Mark Athitakis is a contributing editor to Associations Now.
Cyberattacks are all but inevitable now for organizations large and small. That means being prepared—both before and after a breach. When it happens to you, the first 48 hours will be critical for evidence gathering and reassuring your members. Here are prep and response strategies from associations that have been there.
In early February 2015, it became clear to Dr. Khuloud Odeh that the Urban Institute had a problem. Someone, or multiple unauthorized people, had hacked into the tax-filing database run by the nonprofit's National Center for Charitable Statistics. Sensitive data like credit card information and Social Security numbers were safe, but usernames, real names, passwords, and other identifying information about users had been accessed.
A year later, the Urban Institute has a dedicated IT security staffer and a stronger action plan for responding to future breaches. Though it still does not have a clear picture of who was responsible for the hack, Odeh points out that ultimately it doesn't matter: Any association, large or small, is vulnerable, simply because it has information worth protecting. "Hackers don't really target your mission," she says. "They target your data."
Not long ago, associations might have believed they were safe from cyberattacks because hackers preferred high-profile targets like large retailers or government agencies. Those days are over. With the rise of ransomware and an ever-expanding array of internet-connected devices, associations need to get smarter about staff policies, security goals, and the response plan for an all-but-inevitable attack.
Cybersecurity is a pervasive enough problem—and enough of a threat to an organization's bottom line—that concern about it is no longer limited to the IT department. A recent survey conducted by the information systems association ISACA and information security events group RSA Conference (see sidebar) found that 82 percent of boards are concerned about cybersecurity.
"Boards of directors are worried about the fiscal capability of the organization," says Frank Schettini, chief innovation officer at ISACA. "We've seen an increase in terms of CEOs as well becoming much more aware in the past year or two about how critical cybersecurity is."
In the Urban Institute's case, it hired a forensic security firm to help identify when and where the breach occurred. But it also convened a group of staffers that extended beyond IT, including communications and senior leadership, to address how it would inform users and the public. The rapid response was essential on the technology level, Odeh says. "The first 24 to 48 hours, when you're dealing with [cyberattack] incidents, are extremely critical. It's like a crime scene: You're trying to collect evidence, so you don't want somebody to step on it."
But quickly reassuring people who had put their trust in the organization mattered too. "It's not just an IT responsibility. It's really an organizational responsibility," Odeh says. Hackers "are threatening the core of the business of any organization."
To that end, it's become incumbent on associations to look more closely at the protections they have in place, especially when it comes to the third-party vendors they usually hire to handle their data.
"I wish more people would ask to have their backups evaluated or reviewed," says James DeHoniesto, director of business technology optimization and cybersecurity at SSD Technology Partners, an IT firm that works with numerous associations. Backups are critical for restoring an organization's data to the point before a breach, but DeHoniesto says many backups are done less often and less successfully than associations think. "Having a backup of a time before you were infected or compromised is key, and right now there's not a lot of attention and focus being paid on it."
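The review DeHoniesto is asking for can be partly automated. The script below is an added example, not code from the article or from SSD Technology Partners: given a backup catalog (a constructed one is embedded inline), it checks whether snapshots are really being taken as often as policy says, recomputes each snapshot's checksum against the manifest, flags copies nobody has ever restored from, and picks the newest verified snapshot taken before a suspected compromise time. The dates, the `members.db` payloads and the `max_interval` policy are assumptions chosen for illustration.

```python
"""Audit a backup catalog: frequency, integrity, restore testing, and the
newest clean snapshot from before a suspected compromise.
Added example with a constructed catalog; not real association data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass
class Snapshot:
    taken_at: datetime
    sha256: str           # digest recorded in the backup manifest when the job ran
    data: bytes           # snapshot contents, embedded inline for this example
    restore_tested: bool  # has anyone actually restored from this copy?


def snapshot_verifies(snap: Snapshot) -> bool:
    """Recompute the digest over the stored bytes and compare with the manifest."""
    return hashlib.sha256(snap.data).hexdigest() == snap.sha256


def audit_backups(snapshots, now, max_interval, compromise_at):
    """Check a catalog against a frequency policy and find the newest
    snapshot that both verifies and predates the suspected compromise."""
    snaps = sorted(snapshots, key=lambda s: s.taken_at)
    report = {"stale": False, "gaps": [], "corrupt": [], "untested": [],
              "recovery_point": None}
    if not snaps:
        report["stale"] = True
        return report
    # Newest copy older than the policy interval: the job is not running as often as believed
    report["stale"] = now - snaps[-1].taken_at > max_interval
    # Missed runs inside the history show up as gaps wider than the interval
    for older, newer in zip(snaps, snaps[1:]):
        if newer.taken_at - older.taken_at > max_interval:
            report["gaps"].append((older.taken_at, newer.taken_at))
    for s in snaps:
        if not snapshot_verifies(s):
            report["corrupt"].append(s.taken_at)
        elif not s.restore_tested:
            report["untested"].append(s.taken_at)
    # A usable recovery point must verify AND come from before the compromise;
    # anything taken afterwards may already contain the attacker's changes
    clean = [s for s in snaps if s.taken_at < compromise_at and snapshot_verifies(s)]
    if clean:
        report["recovery_point"] = clean[-1].taken_at
    return report


def make_snapshot(taken_at, payload, corrupt=False, tested=False):
    """Build a catalog entry; corrupt=True simulates bit rot or a truncated write."""
    digest = hashlib.sha256(payload).hexdigest()
    if corrupt:
        payload = payload[:-1] + b"?"  # stored bytes no longer match the manifest
    return Snapshot(taken_at, digest, payload, tested)


# Constructed catalog (assumption): nightly policy, two missed nights, one corrupt copy,
# compromise suspected at midday on 1 Feb 2015
CATALOG = [
    make_snapshot(datetime(2015, 1, 28), b"members.db v1", tested=True),
    make_snapshot(datetime(2015, 1, 29), b"members.db v2"),
    make_snapshot(datetime(2015, 2, 1), b"members.db v3"),   # 30 and 31 Jan never ran
    make_snapshot(datetime(2015, 2, 2), b"members.db v4", corrupt=True),
    make_snapshot(datetime(2015, 2, 3), b"members.db v5"),
]
COMPROMISE_AT = datetime(2015, 2, 1, 12, 0)


def example_report():
    """Run the audit as of 5 Feb 2015 with a 25-hour tolerance on a nightly policy."""
    return audit_backups(CATALOG, now=datetime(2015, 2, 5),
                         max_interval=timedelta(hours=25), compromise_at=COMPROMISE_AT)


if __name__ == "__main__":
    r = example_report()
    print("newest copy stale:", r["stale"])
    print("gaps in schedule:", r["gaps"])
    print("checksum mismatches:", r["corrupt"])
    print("never restore-tested:", r["untested"])
    print("newest clean pre-compromise snapshot:", r["recovery_point"])
```

On the constructed catalog the audit reports a stale newest copy, a gap between 29 January and 1 February, a checksum mismatch on the 2 February copy, three snapshots that have never been restore-tested, and the 1 February 00:00 snapshot as the recovery point. The last item is the one DeHoniesto's point turns on: a backup taken after the compromise, however recent, is not the one you want to restore from.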
S. Keith Moulsdale, a partner at the law firm Whiteford Taylor Preston who focuses on cybersecurity issues, says associations need to be even more broadly attentive to what their vendors do. "Get a copy of the written information and security policy," he says. "Find out who is the person who's designated with [responsibility for] data security, information security, within the organization. Get a copy of their most recent applicable audit."
Your data is going to move around—that's inevitable in a time of smartphones and flash drives and Dropbox. DeHoniesto recommends a handful of basic, low-cost ways to mitigate the problems that stem from all this mobility: strong password policies, regularly updated antivirus software, software patches, and encrypted USB drives.
"People don't just do work in the office anymore, but in allowing that, enable the technologies that will allow you to be protected," he says.
But the issue is as much cultural as technological. Moulsdale points out that staff activities that lead to breaches often start with senior staff, not rank-and-file employees. "Data security compliance really has to start at the top," says Moulsdale. "Experience shows that if executives don't have buy-in and don't set good examples, then it's almost impossible to have an effective program. There needs to be C-level buy-in to any data security compliance program."
That's important because, as in the case of the Urban Institute, multiple staffers will need to convene to address a problem. Moulsdale says an internal response team should include one C-suite leader in addition to legal, IT, security, communications, and affected staffers. And it should be assembled with the expectation that a breach is going to happen.
"Because experts say that it is only a matter of time before your system gets breached, my best piece of advice, with respect to data security, is plan to fail well," he says.
Even if you've prepared your internal response team, vetted your tech vendors, briefed staffers at all levels about the importance of data security, and given them the tools to stay protected—well, now there's the refrigerator in the staff lounge to deal with.
In recent years, much personal-tech innovation has focused on the "internet of things" (IOT): everyday objects, from clothing to appliances, that can be accessed online. That has created a new bounty of information that organizations can use to market effectively and drive business results. But connected devices, such as the security camera on your premises, are typically less protected than your laptop, and laptops are trouble enough when it comes to data breaches.
"Those things are not being designed for security," says DeHoniesto. "They're being designed for convenience. Things like security cameras, the home automation devices, there's not a lot of security being built into it, and there's already been a record of people being able to hack into a home network through a digital device."
"What you see right now with IOT is a lot of vendors trying to retrofit that [security] capability into their product because they've realized, 'Oh, it's great, we're capturing all this information and providing unparalleled new capability to track and measure operations. ... Oops. We're not really securing that information,'" says ISACA's Schettini.
But even if the staff fridge isn't an immediate threat, the increasingly networked world in which your data lives means that associations will need to concentrate on this issue for some time to come.
"I think the first thing is associations should recognize that this isn't someone else's problem," Schettini says. "The reality is, all of us are being attacked on a daily basis. There's a likelihood that we're going to have our information exposed, so it's really important for the organization from top to bottom to recognize cybersecurity as serious and take appropriate actions."
[This article was originally published in the Associations Now print edition, titled "Scene of the Cybercrime."]