Skip links

Guarding Against Cybersecurity Risks

Club membership has its privileges—but with that privilege comes heightened risk for threats to the security of information about club members, who can be especially appealing as individual targets for

cyberbandits seeking access to their personal data, and to clubs themselves, as potential victims of ransomware attacks designed to compromise and disrupt an entire operation unless major payments are made.

In recent presentations to club managers, IT and cybersecurity experts offered tips for protecting the especially sensitive information that exists within club operations, by remaining diligent about the threats that can be posed not only through breaches of entire systems, but also by penetrating seemingly innocent individual e-mail messages.


As part of a presentation on technology in private clubs, Trevor Coughlan, vice president, marketing of Jonas Club Software, stressed to managers that the club industry’s connection with affluent segments of the population makes it especially attractive and susceptible to fraud and data breaches.

“Data is the new oil, and up to 95 percent of all cybersecu- rity breaches occur due to human error,” Coughlan said. “How secure is the data that you and your staff has been trusted with?”

Coughlan opened eyes in his presentation with a chart that shows how easy it is for a hacker to use “brute force” to obtain a password if it is not sufficiently safeguarded with the proper mix of numbers, upper and lowercase letters, and symbols.

Even a password that has as many as seven of all of those factors in its mix can be hacked in 31 seconds, the chart showed.

Coughlan urged managers to make sure that all of these steps are taken to protect the data a club staff is entrusted with, along with all aspects of a club’s IT system:

  • Increase the minimum complexity of all staff passwords.
  • Never allow staff to share log-in credentials.
  • Educate your staff on cybersecurity standards regularly.
  • Ensure your club is backing up data to a secure, offsite location.
  • Ensure that sensitive information is only stored in known locations with the appropriate safeguards.
  • Work closely with your club’s IT vendor to ensure your network infrastructure is secure as possible.
  • Partner with a security firm to assess your vulnerabilities and create an improvement strategy.


In a presentation on “Learning to Speak Cyber,” Patrick Hynds, CEO of Pulsar Security, told managers that the full list of “threats knocking on clubs’ doors” now includes not only physical security, but also:

  • Password management and policies.
  • Staff and member security awareness about phishing, ransomware, malware and the dangers lurking on the “Dark Web.”
  • Wireless management and policies.

The key to password security, Hynds said, is using MFA (multi-factor authentication) whenever possible. The length of a password is more important than its complexity, he noted. He recommended using to check for a possible breach when one is suspected.

E-mail phishing, described as a “social engineering attack” triggered when an email, text or instant message is sent from someone posing as a “trusted entity” to staff or members to try to lure them into responding and revealing sensitive information, is the biggest threat to clubs, Hynds said.

Hynds educated club managers on the distinction between ransomware, which encrypts and holds data until a payment is made, and malware, which seeks to disrupt a system and render it functionless. To be properly “prepared for the worst,” he said, clubs should have and test ransomware protection and response plans once a year.

“The ‘new normal’ is that boards need to understand security risks and how well the club is managing them,” Hynds said. “That requires having a strategic plan for meeting security needs and being transparent about current security risks, the current controls and policies that are in place, including replicable metrics that track trends, and also presenting a realistic roadmap for improvements that may be needed.”

General rules for not falling victim to phishing attempts:

  • Do not click on suspicious links.
  • Be vigilant to detect “spoofed” messages.
  • Use strong access controls such as multi-factor authentication.
  • Filter and block suspicious emails.
  • Back up data to protect sensitive information.
  • Ensure backups are not connected to a home network.
  • Use a reliable spam filter. Create a disposable email address.

Keys to Effective Communication with Your Board, Members & Staff

The board will want to understand the risks to the club, and how well the club is managing those risks. What to include in a communication or presentation:

  • A strategic plan that includes security needs and why security is necessary to secure club, board, member and staff data.
  • Transparency of your current security risks and a realistic roadmap for improvement.
  • Current controls and policies in place. Replicable metrics that track trends.
  • Confidence-building stories about proactive plans and threats stopped.

Board, Members & Staff Communication Best Practices

Communication essentials:

  • Know your club’s cybersecurity risks and have a roadmap for improvement.
  • Include security in your strategic plan. Communicate your club’s risks effectively. Know your security controls and policies. Communicate security needs.
  • Have a solid working plan—start with the basics. Illustrate improvement in cyber maturity.
  • Encourage tenacity.
  • Stay data-driven; use replicable metrics that track trends.
  • Include confidence-building security success stories.
  • Be transparent.