How to Protect Your Association From Cybersecurity Threats
Associations might assume that their small size makes them far less attractive to cybercriminals and less vulnerable to attacks — that’s a dangerous view to hold.
Between 50% and 70% of ransomware attacks target small and medium-sized organizations, Secretary of Homeland Security Alejandro Mayorkas said in May. In these attacks, cybercriminals use malware to take over and encrypt an organization’s files and data, and hold them until the organization pays to have them released.
The consequences can be devastating. As of May 2021, almost a quarter of small businesses had suffered at least one cyberattack over the previous 12 months — with each attack costing an average of $25,000, according to specialist insurer Hiscox. “Small business can mean big business for cybercriminals,” Meghan Hannes, Cyber Product Head for Hiscox, said in a press release. “We know the financial impacts of cyberattacks can be substantial, and small businesses are increasingly feeling ‘cyber stress.’ The good news is, there are measures businesses can take to help mitigate the risk.”
Hiscox’s recommendations are threefold: prevention, detection and mitigation. Prevention includes educating all employees and having a formal cybersecurity budget in place. Detection includes ongoing monitoring of all critical networks, tracking violations and generating alerts through both automated monitoring and manual logging. For mitigation, Hiscox advises associations to create a response plan that covers all incidents. That requires associations to have specific roles and responsibilities clearly defined before an incident occurs. Organizations should regularly review response plans to integrate emerging threats and revisit best practices.
Risk on the Rise
As the COVID-19 pandemic forced associations to quickly transition from office to remote work, it also created new vulnerabilities to attacks. Associations, like the rest of the business world, entrusted at-home networks with protecting sensitive information, exposing the organization to phishing, invasive malware and password theft. “Many organizations transitioned successfully and without major business impact, but there’s been a significant security risk that threat actors very quickly took advantage of,” says Simona Rollinson, CTO of ISACA, a global association focused on IT governance, based in Schaumburg, Illinois.
For their part, cybercriminals have taken advantage of outdated VPNs and unsecured home networks. They know that smaller organizations typically have fewer resources devoted to IT security.
In the early weeks of the pandemic, cybercrimes reported to the FBI increased more than threefold. Additionally, between July and October of last year, there were over 3.3 million network attacks — a 90% increase over the same period in 2019, according to WatchGuard Technologies.
It’s not that associations face inherently different threats than other organizations, Rollinson points out. It’s that all organizations have become more exposed. “Everybody is moving to the cloud, and there are more threat actors, so sophisticated cybersecurity is the new normal,” she says. “COVID-19 really expanded the perimeter, and remote work is now the norm.”
In this new normal, associations should ask themselves what and where are their most valuable assets (“their crown jewels,” as Rollinson calls them), what are the entry points to those assets, and, crucially, what is the organization’s risk appetite.
There is no magic number for the right cybersecurity budget, Rollinson says. Instead, the association needs to identify both its risk appetite and how much it’s willing to spend to defend it.
Boards tend to put pressure on associations around metrics, asking how much other associations like theirs are spending on cybersecurity, Rollinson notes. “But that’s most likely not the right question,” she says. “It all starts with prioritizing the assets you’re protecting — the people, the intellectual property, the reputation — and how much you’re willing to spend to protect each.”
For example, one of ISACA’s crown jewels is its frameworks. “If somebody were to question the credibility or value of this intellectual property, that would be detrimental to ISACA and our products, so this risk has a higher value than other types of risks. That is why we heavily prioritize safeguards to mitigate legal, privacy and other risks that could impact our reputation as a world-class learning organization.”
Organizations, like individuals, tend to answer the question of risk tolerance in extremes: Either they don’t want to accept any risk at all, or they accept all risk. An association’s board and senior leadership must do the hard work of determining their assets and their risk tolerance. “It’s not an easy or straightforward process. If it were, everybody would do it,” Rollinson says. “It’s about identifying the risks as they’re related to the assets (tangible or intangible) and figuring out the controls that will protect them.”
Developing an Action Plan
There are some controls that every association should have in place to build a strong, consistent security foundation. These include mobile security, end-user computing and the systems that protect network, gateway and cloud security. All associations need foundational security hygiene such as security patching, VPN upgrading and basic blocking and tackling. Writing in Inc., business consultant Larry Alton advised smaller organizations to take similar steps and outlined others, such as keeping multiple data backups and segmenting and limiting employee access to systems and data. With cloud computing, for instance: “It’s all about keeping cloud-based infrastructure, applications and data secure,” he wrote. “It’s important to choose cloud platforms and applications that offer the highest level of security available and have built-in safeguards to protect against vulnerabilities.”
However, the tools are the easy part, Rollinson cautions. “The more difficult part is the processes and the people that will implement those tools. Who will use those tools, and are they going to use them in a repeatable fashion?”
This points to one of the most critical and perhaps most overlooked aspects of cybersecurity: It’s not just about technology, it’s also about people.
Associations tend to rely on individuals who use manual processes that they often keep in their heads. Those processes aren’t automated or repeatable. “Many times associations, because they’re so small, don’t invest enough in automation,” Rollinson says. With limited resources, associations also tend not to invest in trusted IT advisers.
That can lead to what Rollinson considers the largest risk: “not doing it consistently.” If an association implements controls on 85% of its endpoint computers, for instance, it leaves the other 15% exposed. “Doing a lot of things but none too well is the biggest danger of cybersecurity,” she says.
Associations should ramp up security awareness and education, Rollinson advises. “Especially when you have remote workers and users, I recommend increasing the amount of security education because the biggest vulnerability is actually people, not tools,” Rollinson says.
A related question associations should answer is whether they want to take on cybersecurity themselves or outsource it. Managed services can work well for SMBs, Rollinson notes, but that requires its own set of skills, like how to manage third-party vendors and form legal agreements with them.
“There is no panacea,” Rollinson says. “I am generally a fan of utilizing managed security service providers (MSSPs) for small and midsize enterprises due to the shortage of cybersecurity talent. Having said this — this strategy is not without difficulty. There is no one-size-fits-all cybersecurity vendor. Most likely there will be a mix of areas where an MSSP can replace existing internal programs and hone some vendor management skills to limit liability by including good service-level agreements.”
Whether they handle cybersecurity in house or not, all associations must have one thing in place: someone at the leadership level who has formal responsibility for security. “It can’t be something you do in your spare time,” Rollinson says. “You need to have a commitment to security within the organization, and you need to have this responsibility at a fairly high level.”
Check out Simona Rollinson’s 2020 SmartTech Opening Keynote session on how technology isn’t a substitute for strategy.