One in four security breaches are caused by human error, according to IBM’s 2016 Cyber Security Intelligence Index. Could one person’s error cause a breach that would affect 100% of your association’s members?
Unfortunately, there is no way to prevent human error, but you can use these helpful tips to protect your association and its members.
You can minimize the impact of a potential internal data breach resulting from human error, and of a successful external attack on your data.
Types of Sensitive Data for Associations and Best Practices
What inspired me to write this article was an email containing over four pages of membership list information, including member names and email addresses, followed by a message three lines long.
Unfortunately, there is no way to prevent a person from putting an electronic mailing list on the “CC” line instead of the “BCC” line. However, there is a way of protecting your association’s most sensitive data from being sent in error.
Know Your Data: What Information Does Your Association Store?
The first step in protecting your association’s sensitive data is knowing what information is stored in your association’s files.
Knowing what is stored, and where, is important because you cannot defend what you do not know about, nor can you defend every file, database, and folder equally.
Our office uses a file sharing solution provided by Egnyte that is like Dropbox. Our Egnyte system features a great add-on called Egnyte Protect, a relatively new solution that “looks for sensitive information in your files, based on what you deem to be sensitive.”
We used Egnyte Protect to create a list of files that potentially contain sensitive information and assigned a one-to-ten “risk level” score to each file. Almost all the types of files identified as potentially containing a high-risk level of Personally Identifiable Information had a lot in common:
- Membership and contact lists with more than a name and address (for example, birthdates). The auto body shop, whose services I use too often, sends me a birthday card each year. Legally, if that list were hacked, they would have to notify the Office of the Privacy Commissioner and every person on that list (companies offering cyber insurance estimate the cost of contacting each person at over $125).
- Older membership renewal forms and conference registration lists that contained credit card numbers.
- Many miscellaneous old files.
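The kind of scan described above, reduced to its essentials, as an added example (this is not Egnyte Protect’s code, and the patterns, weights and sample file contents are constructed for illustration): it looks for the three things the list above has in common, mailing-list volumes of email addresses, birthdates alongside contact data, and Luhn-valid credit card numbers, and turns them into a one-to-ten risk level.

```python
import re

# Patterns for the categories the scan above turned up (constructed example).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
DATE_RE = re.compile(r"\b(?:19|20)\d{2}[-/]\d{2}[-/]\d{2}\b")   # ISO-style birthdates
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")                 # card-like digit runs

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out member numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_cards(text: str) -> int:
    """Count 13- to 16-digit runs that pass the Luhn check."""
    found = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found += 1
    return found

def risk_level(text: str) -> int:
    """Score 1-10: bare contact lists score low, birthdates and card numbers high."""
    emails = len(set(EMAIL_RE.findall(text)))
    dates = len(DATE_RE.findall(text))
    cards = count_cards(text)
    score = 1
    if emails >= 10:          # a mailing list rather than a single correspondent
        score += 2
    if emails and dates:      # contact data plus birthdates: a notifiable breach
        score += 4
    if cards:                 # any card number is high risk on its own
        score += 7
    return min(score, 10)

# Constructed sample contents standing in for the file types listed above.
SAMPLE_MEMBER_LIST = "\n".join(
    f"member{i}@example.org,Member {i},1980-01-{i + 1:02d}" for i in range(12))
SAMPLE_RENEWAL_FORM = "Renewal 2012\nName: A. Member\nCard: 4111 1111 1111 1111\n"
SAMPLE_AGENDA = "Board meeting agenda\nContact: chair@example.org\n"
```

Running `risk_level` over each file in a shared folder gives the same kind of triage list: the old renewal form with a card number scores 8, the member list with birthdates 7, and a plain meeting agenda 1.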
Suggestions:
- If you use folders organized by date, then password-protect all older folders.
- Delete old files that you no longer need, using the AMC Institute’s (formerly the Association Management Company Institute) Sample Records Retention Schedule. “This checklist is for your guidance only and should be modified to accommodate any special agreements or requirements of your organization.”
- If you are paying for off-site storage, you can use the checklist to ensure the required files are destroyed, which will also help reduce your storage bill.
- If your association accepts credit card information by email, stop doing it.
Protecting Your Association’s Data
You can protect files and folders that could contain Personally Identifiable Information with strong, frequently changed passwords, and limit access to those passwords on a need-to-know basis.
If you must send this information electronically outside your office, you can easily encrypt your email attachments. Encryption requires you to choose a password and then share that password separately by telephone or fax.
No-Cost Cyber Security Suggestions for Your Association
- Change all your association’s passwords regularly.
- Change all the passwords a departing employee used or had access to immediately after saying “good-bye” to him or her.
- Do not write down passwords; instead, use a password manager. PC World has reviewed the best password managers of 2018 and the best free password managers.
- Read Kaspersky’s list of cyber security best practices.
The Harvard Business Review November 2017 article, provocatively titled “More Training Won’t Reduce Your Cyber Risk,” concludes: “It would be silly to aim for or promise perfect security. Instead, these suggestions…not all [of which] will be appropriate for every situation or user, but together, they go a long way towards giving the human a hand to improve cybersecurity.”