When you think about cyber attacks or data breaches, what comes to mind? Sony, where 47,000 social security numbers were compromised (and tons of juicy emails were uncovered)? Or Target, where hackers obtained information on roughly 40 million customers, which cost the company $40 million, and kicked off a weeks-long media nightmare?
These are just two of the massively publicized data breaches that come to mind. Given the press coverage and scale of these cyber attacks, it’s easy to forget that smaller breaches happen all the time, to all kinds of organizations. The only criterion is that you have something attractive to a hacker. Consider two breaches that occurred in 2012 when Anonymous – a group most famous for hacking ISIS and supporting WikiLeaks – turned its attention toward two trade associations, TechAmerica and USTelecom.
The associations were targeted simply because they counted AT&T, IBM, and other big companies as members, and Anonymous was opposed to a cybersecurity bill those corporations were publicly supporting.
So, while it’s understandable that executives don’t consider themselves or their organizations as prime targets for cyber threats, there are 4 very good reasons why they’re wrong.
1. Your Members are Targets
As in the TechAmerica / USTelecom example, associations are defined by the character of their members. The actions and positions of the association itself matter far less than those of its member companies and people. As the steward of sensitive data (personal information, financial data, etc.) for your members, you are a logical target.
As an association, you might not hold the keys to the kingdom in terms of government secrets or insider financial information, but rest assured your databases are valuable enough to be a reasonable mark.
2. You Don’t Train Your Staff to Respond Appropriately to Cyber Threats
Most associations, particularly those with long-tenured staff and small teams, are unfortunately behind the curve on cyber security training.
For-profit corporations hold employees to standards of conduct for cyber security – most have explicit training and guidelines that force employees to behave in a knowledgeable, logical way. Some are even compelled to do so directly by governing bodies like their Board of Directors, shareholders, or even state and federal government standards. Many associations, having been lulled into a false sense of security and often convinced they sit relatively low on the target totem pole, do not effectively hold employees accountable.
3. Your Systems are Old
Staff members at associations are not the only latecomers to the technology curve; IT infrastructures and systems can also have obvious gaps. Ask yourself – when was the last time you updated your IT systems to ensure that you maintained a reasonable defense against cyber attacks? Do you perform audits and tests throughout the year to ensure your data is safe? Do you allocate a sufficient portion of your budget to security? The answers may be indicative of a larger problem.
4. They Know it Works
Unfortunately, the widespread publicity of cyber attacks provides would-be hackers with key details regarding defense systems. Big companies, even ones that haven’t been hit, are forced to beef up their infrastructure to guard against future attempts because they have internal stakeholders under heavy fire or shareholders that can cause a sizable ruckus. Do the decision-makers at your association hold staff to the same standards? The answer is probably a resounding “no.”
An association’s reputation rests squarely on its ability to maintain integrity and keep its members’ data strictly confidential. Don’t fall into a pattern of complacency and false security – you may find yourself answering to harsh tweets, nonstop negative press, and even legal and governmental inquisition about your security practices.