Cybersecurity is Also a Big Issue for Associations

Association executive Mark Levin explains why even associations must put checks and balances in place when it comes to safeguarding the digital security of their operations.

19th Mar, 2023

Too often those of us in the not-for-profit sector think that trends that affect our members’ businesses do not necessarily apply to our business, the association business. We must remember that “not-for-profit” is the status given to us by a government agency; it is not a business management philosophy. We have the same challenges that our members, or our members’ employers, have on a day-to-day basis as they strive to be successful. Not-for-profit organisations still need to be managed in a business-like manner. We have a product to sell, and while our product may not be a manufactured product or a scientific product, we still must produce that product at a prominent level for our customers/members. We use the term programmes instead of products, but in fact we are producing value every day for our members.

We need to be skilled at marketing, fiscal management, meeting planning, communications, social media, human resource development, accounting, and inventory control. If you think those skills seem like the ones your members need to have to be successful in their businesses or professions, then you are right, they are the same. We may use different terminologies for some of these same skills within the not-for-profit community, but that does not stop us from having the responsibility to use these skills to provide service to our members.

That is why it concerns me when we do not realise that one of the biggest issues in the private sector – cybersecurity – is also a big issue for our associations, Chambers of Commerce, and other membership-based organisations. In associations, we retain information about our members and other key stakeholders that is valued by those who would steal that information and use it for illegal purposes.

We have members’ names, addresses, cell phone numbers, credit card numbers and security information, spouses’ or significant others’ names and contact information, spending histories, checking account numbers, passport numbers, passwords, and other items that make those intent on identity theft look closely at how they can get that information from us. In many cases, we do not have the financial ability to obtain the levels of cybersecurity that many of our member companies and member employee companies must attain to protect all the information that they gather. That makes associations even bigger targets than some of these other private sector institutions.

When members join our organisations, renew their memberships, purchase educational programmes and publications, or engage in other association-related transactions, they put their trust in our cybersecurity systems. In today’s world, that trust is based, in part, on what cybersecurity levels exist in their places of employment. When engaging in association activities, they are frequently required to ascertain the security levels we (associations) have in protecting their information before they will give it to us or accept communications from us.

Here are some basic things all of us need to be doing to assure our members and stakeholders that their electronic data and online identities are as safe with us as they are with all the other entities with which they do business and conduct communications:

  • Upgrade your staff’s cybersecurity awareness – Provide training to anyone accessing your IT environment to prevent the number one cause of cybersecurity attacks: Phishing (when an attacker sends a fraudulent message designed to trick a person into revealing sensitive information or to deploy malicious software on the victim's infrastructure, like ransomware). Humans continue to be the weakest link. You need to go beyond training and make them aware so that it will become part of the security culture.
  • Back up your data daily – The best way to recover from a ransomware attack is to have backups ready to use when you are held hostage. You must ensure the backup is dependable.
  • Limit the number of people who can install software – Too many cooks spoil the broth. You need to trust that people are doing the right thing when installing and updating software.
  • Use reputable antivirus software – AV is one step that will lower your chances of being attacked with ransomware.
  • Security monitoring of your network must be in place – You MUST be aware of what is happening in your network and perform 24x7x365 monitoring, which will help ensure you are actively looking for the bad guys.
  • Who has access to what and why must be understood – A proper identity and access management programme allows you to provide access to your critical applications to only those who should have it.
  • Use two-factor authentication – Gone are the days of just a single password. Having two forms, such as a password and a biometric, to access your network is required to provide added assurance.

These measures might seem overly simplistic to an IT specialist, but what about the rest of our association staffers (and perhaps key volunteers)? Do they understand the need for enhanced cybersecurity? Are they familiar with the technology and terminology that level of security entails? Are they willing to take training and adhere to organisational cybersecurity guidelines?

The information we control about our organisations, and our members, is information that is highly valued by those who would use it for their own gain. As always, we should make our associations models of good organisational management and be vigilant in protecting our information.

About the Author

Mark Levin, CAE, CSP has more than 20 years of experience as an association executive and is also an internationally-known speaker and consultant to the non-profit and association community. He currently serves as Executive Vice President of the Chain Link Fence Manufacturers Institute, an international trade association, and as President of B.A.I., Inc., his speaking and consulting firm.

About Us

Supported by the Union of International Associations (UIA), the International Association of Professional Congress Organisers (IAPCO) and the Interel Group, the global public affairs and association management consultancy, Headquarters Magazines serve the needs of international associations organising worldwide congresses.