
Creating a High Standard for Cybersecurity: Establishing Effective IT Governance

The following is an excerpt from the upcoming NCA-HFTP cybersecurity whitepaper, prepared in consultation with leading technology and club experts. Special thanks to Noel Wixsom, founder of Country Club Technology Partners, for his contributions to the whitepaper. This document provides critical resources to address the growing presence of cyberattacks on businesses, clubs and federal agencies. Clubs will be able to use the information to better protect themselves, their members and their staff from malicious online actors, and to avoid the cost of responding to damaging attacks. The whitepaper can be accessed on the NCA website nationalclub.org and the NCA App.

Significant cyber attacks are in the news daily, and cybersecurity for private clubs can feel like an overwhelming topic. This report shares practical and effective cybersecurity guidelines that peer clubs in the industry are using, with a focus on clubs with limited budgets.

Often overlooked in the cybersecurity conversation are the smaller organizations that fall under the same legislative guidelines as large companies yet find funding the cost to protect member and staff information a budgetary challenge. What cost-effective cybersecurity strategies can private clubs use to diligently protect members, staff and club data? This report offers straightforward recommendations.

Let’s start with what private clubs are responsible for protecting. Cybersecurity, in a nutshell, is a multi-armed approach to ensuring that member, staff, email, financial, physical or electronic data is not exposed or stolen illegally. This report will identify what defenses a private club should deploy to protect and secure confidential information for members, staff and the club.

Legislative and Legal Cybersecurity Responsibilities for a Private Club

Back in the mid-1990s, when the Internet was taking off, governmental bodies around the world started to raise privacy concerns over consumers’ confidential information stored on networks run by banks, insurance companies, financial institutions, credit card companies and other businesses. How were these institutions going to protect such data and disclose breaches when unauthorized users or hackers accessed their systems? What would the liability for those breaches be?

There are no official guidelines to define cybersecurity for clubs; however, there is “best practice” methodology that organizations can adopt.

The Wikipedia entry on cybersecurity regulation, quoted below, is a straightforward description of the terms and definitions that will be covered in this publication, including firewalls, passwords and other topics mentioned later.

Cybersecurity regulation


Cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks like viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access (stealing intellectual property or confidential information) and control system attacks. There are numerous measures available to prevent cyber attacks.

Cybersecurity measures include firewalls, anti-virus software, intrusion detection and prevention systems, encryption, and login passwords. There have been attempts to improve cybersecurity through regulation and collaborative efforts between the government and the private sector to encourage voluntary improvements to cybersecurity. Industry regulators, including banking regulators, have taken notice of the risk from cybersecurity and have either begun or planned to begin to include cybersecurity as an aspect of regulatory examinations.

Based on the cybersecurity regulations for the United States, how does a private club or small resort/hotel go about creating a high standard for cybersecurity defenses that comply with the law and are financially reasonable?

The starting point and cornerstone is IT Governance.

IT Governance

IT Governance is the overall management of how the club’s IT systems are set up, supported and maintained. Most clubs (and other kinds of businesses throughout the U.S.) have ceded IT Governance to their outsourced IT vendors, who then set all the club’s IT policies. These policies cover passwords, data backups, web browsing and computer patching, among many other areas at the club. Unfortunately, very few, if any, of these policies are documented, reviewed or followed.

There is a better model for IT Governance: It starts with the club’s IT Cybersecurity Committee. Proper IT governance should come from an internal, club-managed IT Cybersecurity Committee working in conjunction with the local outsourced IT company to set policy. If the current IT governance setup has the outsourced IT company making all the decisions for blocking illicit websites, creating passwords and backups, providing remote access, and monitoring other areas, there is room for improvement.

An alternative model would have the club IT Cybersecurity Committee set policy with input from the outsourced IT vendor. The outsourced IT company would carry out the policy set by the club IT Cybersecurity Committee. The club’s key IT policies should be reviewed and overhauled by the club IT Cybersecurity Committee. Then the club should engage an outside third party (possibly the auditors) to verify that the policies set by the IT Cybersecurity Committee are properly installed and documented by the outsourced IT company. This would provide needed checks and balances to the IT support structure.

In their efforts to satisfy the club auditors’ request for documented IT security, many clubs do not know where to start. Without specified guidelines, it’s unclear how to go about it. The best place to start is to form an IT Cybersecurity Committee. This committee, however, isn’t a member committee, but rather a department head committee.

Step 1: IT Security Committee (aka Cybersecurity Committee)

A private club IT Security Committee can achieve these important goals:

  • Facilitate IT governance
  • Remove IT department silos
  • Provide organizational buy-in

Who should be on the IT Security Committee? There’s no “one size fits all,” but including the following personnel often works best:

  • General manager
  • Controller
  • Head of human resources
  • Director of security/outsourced security
  • Internal IT/outsourced IT
  • Facilities manager

You may also consider including the chef, director of golf, superintendent and other key department heads.

The benefits of organizing a club Cybersecurity Committee are many, and the reality is many clubs may already be doing it ad hoc and not realize it. The critical nature of managing cybersecurity is only going to increase over the next few years. Having an IT Cybersecurity Committee is the first step to take control of club IT Governance and raise the IT standards across the board.

A Cybersecurity Committee removes IT departmental silos. A structure in use at a number of private clubs today has the facilities director managing the security cameras and the controller overseeing the data network. This is an example of IT silos. It’s rare that these two departments collaborate on the overall setup of the club’s different systems, which can cause problems.

