Cybercrime is growing at a tremendous rate. According to CNBC, it has become a major business opportunity for criminals and was projected to reach $600 billion in 2019. Cybersecurity is a particular concern for private clubs: the exclusivity that attracts members also makes those members high-value targets for cybercriminals, and the club holds their personal and financial information. That information is at high risk if it is not protected properly.
The club’s board of directors has a fiduciary duty to ensure that the club is taking proactive steps to minimize its risk. Cybercrime is a business now, with entire markets in place to sell stolen data. You do not want your club’s or your members’ data on that list of offerings. So how can you protect and defend your members’ critical personal information?
Checkups Reduce Risk
To ensure that we keep ourselves in good health, we see a doctor to get regular health checkups and we do the same for our vehicles. Clubs need to take the same diligent approach when it comes to reviewing their cyber “health.”
A report card of your current risk profile serves two purposes:
- It provides a business-focused view of risk for the board of directors and the improvement projects necessary to reduce risk to the club
- It provides club IT with a “punch list” of what should be prioritized to make the club more secure
A risk report card should verify that the club has the following security measures in place:
Assess the strength of your defense. What vulnerabilities could expose club assets to bad actors? Are the existing defenses effective in protecting those assets from threats? A professional penetration test shows what an attacker could actually do to the club: the tester chains individual weaknesses (vulnerabilities) into a demonstrated impact and reports to club IT how it was done. It is more than an automated vulnerability scan, and its value depends on what happens next: fix the findings in priority order, then retest to confirm the fixes hold. This testing may be the last chance to fix flaws before a hacker finds them.
Create security policies. A security policy is a document (or set of documents) that describes the security controls governing the club’s systems, behaviors and activities. The key objective of a security policy is to protect the club’s assets and its ability to conduct club business. An effective security policy is a written document that includes details on what is appropriate and inappropriate use of the club’s resources. It helps reduce potential legal liability (whether from an employee or a third party) and is designed to preserve and protect valuable, confidential or proprietary information from unauthorized access or disclosure. Security policies should cover incident response, disaster recovery, business continuity, acceptable use and password use.
Train all staff. According to Computer Weekly, in 2017 nearly 84% of reported cyberattacks were due to human error. Verizon’s “2018 Data Breach Investigations Report” indicates that phishing and other forms of social engineering are involved in up to 93% of data breaches. For phishing or any other social engineering attack to succeed, the target, in this case a club employee, needs to take the bait.
Employee training is typically one of the least costly and most effective tools a club can use to reduce the risk of a cyberattack. Training can be both formal and informal. Formal training includes communication of club policies and procedures as well as specific incident response training (who to call, and how quickly, when something looks wrong). Informal training includes regular updates on current threats. Also consider regular testing of employee responses to simulated phishing attacks, with follow-up feedback rather than punishment, so staff keep reporting what they see.
Leverage encryption. Clubs are no different from other businesses in that they encounter cyber risks every day. Encrypting critical information (financial data, member and employee personal information) at rest and in transit means that a stolen laptop, lost backup tape or copied database file yields nothing a criminal can sell on the dark web. Two caveats apply. Encryption only helps if the keys are stored and managed separately from the data they protect; a key sitting next to the database protects nothing. And it does not help against an attacker who has taken over an account or application that is entitled to decrypt the data, which is why it complements, rather than replaces, access control and monitoring.
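What “encrypt the critical information” looks like in practice, as an added example that is not part of the original article: a member record is sealed with AES-256-GCM, an authenticated mode, so that a blob copied out of the club’s database cannot be read without the key and cannot be silently altered either. The record, the key handling (a random key generated in-process, standing in for a key held in a key-management service) and the row identity used as additional authenticated data are all assumptions for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// A member record as it might sit in the club's database or an exported
// spreadsheet. Constructed sample data, not real member data.
var sampleRecord = []byte(`{"member_id":4711,"name":"A. Example","card":"4111 1111 1111 1111"}`)

// NewDataKey returns a random 256-bit AES key. In production this key lives in
// a key-management service or HSM, never next to the data it protects
// (assumption for this example: we generate it in-process).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM. Output layout is
// nonce || ciphertext || tag. aad (additional authenticated data) is bound to
// the ciphertext but not encrypted; using the row identity (table and primary
// key) as aad stops an attacker from swapping sealed blobs between rows.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record: reusing a nonce under the same key
	// breaks GCM's confidentiality and authenticity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord reverses EncryptRecord. It fails if the key or aad is wrong
// or if even one bit of the stored blob was modified.
func DecryptRecord(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, aad)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("members:member_id=4711")
	sealed, err := EncryptRecord(key, sampleRecord, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes, begins %x...\n", len(sealed), sealed[:8])

	plain, err := DecryptRecord(key, sealed, aad)
	fmt.Printf("right key and row: %q err=%v\n", plain, err)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the stored blob
	_, err = DecryptRecord(key, tampered, aad)
	fmt.Println("after tampering:", err)

	_, err = DecryptRecord(key, sealed, []byte("members:member_id=4712"))
	fmt.Println("blob moved to another row:", err)
}
```

The last two calls are the point of using an authenticated mode: a tampered blob, or a blob copied onto a different member’s row, is rejected outright instead of decrypting to garbage that the application might act on.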
Perform backups. This cannot be stressed enough: regular backups are the foundation of data security and business continuity. There are many forms of storage media available for backups, but what matters most is that at least one copy is kept offline or otherwise isolated from the production network, because ransomware that can reach a backup will encrypt or delete it along with everything else. Backups are an important defense against ransomware and other cyber threats that target the integrity and availability of the club’s data.
Backup testing is just as critical. A backup that has never been restored is an assumption, not a safeguard. Testing should confirm that the club can be returned to, or kept at, a fully operational level after a disruption: restore to a scratch system, check that the restored data is complete and matches what was backed up, and record how long it took. It is advised to create a documented backup testing plan and to run it on a schedule.
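A minimal restore test of the kind the plan above should call for, as an added example that is not part of the original article: the backup step records a SHA-256 digest of every file in a manifest kept apart from the archive, and the test step restores the archive into a scratch directory and reports any file that is missing, altered, or unexpected. The tar-in-memory archive, the manifest format and the constructed sample file are all assumptions for the demonstration; a real backup tool would keep the same idea with its own formats.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Manifest maps a file's path inside the archive to the hex SHA-256 of its
// contents at backup time. Keep it apart from the archive, so a damaged
// archive cannot "verify itself".
type Manifest map[string]string

func digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Backup tars every regular file under srcDir into w and returns the manifest.
func Backup(srcDir string, w io.Writer) (Manifest, error) {
	m := Manifest{}
	tw := tar.NewWriter(w)
	err := filepath.Walk(srcDir, func(path string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		rel, _ := filepath.Rel(srcDir, path)
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		m[rel] = digest(data)
		if err := tw.WriteHeader(&tar.Header{Name: rel, Mode: 0o600, Size: int64(len(data))}); err != nil {
			return err
		}
		_, err = tw.Write(data)
		return err
	})
	if err != nil {
		return nil, err
	}
	return m, tw.Close()
}

// RestoreAndVerify extracts the archive into dstDir (a scratch directory,
// never the live system) and checks every restored file against the manifest.
// An empty findings list means the restore test passed.
func RestoreAndVerify(r io.Reader, dstDir string, m Manifest) ([]string, error) {
	var findings []string
	seen := map[string]bool{}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		name := filepath.Clean(hdr.Name)
		// Refuse entries that would write outside dstDir (tar path traversal).
		if filepath.IsAbs(name) || name == ".." || strings.HasPrefix(name, "../") {
			findings = append(findings, "unsafe path in archive: "+hdr.Name)
			continue
		}
		data, err := io.ReadAll(tr)
		if err != nil {
			return nil, err
		}
		target := filepath.Join(dstDir, name)
		if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
			return nil, err
		}
		if err := os.WriteFile(target, data, 0o600); err != nil {
			return nil, err
		}
		seen[name] = true
		if want, ok := m[name]; !ok {
			findings = append(findings, "file not in manifest: "+name)
		} else if want != digest(data) {
			findings = append(findings, "digest mismatch: "+name)
		}
	}
	for name := range m {
		if !seen[name] {
			findings = append(findings, "missing from archive: "+name)
		}
	}
	return findings, nil
}

func main() {
	src, _ := os.MkdirTemp("", "club-data")
	dst, _ := os.MkdirTemp("", "restore-test")
	defer os.RemoveAll(src)
	defer os.RemoveAll(dst)
	// Constructed sample file standing in for the club's data.
	os.WriteFile(filepath.Join(src, "members.csv"), []byte("id,name\n4711,A. Example\n"), 0o600)
	var archive bytes.Buffer
	manifest, err := Backup(src, &archive)
	if err != nil {
		panic(err)
	}
	findings, err := RestoreAndVerify(&archive, dst, manifest)
	fmt.Println("findings:", findings, "err:", err)
}
```

Run it against a copy of last night’s backup on a schedule and treat any finding as an incident to investigate; a restore that silently produces a truncated file is exactly the failure a documented test plan exists to catch.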
Conduct screening for all employees. Skipping due diligence on employees prior to hiring could cost your club significantly, especially for roles with access to member records or payment systems. Key reasons for screening employees include:
- Fraud prevention: Candidates do misrepresent their credentials on resumes; verify them.
- Data security: Background checks reduce the risk of hiring someone who will steal or leak member data.
- Reputation management: A data theft traced to an employee damages the club’s reputation and, worse, can put jobs and future employment opportunities at risk.
- Legal compliance: Regulations on handling personal data are becoming more stringent.
Defend your networks. Network security is about “defense in depth”: several independent layers safeguarding sensitive and proprietary data, so that when one control fails or is bypassed, the next one still stands. Common components that belong in the club’s network infrastructure include firewalls, anti-virus programs, intrusion detection and prevention systems (IDS/IPS) and virtual private network (VPN) secure communication for remote access. Each of these must be kept updated and its alerts actually reviewed; an IDS nobody watches is not a layer.
Establish a strict bring your own device (BYOD) policy. Clubs struggle to balance BYOD risks and rewards (e.g., staff connecting personal cell phones to USB ports on club computers). Clubs should approach BYOD by creating an enforceable, security-focused strategy. An effective BYOD policy should include:
- Standards in the Acceptable Use Policy that specify which devices may connect to the club’s network and under what conditions (e.g., a passcode and current updates).
- Defined network segments and user groups, so personal devices land on a separate network that cannot reach the member database or point-of-sale systems.
- Policy enforcement (including penalties for noncompliance).
- Support: who is responsible for configuring, troubleshooting and, when a device is lost or an employee leaves, removing club data from personal devices.
In today’s world, clubs must be ever vigilant. They must take a proactive cyber security posture, not only because it is the prudent way to conduct business, but also it is what members expect and demand.
Fredrick Santarsiere is vice president and chief risk officer at Cino Ltd Companies. He can be reached at [email protected]. Tanja Jacobsen is director of security operations at Cino Ltd Companies. She can be reached at [email protected].