PHILIP NEWMAN of RSM, the tax, audit and consulting firm known in clubs for perspicacity, expresses concern that many clubs are unprepared concerning data security.
“Overall I don’t think most clubs do enough in this area—particularly in the area of employee training. Something we do as part of our internal staff training, and that I’ve seen more progressive clubs do, is launch phantom phishing emails to employees—they aren’t really harmful but are designed to see which employees click on the links (exposing the club to cyber risks). Those who click on the link are then subject to more training.”
Newman advises club directors to consider four steps that will improve the club’s defensive posture against theft of private information and data:
- Execute a security assessment. These probes can be conducted by local IT professionals or outsourced to network management companies or network security specialists. Newman notes that an effective security assessment evaluates all aspects of the club’s computer systems: servers, switches, firewalls, desktop units, server and desktop software, communications software, anti-malware software, and network design and configuration.
- Maintain capable security monitoring. The shelf life of most security controls is short because network threats change rapidly, so club directors should treat privacy and data security as an all-the-time priority rather than a one-off project. According to Newman and RSM, monitoring includes identifying attempts to access the network by unauthorized users; alerting when suspicious activity occurs on the network (e.g., a user copying data files or moving files off the network); detecting the attachment of an unauthorized device to the network (e.g., a flash drive); and identifying and blocking malware activity or attacks.
- Educate your club’s information users. A large share of security breaches begin with inattentive or undisciplined user behavior. Staff and members must be taught the usage rules that protect the club’s information systems and privacy. Educating staff is easier than educating members, because staff are somewhat captive to usage requirements. Members can be careless in their use of the club’s network, connecting personal devices and running unauthorized or insecure programs. Clubs should develop and enforce system usage rules and requirements for anyone connecting to the club’s data systems.
- Obtain cyber security insurance. RSM clients are taught that this insurance addresses two basic risks: first, the liability risk to the club if sensitive member information is compromised; and second, the risk (and substantial cost) of notifying members that their information has been compromised.
The greatest risk to the club is usually the damage to the club’s brand equity and trustworthiness. Newman points out that breach-notification laws differ from state to state, but one common element is the obligation of the club to notify all persons whose private identity information has been—or may have been—exposed. Proper cyber security insurance often covers the cost of hiring companies to execute formalized notifications, according to RSM.
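The monitoring step above names three detections a club’s IT provider should be able to produce: repeated unauthorized access attempts, bulk copying of files off the network, and attachment of unapproved flash drives. The script below is an added illustration of what those rules look like in practice; it is not code from RSM, Global Golf Advisors or the article. It runs over a small, constructed set of audit events (the event fields, the approved-device list and the thresholds are all assumptions for the example; real deployments would read these from endpoint or domain-controller logs and tune the thresholds). Malware detection, the fourth item, is left to the anti-malware software the assessment step already covers.

```python
"""Toy security-monitoring rules over constructed audit events.

Added example, not the article's or RSM's code. Event dicts, device ids,
host names and thresholds are assumptions made up for the demonstration.
"""
from collections import defaultdict, deque

MB = 1024 * 1024

# Hypothetical allow-list of USB vendor:product ids the club has approved.
APPROVED_USB = {"0951:1666"}
FAILED_LOGIN_THRESHOLD = 5      # failures per user inside the window
FAILED_LOGIN_WINDOW_S = 300     # sliding window in seconds
EXTERNAL_COPY_THRESHOLD = 500 * MB
EXTERNAL_DESTS = ("usb", "cloud", "email")

# Constructed sample events (not real club data).
SAMPLE_EVENTS = [
    # jsmith: six failures in one minute -> brute-force style alert
    *[{"ts": 100 + 10 * i, "type": "login_failed", "user": "jsmith",
       "host": "fo-desk-01"} for i in range(6)],
    # rpatel: five failures spread over hours -> outside the window, no alert
    *[{"ts": 1000 * (i + 1), "type": "login_failed", "user": "rpatel",
       "host": "gm-laptop"} for i in range(5)],
    {"ts": 200, "type": "login_failed", "user": "mjones", "host": "pro-shop-02"},
    {"ts": 260, "type": "login_ok", "user": "mjones", "host": "pro-shop-02"},
    {"ts": 300, "type": "usb_attach", "user": "tlee", "host": "acct-pc-02",
     "device": "0781:5581"},                       # not on the allow-list
    {"ts": 310, "type": "usb_attach", "user": "mjones", "host": "pro-shop-02",
     "device": "0951:1666"},                       # approved device
    {"ts": 320, "type": "file_copy", "user": "tlee", "host": "acct-pc-02",
     "dest": "usb", "bytes": 300 * MB},
    {"ts": 330, "type": "file_copy", "user": "tlee", "host": "acct-pc-02",
     "dest": "usb", "bytes": 300 * MB},            # cumulative 600 MB to USB
    {"ts": 340, "type": "file_copy", "user": "mjones", "host": "pro-shop-02",
     "dest": "local", "bytes": 900 * MB},          # local copy, not exfil
]


def detect_failed_logins(events, threshold=FAILED_LOGIN_THRESHOLD,
                         window_s=FAILED_LOGIN_WINDOW_S):
    """Alert once per user who reaches `threshold` failed logins in `window_s`."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "login_failed":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window_s:   # drop failures outside window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"rule": "failed_logins", "user": ev["user"],
                           "host": ev["host"], "count": len(q)})
    return alerts


def detect_unapproved_usb(events, approved=APPROVED_USB):
    """Alert on every USB attach whose device id is not on the allow-list."""
    return [{"rule": "unapproved_usb", "user": ev["user"], "host": ev["host"],
             "device": ev["device"]}
            for ev in events
            if ev["type"] == "usb_attach" and ev["device"] not in approved]


def detect_bulk_external_copy(events, threshold=EXTERNAL_COPY_THRESHOLD,
                              external=EXTERNAL_DESTS):
    """Alert when one user/host copies more than `threshold` bytes off-network."""
    totals = defaultdict(int)
    for ev in events:
        if ev["type"] == "file_copy" and ev["dest"] in external:
            totals[(ev["user"], ev["host"])] += ev["bytes"]
    return [{"rule": "bulk_external_copy", "user": u, "host": h, "bytes": b}
            for (u, h), b in totals.items() if b >= threshold]


def run_all(events):
    """Run every rule and return the combined alert list."""
    return (detect_failed_logins(events)
            + detect_unapproved_usb(events)
            + detect_bulk_external_copy(events))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

The sliding window in the failed-login rule is the part worth copying: a fixed count per day would miss a quick password-guessing burst or, tuned the other way, page the on-call person for an employee who mistypes a password once a week. The copy rule sums bytes per user and host, so two medium copies to a flash drive trip the alert even though neither alone would.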
The European Union has instituted broad rules for the handling of personal data—the General Data Protection Regulation (GDPR)—which governs the processing of personal data of people in the EU and European Economic Area, including its transfer outside those areas.
“I think GDPR holds more problems for clubs than many realize. Those that have EU members during season or EU seasonal workers, really need to understand their obligations and exposure under the new rules,” Newman concludes.
Club directors are well advised to put data protections and security measures in place at their clubs. Highly discreet, affluent and prominent people are attractive targets to hackers.
Henry DeLozier is a principal at Global Golf Advisors, an international club management consulting firm that provides specialized services to more than 3,000 clients from offices in Toronto, Phoenix and Dublin (IR). He can be reached at [email protected] or visit globalgolfadvisors.com.