The club IT Cybersecurity Committee brings all the departments together, which fundamentally changes the overall IT structure from a departmental view to an organizational view. Going forward, an organizational approach would give the club a global view of the current and future IT systems. A benefit of this setup would be buy-in from members of the IT Cybersecurity Committee as a group. This is a significant change from the departmental approach. Department heads often complain that new IT systems are selected without their input. Basically, the organizational approach proactively brings the department heads to the table, to get their input and buy-in on new IT platforms.

Step 2: IT Policies

In addition to IT Governance, the IT Committee would also review and approve IT policies. There are several key areas for which policies need to be set. Below are a few that club auditors specifically look for:

It is important for the IT Cybersecurity Committee to be wary of creating too many IT policies. If you create a policy, it must be followed. The five policy areas listed above are good ones to focus on first.

Another benefit of creating these policies is accountability. Documenting the referenced policies obliges the outsourced IT company to follow them. In the event of a data breach, the outsourced IT company would be liable for any damages if the club’s policies were not followed. These policies, for the first time, hold outsourced IT organizations accountable for the management of the club’s systems.

This IT management model will help clubs; the reality is that auditors’ IT security requests are not going away. In fact, they will probably increase over time. Auditors asking about IT security and data protection is a positive influence that helps raise cybersecurity awareness in the private club industry. The club is going to have to rethink older IT management practices. Taking an organizational approach to managing the club’s long-term IT security is a practical way to solve this problem.

According to Matt O’Dell, a partner with Condon O’Meara McGinty & Donnelly LLP, auditors became involved in making IT recommendations during the audit:

“It has almost been a decade now, since we started noticing clubs experiencing various IT issues related to phishing schemes and cyber attacks. These early attacks helped raise awareness that the club industry needed to improve IT security procedures and setups. We began asking a few basic but critical questions around IT security and recommended IT specialists who focused on clubs. The discussions around IT have certainly escalated over the years with a number of clubs establishing policies, educating employees and assessing insurance coverage and IT vulnerabilities.”

Instituting policies is also a low-cost way to raise the cybersecurity standards of the club. This report will share sample policies so that clubs have a blueprint of what a solid IT policy looks like. An outsourced IT company should be able to implement these IT policies for a club.

Passwords

One of the first tasks a club should undertake is to develop a list of all the club’s master administrator passwords. It’s surprising how few small businesses in America today have control of their master passwords.

The master passwords are critical to the network file server (e.g., Jonas, Clubessential or Northstar) and internet structure. They also include the Microsoft administrator password, firewall password, Office 365 email password, and onsite/offsite backup passwords, to name a few. These master administrator passwords are the keys to your data network kingdom. It’s rare to see private club leadership have any idea where to find all their master administrative passwords.

Generally, the outsourced third-party IT company has control of these passwords. This is not a bad thing, but the club should also have a physical list that’s independent of the third-party outsourced IT company’s list. Have you ever tried to change IT companies and not have the list of master administrator passwords? It can be embarrassing and difficult in the event of switching vendors. This is a simple, low-cost piece of information that every small business in America should have. A best practice—having control of your master administrative passwords—elevates cybersecurity standards.

Brian Walshe, general manager of Round Hill Club in Greenwich, Conn., explains how they handle IT policies and cybersecurity:

“In 2017, our auditors asked us how we protected club, member and employee digital information from external internet threats. In response, we engaged in a process that was called network analysis at the time. The analysis was a third-party company that tested our backup systems, firewall set-up, password verification process, website security, workstation security, including patching, and a number of other sensitive areas. We received a detailed report from the third party with recommendations on areas to improve and further protect. As part of the remediation, we implemented a number of IT protocols and policies that we still have in place today.”

Sample Master Administrator Password Request Letter/Email

Below is a sample letter/email for the club (usually the controller) to send to the third-party outsourced IT vendor requesting master administrator passwords. Use this as a template for your club to request its master administrator passwords for critical network infrastructure access. This is the starting point for higher cybersecurity standards for your organization.

To: XYZ IT Support Company

From: ABC Club

RE: Request for Passwords & IT Information

XYZ IT Support Company,

ABC Club would like XYZ IT Support Company to provide all the passwords relating to its data and Wi-Fi networks. Below is a list of passwords that we are requesting; this is not a final list, but a starting point. Please include all the passwords for ABC Club’s IT setup.

Please Note: Do not email these passwords. We would like a physical printout of the passwords, or a USB drive containing the information. The purpose of the physical password list is for the club’s controller to have an up-to-date list of all ABC Club IT and Wi-Fi passwords stored in a secured area of the club. This is for cybersecurity and control purposes.

Initial Passwords Request:

  • Microsoft Administrator Password
  • Golf Maintenance Building Firewall
  • Other Firewalls
  • Backup Device – Onsite
  • Backup Device – Offsite
  • Internet Router
  • Layer 2 and Layer 3 Switches
  • Spam Filtering
  • Wi-Fi Access Point & Controller
  • VMware Hosts
  • NAS Device #1
  • NAS Device #2
  • Local Administrator Account Passwords
  • DNS Documentation
  • Office 365 Email configuration & Passwords

Every private club should have a secure list of its master administrative passwords.

Note: The club should also have master administrative passwords for the phone system and security camera systems. These systems may be supported by vendors other than the outsourced IT organization. It’s important to control the master administrator passwords for all the club’s IT, voice/VOIP, Wi-Fi, security cameras and building management software platforms.
