Brian Scott is president and founder of ClearTone Consulting LLC.
Managing cybersecurity risks is an ever-changing job that keeps growing in complexity, but the start of a new year is a good time to assess where things stand. Here are some ideas for doing the work to protect your association.
It’s both amazing and terrifying how fast the cybersecurity industry has exploded over the last 20 years. It’s gone from “maybe we should add passwords to our website” to “a significant business risk” in what seems like the blink of an eye. Entire career paths have been created within the industry so that most organizations now have multiple, specialized vendors supporting their enterprise cybersecurity program.
With all this change and increasing complexity, it’s no wonder many association executives and leadership teams can struggle to understand exactly what their organization should be doing to protect their data, people, and brands.
The new year brings an opportunity to reassess the situation and to commit to some new approaches to the problem. Here are a few potential resolutions to consider going into 2023.
For the association that still has some on-premises computer infrastructure (e.g., file servers, compute servers, VOIP systems, and so forth), consider having a security risk assessment performed so you’re fully aware of your cyber risks as measured against an industry-standard control framework, such as CIS or NIST.
If associations don’t know where their biggest risks are, then how can they ever be sure the cyber-protection plans they are creating are truly addressing their biggest concerns? In addition, make sure to find an association- or nonprofit-oriented security vendor that right-sizes the effort to your organization.
If you’ve already had an assessment done or don’t believe your environment is complex enough to warrant one, there are a few basic “cyber hygiene” areas you want to ensure you’ve got covered. This is by no means a comprehensive list, but focusing on these areas is a good way to start a conversation with your internal IT staff or support vendor.
Let’s talk about protecting yourself from your people. I know, that sounds a bit harsh, right? Most organizations like to think of their people as one of their greatest assets. This may be true when viewed through the lens of your mission, but when viewed through the lens of cybersecurity, they are your greatest risk, because people tend to make mistakes.
Make sure that multifactor authentication (MFA) is turned on for every single user. Also make sure that it’s required to connect to your VPN. Far too many organizations require MFA for email access but not for VPN, which is the doorway to your network! Ensure employee laptops are encrypted using Windows BitLocker and that screens auto-lock after 15 minutes of inactivity. In addition, if your association uses Microsoft 365, consider paying for the Defender for Office Plan 1 license for each user and turn on Safe Links and Safe Attachments.
Now for your IT staff or support vendor. First, make sure none of them are using administrator accounts as their everyday account. They should use non-privileged accounts for their basic emailing and other work and log in as a privileged administrator only when they have specific administrative tasks to perform. Also ensure they have changed every single default account password that could exist in your environment; skipping this step practically guarantees an attacker an entry point. Make sure they disable accounts as soon as people leave, and that they check for and disable dormant accounts as well.
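A script your IT staff could use to check the three account-hygiene items above in an on-premises Active Directory domain, as an added example that is not part of the original article. It assumes a domain-joined Windows host with the ActiveDirectory RSAT module, a 90-day dormancy threshold, and the default privileged group names; it only reports by default (`-WhatIf`) and disables nothing until someone removes that switch after review.

```powershell
# Added example (not from the original article). Assumptions: ActiveDirectory
# module available, 90 days counts as dormant, and the three groups below are
# the privileged groups that matter in this domain.
Import-Module ActiveDirectory

$InactiveDays     = 90                                           # assumed threshold
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

# 1. Dormant accounts: enabled user accounts with no logon inside the threshold.
#    These are the ones that should have been disabled when people left.
$dormant = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object Name, SamAccountName, LastLogonDate

Write-Host "Enabled accounts with no logon in the last $InactiveDays days: $($dormant.Count)"
$dormant | Format-Table -AutoSize

# 2. Privileged group membership: list every user who holds admin rights.
#    An admin account that also has a mailbox is a sign that someone is using
#    a privileged account for everyday email and work, which is what to avoid.
foreach ($group in $PrivilegedGroups) {
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, EmailAddress |
        Select-Object SamAccountName, LastLogonDate,
            @{ Name = 'HasMailbox'; Expression = { [bool]$_.EmailAddress } }

    Write-Host "`n$group members (recursive): $($members.Count)"
    $members | Format-Table -AutoSize
}

# 3. Disable the dormant accounts, but only in report mode here: -WhatIf prints
#    what would change. Remove -WhatIf once the list has been confirmed with HR.
$dormant | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Run it from an elevated PowerShell session under an account that can read group membership; the `-WhatIf` output is safe to paste into a ticket for the vendor to act on.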
Associations should conduct a vulnerability scan of both their externally visible IP addresses and their internal networks, on a regular schedule that aligns with their size and complexity. After phishing scams, exploitation of known vulnerabilities is the second-leading vector for security compromises. Not only should you have a solid and consistent backup strategy, but you must ensure your backups are stored in a network segment that is not accessible to standard users. If you don’t do this, the next time you get ransomware, you can kiss your data goodbye. Lastly, please ensure all security patches are being deployed weekly. This is fundamental to the health of your organization.
While this is not a comprehensive list, it serves as a good conversation starter with your IT team or vendor. Have them explain all of their cybersecurity hygiene practices against a baseline set of controls. Here’s to cyber health in 2023!