. "I need a piece of paper to stand on."

All employees have to sign the policy, which Sogueco and the SAF executive team revisit every year. "It should be a habit," he says. "If it's not a habit, then people don't think about it, and then they're caught in an 'Oh my' moment" when the policy is enforced.

Nobody's Immune

Associations, because they represent professionals and authorities, are tempting targets for criminals looking for data. But sometimes that's not even an attack on an association's own servers. In 2011, NACHA–The Electronic Payments Association saw its logo and name used by hackers in phishing scams. People who thought they were receiving an official NACHA message about an electronic payment were in fact clicking links that installed malware on their computers.

Pam Moore, NACHA's senior vice president, administrative services, and chief financial officer, says the experience put a strain on staff resources. "Our customer service department was impacted severely," she says. "More and more calls were coming in. And we needed more from our IT resources as well."
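The NACHA lure worked because the message carried the association's name while the sender address and the links did not. Checking for that mismatch is a cheap first-pass filter an association can run on inbound mail, or hand to members as a rule of thumb. The code below is an added example, not from the article or NACHA: it parses a message, compares the brand named in the display name or subject with the sending domain and with every link domain in the body, and flags links to executables. Both messages are constructed; nacha.org is used as the legitimate domain for illustration and the other domains are invented. The `registered_domain` helper is a deliberate simplification (last two labels) and would need the Public Suffix List in production.

```python
"""Flag mail that borrows an organization's name but not its domain.

Added example. Messages are constructed; only nacha.org is a real domain.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

# href="..." in HTML bodies, or bare http(s) URLs in plain-text bodies.
LINK_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']|(https?://[^\s"'<>]+)""", re.I)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: no multi-label public
    suffixes (co.uk etc.); a production check consults the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(body: str) -> List[str]:
    return [m.group(1) or m.group(2) for m in LINK_RE.finditer(body)]


def assess(raw_message: str, brand: str, legit_domain: str) -> Dict[str, object]:
    """Compare the brand a message claims with the domains it actually uses."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registered_domain(from_addr.partition("@")[2])
    subject = str(msg.get("Subject", ""))
    mentions_brand = brand.lower() in f"{display_name} {subject}".lower()

    body = "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() in ("text/plain", "text/html"))
    links = extract_links(body)
    link_domains = sorted({registered_domain(urlparse(u).hostname or "") for u in links})
    foreign = [d for d in link_domains if d != legit_domain]

    reasons = []
    if mentions_brand and from_domain != legit_domain:
        reasons.append(f"claims {brand} but was sent from {from_domain or '<none>'}")
    if mentions_brand and foreign:
        reasons.append(f"links lead off-brand to {', '.join(foreign)}")
    if any(urlparse(u).path.lower().endswith((".exe", ".zip", ".scr")) for u in links):
        reasons.append("link points at an executable download")
    return {
        "from_domain": from_domain,
        "link_domains": link_domains,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed lure in the style described above: a bogus ACH notice.
PHISH = """From: "NACHA - The Electronic Payments Association" <alerts@nacha-notices.example>
To: treasurer@some-association.example
Subject: ACH transaction rejected
Content-Type: text/html; charset="utf-8"

<p>The ACH transfer initiated from your account was rejected.</p>
<p>Download the <a href="http://ach-report-download.example/report.exe">transaction report</a>.</p>
"""

# Constructed legitimate message for comparison.
LEGIT = """From: NACHA Newsletter <news@nacha.org>
To: treasurer@some-association.example
Subject: Monthly update
Content-Type: text/plain; charset="utf-8"

Read this month's update at https://www.nacha.org/news
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, assess(raw, "NACHA", "nacha.org"))
```

A message that passes this check can still be malicious (a compromised nacha.org mailbox, or a lure that never names the brand at all), so it is a triage signal, not a verdict; the point it makes for staff is the one in the article: the name on the message is not evidence of where it came from.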

Though associations with high profiles in particular industries might hold additional appeal for hackers, every association ought to assume it will be a target, Pineda says.

"People say, 'This can't happen to us, we're so small,' " she says. "What we're finding is that everyone is a target. Every site, every hour of the day, is under attack."

Mark Athitakis is a contributing editor for Associations Now. Email: mathitakis@asaecenter.org

[This article was originally published in the Associations Now print edition, titled "Keep a Lid on It."]

