“It’s no longer if you are going to have a cybersecurity event, it is when.”
This grim prediction comes from the co-author of the Guide for Cybersecurity Event Recovery published by the US Department of Commerce’s National Institute of Standards and Technology.
What is Cyber Risk
“Cyber risk means any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems,” according to the Institute of Risk Management.
“Any risk” means that your association is responsible if a cyber event impacts it:
- Directly, such as business interruption, damaged systems; this is called first party liability
- Indirectly,such as an angry member who sues for the loss, misuse or breach of personal data; this is called third party liability
“Any risk” also literally includes events such as conferences, meetings where information is gathered about attendees—including events where your members are invited to bring a guest.
Who Needs Cyber Insurance
Your association may need cyber insurance if it:
- Stores personally identifiable information about your members on a computer; a computer does not have to be connected to the Internet for information to be stolen or misused;
- Uses association management software where personally identifiable information about your members is stored.
If the software solution provider’s site is hacked, then your association can be sued; cyber insurance will cover the legal fees;
- Allows members to make payments using, what you believe to be, a “secure” payment processer;
Again, your association can be sued.
If your association allows members to fax or telephone-in credit card information, and does not immediately destroy the information, then either stop this practice or invest $50 in a cross-cut paper shredder or contract with a shredding service.
Allowing or encouraging members to send credit card information using messaging technology (email, instant messaging, etc.) violates the agreement your association has with your credit card processor. This means that if the credit card information is used improperly, your association has no insurance of any kind.
Educate Your Employees Now
It is estimated that 95% of security incidents are caused by human error—these “humans” are your employees—educate your employees and volunteers now, to protect your association from a cyber event.
The Government of Canada has a website dedicated to cyber security where you can “learn about the potential risks of your online activities and how you can stay safe when you are connected.”
One of their downloadable publications is Cybersafe, a Cyber Safe Guide for Small and Medium Businesses.
Small Business Information Security: The Fundamentals, published by the National Institute of Standards and Technology, is a “reference guideline about cybersecurity for small businesses. This document is intended to present the fundamentals of a small business information security program in non-technical language.”
This guide has easy to understand chapters on:
- How an information security program can be implemented;
- Key actions that your association can take to develop or improve their information security and cybersecurity ;
- Identifying several key practices directed towards users that can be implemented immediately to protect your association’s hardware systems and your members’ information.
The publishers of the “Dummies” series of books offers a no-cost special edition e-book Cybersecurity for Dummies.
Don’t Forget to Educate Your Volunteers Too
Often the registration desks at your association’s meetings, conferences, and professional development events are staffed in-whole or in-part by volunteers.
So, don’t forget to educate them—and ideally set-up registration systems that limit their access to your event management software data.
If people who register onsite complete handwritten personal information that a volunteer inputs into a computer, you might also want to have a portable paper shredder, instead of a garbage can.
Tactics to Reduce Your Cyber Risk
Nothing you do is guaranteed to prevent cyber risk, but the following prevention tactics will increase your level of protection:
- Obtain a Certificate of Cyber Insurance for any contracted-out computer applications to third party service providers (e.g. cloud services, payroll services, web hosting, etc.)—plus, make sure that you ask for this information every year.
- If a third-party service provider has this insurance, then it is likely that they have demonstrated to their insurance provider that they have network security policies and procedures in- place.
The following are examples of the type of policies and processes a cyber insurance provider requires:
- A formal program and place to test and/or audit network security controls;
- A documented procedure in place detailing the creation and regular updating of passwords used by your staff and your third-party service providers (e.g. third-party IT service providers—plus, but not limited to—cloud-based and third-party software providers).
- Examples of these procedures include automatically expiring passwords, preventing the reuse of passwords and the requirement for passwords to contain the minimum number of letters, numbers and special characters;
- Terminate computer access and user accounts whenever a person ceases to be an employee;
- Firewall technology for all servers and desktop computers;
- Intrusion detection software to detect unauthorized access to internal networks and computer systems that are tested regularly;
- If remote access can your network, then it is allowed only by way of a Virtual Private Network (VPN);
- Encryption of confidential, personal, financial or health information about the members of your association—not only on networks and servers, but also on portable storage devices.
As an association management company, we present the above article for informational purposes only. It constitutes general information and does not constitute legal, insurance, or other professional advice.