20 Easy Ways Associations Can Secure Their Data and Systems

Posted / 22 July, 2021

Author / Enginess


Associations, nonprofits and other member organizations far too often take comfort in the fact that the majority of reported data breaches are the result of a targeted attack on for-profit businesses and government agencies. However, frankly, that’s a false sense of security.

Associations in particular, and nonprofits in general, amass a huge amount of personally identifiable information (PII) just by serving their members or fulfilling their mission. Credit card numbers, healthcare information, social insurance numbers (SINs), and more are stored in association systems. This means that whether you like it or not, nonprofits and associations are ripe targets for cybercrime.

Which means you had better be ready.

Here’s a crash course in how you can secure data and systems without interrupting your service and without emptying the coffers.


Identify Where Data Breaches Come From

First, let’s get a little perspective. Yes, some hacks are caused by cyber criminals working through back channels for national governments. They are well trained, funded, and equipped.

If you are targeted by this kind of attack, it’s unlikely you’ll be able to prevent it. Fortunately, that is the vast minority of attacks. Most cybercrime is effectively a crime of opportunity: a phishing or spear-phishing attack, an automated scam, or a hardware exploit. It’s not a matter of “We want to hack you” so much as “We want to hack someone, and you’re vulnerable.”

Second, recognize the root cause of cybercrime. It’s usually people.

As Beauceron Security put it, “it’s not a tech problem,” citing research from IBM and Ponemon that 95% of successful cybercrime can be traced back to people. Taken together, these facts point to three obvious conclusions:

  • Cybercrime will happen to you, regardless of whether you think what you have is worth stealing.
  • Cybercrime is overwhelmingly a crime of opportunity and one targeted at the weakest link in the security chain — the actual people involved.
  • Improve attitudes and behaviour towards cybersecurity, and you'll hugely strengthen your organization.

Let’s look at a few specific ways you can do that.


Changing Attitudes and Behaviour

  1. Build a risk assessment plan. Identify weaknesses, and build an action plan to solve them.
  2. Drill your staff. Run a fake phishing scam and see what happens (there’s a great podcast episode about this).
  3. Assign a cybersecurity owner within the technical team. Better yet, hire someone specifically for that role.
  4. Elevate data security to the level of the board, ensuring there is understanding at every level of what the consequences of a breach are.
  5. Review any relevant legislation and ensure that you’re meeting compliance standards. It’s a great best practices starting point.
  6. Beef up your physical security. Scan-in/scan-out passes are an easy solution. Restrict access to any hardware you have. Locking the server cabinet is a simple step.
  7. Create a company password policy, and make following it mandatory for everyone in your organization.
  8. Make expiring shared links the standard in emails rather than attachments. That way, if someone’s email gets hacked, it’s easier to contain the damage.
  9. Cut down on the number of system admins for different programs. Ideally there should be one or two per system.
  10. Ensure that people have access to the data they need — and nothing more.
  11. Build a cybersecurity emergency plan. Does everyone know what to do?
  12. Getting hacked is embarrassing. Make sure you’re fostering a culture of “It’s ok to come forward” if someone has been the victim of an attack or has caused a vulnerability.

Tech Fixes (Because There Are Some Things You Can Do)

  13. Update all your software as soon as possible. If you can automate this, all the better.
  14. Do the same for any hardware you run.
  15. Host your data in the cloud. Ironically, the cloud is generally more secure, because the hardware is better maintained and protected: the work is done by specialists, not generalists.
  16. Require users to connect to your systems over a VPN, and only from secure networks (e.g. not public Wi-Fi).
  17. Require two-factor authentication (ideally via Google Authenticator or a similar tool) on every login.
  18. Periodically review every internal system and external vendor, and map who’s accessing what data. Identify weak vendors and review/update.
  19. Move off open source software, or isolate open source credentials from the rest of your system. For example, the usernames and passwords for your WordPress site shouldn’t be the same as those for your email system.
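Item 8 above depends on shared links that stop working on their own, so a link copied out of a compromised mailbox is worthless once its window has passed. The following is an added example, not code from the original article or from Enginess, showing one way to build and check such a link: the expiry is embedded in a payload that the server signs with an HMAC, so neither the expiry nor the document reference can be altered without the server-side key. The download endpoint `https://files.example.org/d`, the key value, and the function names `make_share_link` and `verify_share_link` are assumptions chosen for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A real deployment would load this from a secrets
# manager or environment variable and rotate it; it must never be committed.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical download endpoint; the path segment after it carries the token.
BASE_URL = "https://files.example.org/d"


def _b64url_encode(data: bytes) -> str:
    """URL-safe base64 without '=' padding, so the token is clean in a URL."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    """HMAC-SHA256 over the encoded payload, keyed with the server secret."""
    return _b64url_encode(hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest())


def make_share_link(document_id, ttl_seconds, now=None):
    """Build a link that stops working ttl_seconds after it is issued.

    The expiry sits inside the signed body, so a recipient (or anyone reading
    a compromised mailbox) cannot extend it without the server key.
    `now` is only overridable to make the behaviour testable.
    """
    issued = int(time.time() if now is None else now)
    payload = {"doc": document_id, "exp": issued + ttl_seconds}
    body = _b64url_encode(
        json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    )
    return f"{BASE_URL}/{body}.{_sign(body)}"


def verify_share_link(link, now=None):
    """Check a link and return (status, document_id).

    status is one of "ok", "malformed", "tampered" or "expired"; document_id
    is only returned when status is "ok". The signature is checked before the
    payload is parsed, so untrusted bytes are never interpreted.
    """
    token = link.rsplit("/", 1)[-1]
    parts = token.split(".")
    if len(parts) != 2:
        return ("malformed", None)
    body, sig = parts
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(_sign(body), sig):
        return ("tampered", None)
    try:
        payload = json.loads(_b64url_decode(body))
        expires, doc = int(payload["exp"]), str(payload["doc"])
    except (ValueError, TypeError, KeyError):
        return ("malformed", None)
    current = int(time.time() if now is None else now)
    if current >= expires:
        return ("expired", None)
    return ("ok", doc)


if __name__ == "__main__":
    # Issue a one-hour link, then show it being accepted and later rejected.
    link = make_share_link("board-minutes-2021-07", 3600)
    print(link)
    print(verify_share_link(link))                          # ("ok", "board-minutes-2021-07")
    print(verify_share_link(link, now=time.time() + 3600))  # ("expired", None)
```

On the server, the only state needed is the key; nothing has to be stored per link. Revoking everything at once (for example after a mailbox compromise) is then a matter of rotating the key, which is a far smaller job than tracking down every attachment that was ever sent.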

Wrap Up

Cybersecurity doesn’t have to be a huge undertaking. Simple precautions like updating your software and hardware, tracking who has access to what data, and streamlining admins and vendors alike will help.

But the most important thing to remember is that at the heart of it, cybersecurity is about people. It’s about people remembering to close the door behind them, using different passwords for each system, and being on guard for phishing emails. Which means that data security is in the business of behaviour change — a much more challenging job than updating some outdated technology.

It’s about building a culture where cybersecurity is understood, threats are recognized, and the process of coming forward is clear and understood. It’s a long, slow, uphill battle. However, if you can change minds, then you’ll be secure for years to come.
