Association executives take cybersecurity threats seriously and understand the need to protect themselves and their members against such threats. But cybersecurity still often takes a back seat to other issues that seem more urgent. Frequently, cyber threats are seen as an IT concern rather than an organizational one.

To investigate how associations are approaching cybersecurity, the ASAE Foundation partnered with SCIPP international, a nonprofit focused on information security awareness. They convened a series of focus groups comprising chief executives and chief technology officers to explore the state of cybersecurity in the association sphere. The resulting research brief, Association Data Breach Preparedness [PDF], indicates that leaders know the threats they face but that prioritizing a response is a challenge.

Cybersecurity preparedness often falls prey to the "tyranny of the urgent over the important."

Hacks are seen as inevitable. When it comes to cybersecurity, leaders agreed that they will have to deal with a hack sooner or later. They also said they understand that they should have a plan to prepare for that eventuality. The potential damage of an attack goes beyond restoring lost data—leaders will also need to reestablish business flow, gain back their members' trust, and manage the blow to the association's reputation.

Don't wait until there's a fire. A common theme that emerged in the focus groups was that cybersecurity preparedness often falls prey to the "tyranny of the urgent over the important." Even with an understanding of the dangers to their operations, their reputation, and their member data, participants said that cybersecurity often gets bumped to the back burner until a breach has occurred.

Responsibility goes beyond IT. While CEOs recognize the danger posed by hacking and data breaches, an attitude that "IT will take care of it" is still pervasive. Cybersecurity rarely gets its own budget line, leaving IT departments to balance the comprehensive technology needs of their organization with what they spend on cybersecurity.

All organizations in the study conducted cybersecurity training for employees. The goal for association leaders and staff should be to create an organizational culture of vigilance, where cybersecurity is seen as everyone's responsibility.

Cyber risk insurance isn't simple, but it provides benefits. The focus group participants either had cyber risk insurance or were interested in such coverage. CEOs and CIOs believed one of the chief advantages of insurance is that, in the event a cyberattack, they will be able to show members and the public that their organization had done all it could to protect the organization.

Leaders whose associations did not have cyber risk insurance cited cost and the process required to obtain it as barriers. Getting cyber risk insurance involves an audit of the association's security measures with a thorough look into current practices, which can elicit defensive reactions from IT departments and CIOs. However, participants whose organizations had gone through the audit process said it gave them a greater understanding of the issues and guidance on where action needed to be taken.

To overcome the barriers to obtaining cyber risk insurance, the report suggests that smaller associations might take a collective approach, splitting the cost of an expert or consultant to guide them through the process. Organizations reluctant to undergo an audit should weigh the long-term benefits over short-term discomfort.

Cyber threats are a challenge that will not go away. To best mitigate the risks to cybersecurity, leaders need to set priorities, confront their fears, and communicate its importance to all levels of the organization.