The Strauss Blog

Cyber Attacks and Associations

Scenario: It’s late afternoon on Friday, and you go to check your computer because you are expecting replies from fellow association board members regarding copies of the financials that you sent out the day before. You log in to your account and see that you have received an email from a hacker informing you that they have accessed your email. They inform you that they have been spying on you for a while; they know all your passwords and have complete control over your system. They made a full dump of your disk, meaning they have copies of member files, association financial records, and confidential board documents. They are asking for $2,000 in Bitcoin.

You have been the victim of a cyber attack. Are you protected? How is your association going to be affected by this?

What is a Cyber Attack?

A cyber attack is a deliberate, malicious attempt to breach the computer system of an individual or an organization. Cyber attacks happen every day, and they have been increasing each year as hackers continue to prey on vulnerable systems. Former Cisco CEO John Chambers once said, “There are two types of companies; those that have been hacked, and those who don’t yet know they have been hacked.”

Cyber attacks can happen to anyone or any organization; not only large corporations suffer from data breaches. Small organizations are in fact at an increased risk since they have more limited resources and a cyber attack can easily lead to data losses. Cyber attacks are carried out through the spread of malicious programs (viruses), unauthorized web access, fake websites, and other means of stealing personal or organizational information. The damage of these attacks can be far-reaching.

Common Types of Cyber Attacks

Be aware of the following strategies/approaches that hackers use to gain access to your system:

Malware – this is malicious software, including spyware, ransomware, viruses, and worms. Malware can breach a network because of simple human error. If a user clicks on a dangerous link or email attachment, the installation of risky software will be triggered. 90 percent of malware enters a computer system via email. Once inside the system, malware can do the following:

  • Block access to key parts of the network
  • Install harmful software
  • Install spyware and obtain information by transmitting data from the hard drive
  • Disrupt the system and make it completely inoperable

Hackers can drop ransomware and immediately encrypt all your files. The data will appear scrambled or unreadable and you won’t be able to access or read it. The hacker will likely demand that ransom be paid in bitcoin. Even if ransom is paid, there is no guarantee that your association will recover all its data. Since the hacker has the encryption key, they hold all the cards. They may slowly release your data over time in order to continue collecting ransom.

Phishing – the practice of sending fraudulent emails that appear to come from a reputable source. The goal is to steal sensitive data, like credit card and login information, or to install malware on the victim’s device.

Man-in-the-middle attack (MitM) – these are also known as eavesdropping attacks and occur when attackers insert themselves into a two-party transaction.

Two common points of entry for MitM attacks are:

  • Unsecured public Wi-Fi – attackers can insert themselves between a visitor’s device and the network. Without knowing it, the visitor passes all information through the attacker (examples: unsecured Wi-Fi at a mall or hotel)
  • Once malware has breached a device, an attacker can install software to process all the victim’s information

Denial-of-Service Attack – this attack floods systems, servers or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to fulfill legitimate requests.

For further information on ways to protect your association from these kinds of attacks, please read our other blogs: Internal Data Breaches, Human Error and No-Cost Cyber Security Tactics for Your Association and Increasing Association Cyber Security on a Budget of $0.

Now what?

At this point, you may be thinking that your local IT company can quickly get your computer cleaned up. But what about the confidential association business you were working on? Who has access to those financials now? What about all the other emails that you’ve sent with confidential association information? You may think that the general insurance policy your association carries will cover this issue. Right?! Wrong. In order to have insurance protection against a cyber attack, your association needs to specifically have a cyber risk insurance policy. A cyber risk insurance policy protects associations against digital asset loss, expenses, and reputational damage.

Regardless of whether the association uses an external management company, all associations must have their own cyber risk insurance to be covered in the case of a cyber attack. An association is responsible for its own membership data; if there is a breach, the association is liable. If there has been a breach, the first thing you should do before anything else is shut down your computer and call your lawyer. He/she will advise you on next steps.

All of this may sound very cloak-and-dagger, and you may be thinking that cyber attacks only happen to large organizations that are able to pay large sums of money in order to get their data back. The reality is that cyber crime is big business, and cyber attackers are in the business to make money. While a hacker is dropping ransomware on your computer, they are also dropping it on hundreds of other people’s computers.

A recent survey revealed that 22% of internet users said that their online accounts have been hacked at least once, while 14% reported they have been hacked more than once. In early 2018 Facebook was hacked, exposing the identity information of 50 million users.

Recommended Precautions

Even for associations that take every precaution, cyber crime remains a very real possibility and a serious threat. Unfortunately, cyber attacks are not 100 percent preventable; there is no system that can guarantee that your association is fully protected. Take these precautions to mitigate your association’s risk:

  • Don’t log in to unsecured free public Wi-Fi
  • Pay attention to emails that you receive with attachments. Look at the email addresses closely.
  • Back up your files on your computer
  • Ensure your association has a cyber risk insurance policy