October is National Cyber Security Awareness Month.
The purpose of this article is to make you aware of prioritized, doable, no-cost steps that make your association’s computers and network safer from cyber-attack.
Learning from the Equifax Hack
One-half of adults in the United States, and 100,000 Canadians, had their personal identifiable information (PII) stolen when Equifax’s cyber security was breached.
PII includes a person’s Social Insurance Number (SIN), date of birth, and log-in information for your association’s website, including the password, which may be the same password used to log in to other websites.
It has been reported that the Equifax attack was successful because not all of Equifax’s hardware was updated.
Getting Started
The following are some no-cost, high-impact cyber security practices:[1]
1. Educate yourself and your staff about cyber security threats.
Kaspersky has published online a list of “Top 10 Tips for Educating Your Employees About Cyber-Security” that focuses on threats inside your association.
Your first step should be to talk with your staff regularly about cyber security. My recommendation for the first session is teaching how to recognize phishing emails.
“PhishMe tested about 1,000 of its customers worldwide by sending them more than 40 million simulated phishing emails over the course of 18 months; it concluded that phishing causes the vast majority of cyberattacks — an estimated 91% of them.”[2]
2. Make a list of all internet-connected devices used by your association. You can do this with a multipurpose network scanner such as Zenmap.
If a wireless router is on this list, check the router to see which devices are connected to it, and make sure access to the router is protected by a “strong” password made of a random mix of letters, numbers, and special characters. Change it regularly.
If you have a visitor, you can give him/her secure Wi-Fi by sharing your association’s network as a “guest” network, i.e. one with its own, different password. You can set different access options for guest network users, which is very effective at protecting the security and privacy of your main network.
If the Wi-Fi router you use cannot support two different passwords, then do not give visitors the equivalent of a set of master keys to all the doors in your office.
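A small Python script, added here as an illustration and not part of the original article or of Zenmap/Nmap, that parses the normal output of the `nmap -sn` ping sweep Zenmap runs under the hood and flags any device whose MAC address is not on your association’s authorized list. The scan text and the authorized-device list are constructed samples, not a real network.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of "nmap -sn 192.168.1.0/24" normal output; not a real network.
SAMPLE_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for router.lan (192.168.1.1)
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:55 (Example Router Co)
Nmap scan report for 192.168.1.37
Host is up (0.0050s latency).
MAC Address: AA:BB:CC:DD:EE:FF (Unknown)
Nmap scan report for reception-pc.lan (192.168.1.20)
Host is up (0.0031s latency).
MAC Address: 66:77:88:99:AA:BB (Example PC Maker)
Nmap scan report for 192.168.1.50
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.51 seconds
"""

# Hypothetical authorized-device inventory, keyed by MAC address.
AUTHORIZED: Dict[str, str] = {
    "00:11:22:33:44:55": "office router",
    "66:77:88:99:AA:BB": "reception PC",
}

HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) \((?P<vendor>[^)]*)\)")


def parse_scan(text: str) -> List[dict]:
    """Turn nmap's normal output into one record per host that answered."""
    hosts: List[dict] = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:  # a new host block starts; the MAC line (if any) follows it
            hosts.append({"ip": m["ip"], "name": m["name"], "mac": None, "vendor": None})
            continue
        m = MAC_RE.match(line)
        if m and hosts:
            hosts[-1]["mac"] = m["mac"].upper()
            hosts[-1]["vendor"] = m["vendor"]
    return hosts


def unknown_devices(hosts: List[dict], authorized: Dict[str, str]) -> List[dict]:
    """Hosts whose MAC is missing from the inventory, or was not seen at all
    (nmap prints no MAC for the scanning machine itself or for routed subnets)."""
    return [h for h in hosts if h["mac"] not in authorized]


def report(text: str, authorized: Dict[str, str]) -> List[str]:
    """One human-readable line per device that needs a follow-up."""
    out = []
    for h in unknown_devices(parse_scan(text), authorized):
        why = ("no MAC seen (scanning machine or routed subnet; verify manually)"
               if h["mac"] is None else f"MAC {h['mac']} ({h['vendor']}) not in inventory")
        out.append(f"{h['ip']}: {why}")
    return out
```

Run it after each sweep and review every line it prints; a device you cannot account for is either missing from your list or does not belong on the network.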
3. Create an inventory of all software that is running on your systems and on the web/in the cloud.
Having a list of the software being used will help to ensure patches and updates are installed.
AppLocker is a no-cost Microsoft Windows tool that “helps you control which apps and files users can run. [It can also] dictate the use of only licensed software, so you need to prevent users from running unlicensed software and restrict the use of licensed software to authorized users—[plus, it can reduce] the threat of malicious software being introduced into your environment.”[3]
4. Prepare for cyber-attack recovery, because it is no longer a question of if you are going to have a cybersecurity event, but when.
- A recovery plan includes making and managing backups. Backups are one of the best ways to secure your data and to recover after a cyber-attack.
“A Dropbox Basic account is free and includes 2 GB of space. You can download free apps to access Dropbox from your computer and mobile device.”
- Regularly test that every computer is being backed up and that you can restore your system from the backups.
Our office uses Egnyte to sync our files automatically. One feature of this US$8.00 per user per month solution is that you can receive daily reports of when a computer is not being backed up.
- Have a system in place that defines who to contact if an incident occurs.
Parliament recently enacted the Digital Privacy Act; its provisions are not yet in force.
“The primary objective of the new data breach reporting and notification framework in PIPEDA is to prevent or mitigate the potential harm to individuals resulting from a breach… [It will require] organizations to notify third parties of a potentially harmful data breach if the organization making the notification believes that the third party may reduce or mitigate the potential harm…
When these provisions come into force, [you] will be required to notify individuals if there is a real risk of significant harm as a result of a breach of an organization’s safeguards.”[4]
As an association management company, we present the above article for informational purposes only. It constitutes general information and does not constitute legal, insurance, or other professional advice.
[1] Adapted from the Center for Internet Security’s Guide to the First 5 CIS Controls (retrieved September 29, 2017).
[2] xantrion.com/blog/training-your-employees-to-recognize-phishing-emails-works (retrieved October 2, 2017).
[3] docs.microsoft.com/en-us/windows/device-security/applocker/applocker-overview (retrieved October 2, 2017).
[4] ic.gc.ca/eic/site/smt-gst.nsf/end/sf11177.html#s3.5 (retrieved October 2, 2017).