
Managing Risk: An Interview with Joseph Saracino, Jr.

Club Trends sat down recently with Joseph Saracino, Jr., CEO of Cino Limited Companies, which provides cybersecurity education and risk management services. The private club industry is an important segment of the broader market that Cino serves.

Jim Fisher (JF): What trends are you seeing in the cyber security space?

Joseph Saracino (JS): Compliance issues. Many states have agencies focused on compliance. Here in New York, the Department of Financial Services has just enacted privacy and data compliance as of the first of March, which means that all of the banking industry that deals in New York state—all the banking industry, real estate agents, mortgage brokers, financial brokers, insurance companies, agencies and agents—all come under the Department of Financial Services. They now have compliance standards that require them to demonstrate that their data is being protected. There are certain processes that everyone has to perform in order to make sure, and then attest to the fact, that they are doing the necessary things that come under this compliance regulation. Vulnerability assessment is now part of the compliance. People need to know what level of security they are at and where they stand as an entity.

JF: Does your firm go into clubs and conduct a vulnerability assessment?

JS: Yes, we’ve done that for a variety of clubs. A vulnerability assessment is our first step to let you know where you stand.

We have our own hacking teams that are certified ethical hackers that do what’s called a penetration test. They act like a hacker and you are subjected to an attack.

JF: Most private club websites are password protected. Would your team of hackers see if they could breach that first layer?

JS: Yes. We do that not only externally, but we also conduct an internal penetration test, an internal scanning. In our vulnerability assessment program, we examine the entire environment.

JF: What do you mean “internally”?

JS: Let’s say you have a disgruntled worker who wanted to get into the administrative sectors or financial sectors of your organization. There are ways to do that because they often have administrative rights and email access. We test vulnerabilities to determine if there are weaknesses that an internal worker could get to. We want to expose that.

JF: I am at a university and we have to change our network password every six months. We also practice two-factor authentication, in which if I sign in from a remote location onto the network, I have to access a code from my cell phone. Is that now a best practice?

JS: Passwords should be changed more frequently than every six months. We recommend every 90 days. I call this the inconvenience of cybersecurity.

Two-factor authentication is definitely a best practice. We look at a range of best practices from NIST (Cybersecurity Framework) and ISO (27001), two leading resources for managing information security. There are a lot of agencies that have set up best practices, and we take a cross section of those so we can keep on top of that experience curve. The landscape on cyber changes every day.

JF: What about physical security?

JS: That’s part of our assessment as well. We always look at the environment—the access points. We look at what organizations are doing, including how they shred paper and position cameras.

There are a lot of different elements. For example, you’ve got to have a good camera. Some people just do it for appearances, what we call security theater. Security theater is essentially saying, “Well, we got them up there, so it looks pretty good, and we’ve covered that base.” But it doesn’t really do the job. You have to make sure you’re able to capture a clear image because if you can’t see it, then what’s the sense?

JF: What else do you consider in assessing physical security?

JS: We look at people—obviously the end user—whether it’s an employee at a desktop or an employee that’s coming in and out of the liquor cabinet. You always have to look at who you’re hiring and how you’re hiring. Most clubs see the value of background checks and do that on a fairly consistent basis. Drug testing is increasingly part of the rules and regulations related to how you set up club HR policies.

JF: What about facilities and grounds?

JS: Access is important. We will look closely at access roads, whether or not you have a guarded facility or security measures using access control cards. We see biometric systems that identify individuals that should or should not be on the premises. Arming security guards is now on the table.

JF: With so many issues at play, where does a club start or continue to move forward?

JS: The key is to address it on a consistent basis as part of the fabric of club life. Club safety should be addressed or assessed periodically—at the very least once a year. The costs are often more affordable than what clubs expect. I would rather have someone start somewhere, than never start because they feel it’s out of reach or they didn’t know where to start.

Club Trends Summer 2017