While the idea of celebrating cybersecurity awareness isn’t likely to incite too many to whoop and pull out the party hats, now is a good time to take stock of just how vulnerable your organization is to a potential cyber attack. Hint: If you’re like just about everyone else, the answer is “very.”
Don’t be lulled into thinking that cyber villains are actually just misguided youths looking to create a little mischief in their parents’ basements. Today’s cyber thieves are full-time professional criminals who use all sorts of scary-sounding tools to crack your security codes, from port scanners, vulnerability checkers, password crackers, and denial-of-service attackers, to tools to hack passwords from wireless networks and to launch brute-force attacks against Wi-Fi–protected setups to snag Wi-Fi–protected access passkeys.
Before you can even begin to protect yourself, it’s important to understand what could be hanging a big “welcome” sign on your network to cyber criminals.
Know Your Vulnerabilities
“Anything that attaches to your computer can do you harm,” said MaryAnne Bobrow, CAE, CMP, CMM, president of Bobrow Associates, during a session at the American Society for Association Executives Annual Meeting in August. So those flashdrives that your speakers want to plug into your system—what assurances do you have that they aren’t infected with malware or other computer viruses? Mobile apps are popular hacker targets—how secure is your meeting app? All is takes is one attendee to pass along your meeting’s Wi-Fi password to make it insecure—what measures do you have in place to make sure it stays secure?
One audience member shared that he only became aware that he was hacked after he got a call from a bank that wanted him to OK a wire transfer while he was on site. He had no idea what the bank was talking about, and looked into the situation. It turns out that hackers had created a website that mimicked his organization’s, spoofed his email, and send an email purported from him authorizing the wire transfer to his financial officer. He got lucky—but you don't want to have to depend on luck to guard against this type of computer fraud.
If you allow staff to bring their work computers home, or use their personal devices at work, you need to train them on cybersecurity policies and procedures that prohibit things like downloading an unapproved app or software program, said Bobrow’s copresenter Jonathan Howe, Esq., founding partner and president of Howe and Hutton, Ltd. It’s all too easy for people to unknowingly download what they think is legitimate software, but is really malware in Trojan disguise.
Also consider your vendors, said Bobrow and Howe. What information do they have access to? To protect yourself, they suggested including a clause that would ensure that vendors protect your confidential information, and that they have procedures to follow should a loss or breach happen. You also should obligate vendors to return or destroy any confidential information at the contract’s end, to cover losses if they fail to protect your information, and to carry cyber risk insurance.
What Do You Do if a Breach Occurs?
Forewarned is forearmed, said the presenters. Before you face your first attack, know what your mission-critical needs are, and develop and update regularly an action plan to combat potential breaches. Make sure you have the right technology and services in place, and that you have people authorized to monitor the network. Make sure everyone involved understands cyber-crime management, including your legal council, and that your organizational policies align with your cyber-response plan.
Developing a communications plan also is a key preparatory step. It should include how you can use social media to get the message out. You can choose to have a straightforward message—along the lines of, “We are currently under cyber attack and our website is experiencing issues”—or couch it in more conservative terms, such as saying, “High traffic is causing online and mobile issues,” said Howe and Bobrow.
While the attack is happening, conduct an initial assessment, minimize the damage that happens until you can plug the breach, and document everything.
Once it’s over, do not use the compromised equipment—and don’t get complacent, thinking cyber-lightning won’t strike twice. In fact, the presenters said, hackers often return to the scene of previously successful hacks.