Most association leaders take cybersecurity seriously, but few feel confident that they know how to analyze and address cyber risks. To heighten your cybersecurity awareness and bolster your protection against a breach, experts recommend three practical steps: train staff to identify attacks, assess the risk level of your IT systems, and develop a response plan for an intrusion that is likely inevitable.
Yahoo, eBay, Equifax, Target, Home Depot. When you hear these names together, there’s a good chance you think of one thing: data breaches.
In the last five years, each of these companies suffered a cyber incident, and together they account for some of the largest breaches in history. Breaches of this scale can result in millions in lost revenue and fines, not to mention a big hit to consumer confidence and trust, which may be costlier still.
It’s not just Fortune 500 companies that are susceptible to breaches. Nonprofits, including associations, can also find themselves in the crosshairs of targeted attacks. And that means organizations need to be ready.
“I believe cyber awareness is the essential thing,” says Darrell Poe, senior vice president and chief information officer at the National Association of Broadcasters (NAB). “I think we started on the defensive, and now we are quickly pivoting to the offensive.”
Still, many associations are unprepared to handle threats that grow more sophisticated and numerous by the day. Most CEOs and boards are persuaded that they need to take exposure to cyber risks seriously, but that knowledge doesn’t always translate to necessary action.
ASAE Foundation research indicates that too often cybersecurity is considered an IT problem, not an organizational one. Poe and others are working to change that thinking, making cybersecurity everyone’s responsibility.
In 2014, NAB faced numerous cyber threats that prompted a shift in mindset toward cyber awareness. The organization was in the middle of a cloud migration, which moved email to Microsoft's Office 365.
“At that time, Microsoft was still a little bit in its infancy with some of the security tools that it brought to the table,” Poe says. “We began to see a lot of social engineering and malware attempts. We saw regular phishing attempts, and the volume of it just went way up.”
In a phishing attack, an email is crafted to look as if it comes from a trusted or verified source: a colleague, friend, family member, or a company or service you use often. In fact, it is an attacker's attempt to use what they have learned about you from your digital footprint, social networks included, to trick you into clicking a link or opening an attachment that carries malware. The most common tells are a spoofed or look-alike sender domain, a Reply-To address that differs from the From address, and a link whose visible text does not match where it actually points.
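The tells just described can be checked mechanically before a staff member has to judge a message by eye. The script below is an added example and is not code from the article or from NAB: it parses a raw message with Python's standard `email` package and reports look-alike sender domains, a Reply-To or Return-Path that differs from the From domain, links whose visible hostname disagrees with their destination, and attachment types that commonly carry malware. Both messages are constructed for the example, and `TRUSTED_DOMAINS` is an assumed allow-list that a real deployment would replace with its own.

```python
"""Flag common phishing tells in a raw RFC 5322 message: look-alike sender
domains, a Reply-To that redirects replies elsewhere, links whose visible text
disagrees with their destination, and executable-style attachments."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the organisation owns or routinely receives mail from.
TRUSTED_DOMAINS = {"nab.org", "microsoft.com"}
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".htm", ".html", ".iso", ".zip")

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def domain_of(header):
    """Lower-cased domain of an address header such as From or Reply-To ('' if none)."""
    _, addr = parseaddr(header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def imitates_brand(host):
    """True for a host that embeds a trusted brand label (e.g. 'nab') but is not
    the trusted domain or one of its subdomains, such as nab-org-secure.com."""
    if not host or is_trusted(host):
        return False
    labels = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    return any(label in host.lower() for label in labels)


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means no tell was found."""
    msg = message_from_string(raw, policy=default)
    findings = []

    from_dom = domain_of(msg["From"])
    if imitates_brand(from_dom):
        findings.append(f"From domain {from_dom} imitates a trusted brand")
    # Replies (and bounces) routed to a different domain than the claimed sender.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # Compare the hostname a reader sees in the link text with the real target.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for href, anchor in HREF_RE.findall(text):
        host = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", anchor))
        shown_host = shown.group(1).lower() if shown else ""
        if shown_host and shown_host != host:
            findings.append(f"link text shows {shown_host} but points to {host}")
        elif imitates_brand(host):
            findings.append(f"link host {host} imitates a trusted brand")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXT):
            findings.append(f"risky attachment {name}")
    return findings


# Constructed sample: a credential-phishing message aimed at an NAB mailbox.
SAMPLE = """\
From: "NAB IT Help Desk" <helpdesk@nab-org-secure.com>
Reply-To: recovery@mailbox-verify.example
To: staff@nab.org
Subject: Action required: your mailbox will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your Office 365 password expires today.</p>
<a href="http://login-microsoft.example/reset">https://login.microsoft.com/reset</a>
--b1
Content-Type: application/octet-stream; name="Invoice.zip"
Content-Disposition: attachment; filename="Invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: an ordinary internal message that should produce no findings.
BENIGN = """\
From: "Darrell Poe" <dpoe@nab.org>
To: staff@nab.org
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("phishing sample", SAMPLE), ("benign sample", BENIGN)):
        print(label, phishing_indicators(raw) or "no indicators")
```

These are indicators, not verdicts: a legitimate newsletter can set a different Reply-To, and a look-alike domain check only catches names that embed a brand label. In production the same checks sit alongside SPF, DKIM and DMARC results and a link-rewriting gateway; the value of a script like this is that it turns the awareness training's "look at the sender and hover over the link" advice into something a helpdesk can run on a reported message.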