Cybersecurity: Upping Your Game to Ensure Your Association Stays Safe
Cybersecurity is one of those things we all know we need to care about even if we struggle with the upkeep, like dental hygiene. When we neglect it, it goes bad, and when it goes bad it brings a world of pain and headaches. Much like dental hygiene, cybersecurity is mostly about prevention: the routine habits that keep trouble from starting cost far less than the emergency work once it has. Prevention will not stop everything, though, so an organization also needs to be able to notice when something has gone wrong and respond to it quickly.
It’s important to form good habits that protect your organization and keep breaches at bay. To motivate associations to form those habits, it helps to be clear about what the threats actually are and which strategies best prevent or limit a breach. To that end, we will examine the who, what, why, where, and how of cybersecurity, along with what constitutes basic and advanced prevention measures.
The Who and The Why
Cyberattacks occur when hackers attempt to gain unauthorized access that can be turned into some sort of (often financial) gain. Threats originate from a variety of bad actors in an ever-evolving cybercrime economy, and as long as there is money to be made by stealing or extorting data or committing fraud, there will always be a threat. This is why it pays to remain vigilant and protect your organization.
The “what” of cybersecurity is usually data, or system access that leads to data. This includes proprietary information about the organization’s business and the Personally Identifiable Information (PII) of members, which attackers seek because it can be used for identity theft or payment card fraud.
Sometimes an attacker compromises a workstation as one step in a larger plan rather than for what is on it. A hijacked workstation can serve as a foothold for reaching the rest of the network, or be conscripted into a botnet that carries out a distributed denial-of-service attack (DDoS) against someone else, making a machine or network resource unavailable to its intended users. Alternatively, the attacker can encrypt the workstation with ransomware and demand payment in exchange for returning access to it.
Cyberattacks can come from a variety of places. While a great many threats come from outside, they may also be perpetrated from within your organization: by an employee, by anyone with access to the physical building (such as a cleaning crew), or by anyone with access to key systems (such as a partner who provides technology tools or services). Far too often, organizations have a blind spot to the threat from within.
While it’s important to know the who, why, what, and where, that doesn’t get us anywhere without the how. We need to understand how hackers gain access to our information and systems so that we can identify the best strategies for prevention. It’s worth noting that while methods of attack, and consequently methods of prevention, will evolve, the principles behind cybersecurity largely remain the same.
The weakest link in cybersecurity is people. It is estimated that at least 90 percent of the potential threats your organization faces will involve some level of social engineering (Webtribunal, 2023). So it’s important to prepare your staff for threats of this kind through training, simulated phishing campaigns, and other follow-up conversations.
The goal is to develop an organization-wide culture of security awareness so that staff are prepared to make the right judgment calls in the face of an attack. Staff should be trained to check where a link actually leads before clicking it (hovering shows the real destination, which often differs from the text displayed), to avoid suspicious websites, to refuse to give out sensitive information to anyone who calls or emails asking for it, and, whenever in doubt, to confirm the request through a separately known channel, such as a phone number from the staff directory rather than the contact details in the message itself.
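The “hover over the link” habit can also be automated. The following is an added example (not code from the original article): it pulls every link out of an HTML email and flags the tells a trained reader looks for, such as visible text that names one domain while the href points to another, a look-alike domain, a raw IP address, plain http, or a punycode hostname. The sample email and the domains in it are constructed for the example.

```python
"""Flag e-mail links whose visible text does not match their real destination.

Added example, not from the original article. SAMPLE_EMAIL_HTML is
constructed input: one honest link, one whose text lies about the
destination, one look-alike domain, and one punycode host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL_HTML = """
<p>Your membership renewal is due.</p>
<a href="https://portal.example-association.org/renew">Renew now</a>
<a href="http://198.51.100.23/login">https://portal.example-association.org/login</a>
<a href="https://portal.example-assocation.org/login">portal.example-association.org</a>
<a href="https://xn--pple-43d.com/verify">apple.com</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _with_scheme(url):
    return url if "://" in url else "http://" + url


def host_of(url):
    return urlparse(_with_scheme(url)).hostname or ""


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); real code should use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def text_looks_like_url(text):
    return bool(re.match(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/|$)", text, re.I))


def check_link(href, text):
    """Return the reasons this link deserves a second look (empty list if none)."""
    reasons = []
    real_host = host_of(href)
    if not real_host:
        return ["no parsable host in href"]
    if any(label.startswith("xn--") for label in real_host.split(".")):
        reasons.append("punycode hostname")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real_host):
        reasons.append("raw IP address instead of hostname")
    if urlparse(_with_scheme(href)).scheme == "http":
        reasons.append("plain http")
    if text_looks_like_url(text):
        shown_host = host_of(text)
        if registrable_domain(shown_host) != registrable_domain(real_host):
            reasons.append(f"text shows {shown_host} but href goes to {real_host}")
    return reasons


def audit_email(html):
    """Map each href in the message to its list of warnings."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", reasons or "ok")
```

Run against the sample, the honest renewal link comes back clean, the IP-address link collects three warnings, the misspelled domain is caught by the text/href mismatch, and the punycode link is flagged twice. A check like this belongs in a mail gateway or a “report phishing” workflow, not in place of training: it catches the mechanical tells, while staff still have to judge the request itself.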
It’s worth noting that social engineering is often just the opening move through which hackers deliver other attacks. For example, a hacker might gain access to an organization’s network through the mistake of an employee and then install ransomware or other malware to carry out the planned attack. So, while your organization needs other layers of defense against such attacks, staff training is essential for closing the gap through which they most often arrive. At the end of the day, cybersecurity is everyone’s job; a clear policy that provides guidelines, combined with staff who are kept educated about current threats, goes a long way toward shoring up your digital defenses.
Attacks on passwords are less common than social engineering but still routine, and they rarely involve “cracking” in the brute-force sense: attackers replay credentials leaked from other sites or spray a few common passwords across many accounts. Users therefore need to be taught to avoid passwords built from common words or personal details, to prefer long passphrases over short “complex” ones, and above all never to reuse a password across two platforms or accounts, since one breach elsewhere otherwise unlocks your systems. A solid password manager makes strong, unique passwords practical for staff to maintain.
Organizationally, you should implement multi-factor authentication wherever possible; it blocks most credential-based attacks even when a password has leaked. You should also lock accounts for a period after repeated failed login attempts and alert someone when logins fail for accounts with elevated access, such as network administrators.
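The lockout and alerting rules above are straightforward to implement as a check over authentication logs. The following is an added example, not code from the original article: it reads sshd-style log lines, locks an account after a threshold of failures inside a sliding time window (a successful login resets the count), and raises an alert on any failed login against a privileged account. The log lines are constructed samples, and the threshold, window, admin list, and log year are assumptions an organization would set for itself.

```python
"""Lockout-after-N-failures and privileged-account alerting over auth log lines.

Added example, not from the original article. SAMPLE_LOG is constructed
sshd-style input; MAX_FAILURES, WINDOW, PRIVILEGED and LOG_YEAR are assumed
policy values, not anything the article specifies.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar 12 09:00:01 host sshd[1]: Failed password for alice from 203.0.113.5 port 5001 ssh2
Mar 12 09:00:07 host sshd[1]: Failed password for alice from 203.0.113.5 port 5002 ssh2
Mar 12 09:00:15 host sshd[1]: Accepted password for alice from 198.51.100.7 port 5003 ssh2
Mar 12 09:01:00 host sshd[1]: Failed password for netadmin from 203.0.113.9 port 6001 ssh2
Mar 12 09:01:10 host sshd[1]: Failed password for bob from 203.0.113.5 port 5004 ssh2
Mar 12 09:01:20 host sshd[1]: Failed password for bob from 203.0.113.5 port 5005 ssh2
Mar 12 09:01:30 host sshd[1]: Failed password for bob from 203.0.113.5 port 5006 ssh2
Mar 12 09:01:40 host sshd[1]: Failed password for bob from 203.0.113.5 port 5007 ssh2
Mar 12 09:01:50 host sshd[1]: Failed password for bob from 203.0.113.5 port 5008 ssh2
Mar 12 09:20:00 host sshd[1]: Failed password for carol from 203.0.113.11 port 7001 ssh2
Mar 12 09:40:00 host sshd[1]: Failed password for carol from 203.0.113.11 port 7002 ssh2
Mar 12 10:00:00 host sshd[1]: Failed password for carol from 203.0.113.11 port 7003 ssh2
Mar 12 10:20:00 host sshd[1]: Failed password for carol from 203.0.113.11 port 7004 ssh2
Mar 12 10:40:00 host sshd[1]: Failed password for carol from 203.0.113.11 port 7005 ssh2
"""

MAX_FAILURES = 5                   # assumption: lock after 5 failures ...
WINDOW = timedelta(minutes=15)     # ... that fall within 15 minutes
PRIVILEGED = {"netadmin", "root"}  # assumption: accounts that alert on a single failure
LOG_YEAR = 2024                    # assumption: syslog lines carry no year

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line):
    """Return (timestamp, failed, user, ip) or None for lines that are not logins."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Failed", m["user"], m["ip"]


def analyze(log_text, max_failures=MAX_FAILURES, window=WINDOW, privileged=PRIVILEGED):
    """Return (lockouts, alerts).

    lockouts: {user: timestamp of the failure that tripped the threshold}
    alerts:   messages for failed logins against privileged accounts
    """
    recent = defaultdict(deque)  # user -> failure timestamps still inside the window
    lockouts, alerts = {}, []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, failed, user, ip = parsed
        if not failed:
            recent[user].clear()  # a successful login resets the counter
            continue
        if user in privileged:
            alerts.append(f"{ts:%H:%M:%S} failed login for privileged account {user} from {ip}")
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= max_failures and user not in lockouts:
            lockouts[user] = ts
    return lockouts, alerts


if __name__ == "__main__":
    locked, alerted = analyze(SAMPLE_LOG)
    for user, when in locked.items():
        print(f"LOCKOUT {user} at {when:%H:%M:%S}")
    for msg in alerted:
        print("ALERT", msg)
```

On the sample, bob is locked out at 09:01:50 (five failures in under a minute), alice is not (two failures followed by a success), carol is not (five failures spread over an hour and a half, so never five inside one 15-minute window), and the single failure against netadmin produces an alert immediately. The same logic applies to Windows event 4625 or a web application’s login audit table; only the parser changes.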
Ransomware And Other Malicious Software
Hackers can install ransomware and other malicious software through a variety of means. Whether they get onto a network through social engineering or with stolen or guessed credentials, once on a device they can use it to extract data, cut off access to the network, threaten to withhold access or publish the data, or pursue a variety of other nefarious ends. Again, a heightened sense of awareness among staff, combined with standard technical tools (antivirus or endpoint protection, strong spam filters, prompt patching, and backups that are kept out of reach of anyone on the network and regularly restored from to prove they work) will help keep things safe.
The keys to strong cybersecurity: prevention, mitigation and remediation
Associations should strive to create a strong culture of threat awareness among staff, provide a clear cybersecurity policy to follow, and maintain effective, up-to-date cybersecurity tools. However, even the best defenses are sometimes breached; that’s why it’s important to carry cybersecurity insurance to transfer some of the financial risk.
Associations should be aware that insurance carriers have tightened their requirements for coverage. In addition to the technical defenses mentioned above, applicants are typically required to establish and maintain written policies showing that access controls are in place, systems are routinely updated or patched, and backups are regularly tested. Carriers may also require that the association’s disaster recovery plan spell out detailed responses to specific cyber threats. Thinking through beforehand how to respond to an attack will not only prepare you should the unthinkable happen, it will also prove to your insurance carrier that you are ready to act if need be.
While cybercrime isn’t going away anytime soon, there are certainly steps you can take to ensure that your organization’s data assets remain protected. By engaging in an ongoing effort that involves both technical tools and human effort, you can protect your organization against the multitude of threats it faces every day. However, like flossing, it’s by no means a “one and done” exercise—it requires constant vigilance and attention.