As originally published in Associations Now, May 14, 2019.
Top 10 Security Tips Every Association Executive Needs to Know
You need not be a security expert to bolster your association’s security posture.
In fact, the single most effective way to keep your data secure isn’t any sophisticated technical defense at all: it’s education.
According to research by Ironscales, 95% of all successful cyberattacks have the same root cause: a human fell for a scam and unwittingly gave bad actors unwanted access.
This technique is called social engineering: hackers will manipulate humans into divulging sensitive information (directly or through the use of invasive malware) by way of a scam email, phone call, social media post, text message, or even face-to-face conversation.
While this means that your staff are potentially your weakest link when it comes to cybersecurity, it also presents a huge opportunity for association executives: if you educate your team on how to avoid common security threats, you can reduce your risk of a breach by up to 70%.
To give you a head start, here are ten critical security tips that you can act upon starting today.
1. Don’t put too much trust in your spam filter.
Spam filters will catch flagrantly malicious emails, but scammers know how to bypass these defenses and make their way into your inbox. Learn to recognize the common “red flags” that indicate an email might be a phishing scam.
2. Know that identities can be deceiving.
It’s increasingly easy for scammers to “spoof” emails and phone numbers and make them appear to come from someone (or some entity) you trust. If the request comes via email, make a call to verify. If the request comes via phone, hang up and call back on a verified number.
3. Secure explicit approval before making transactions.
Make it a policy to get approval over the phone and in a new email chain before transferring money. An association client of mine nearly wired $180,000 to a scammer thinking it was their CEO in urgent need. Scammers have successfully stolen $3.7 billion this way.
4. Never click on an attachment or link you aren’t expecting.
Years ago you could identify a malicious attachment by its file extension: .exe was likely dangerous, while .pdf was probably safe. This isn’t the case anymore. If you receive an “invoice,” “receipt,” or any attachment or link you aren’t expecting, have your IT team give it a look.
5. If you find a random USB drive, don’t plug it in.
Many of us would plug a foreign USB drive into our machines out of sheer curiosity—especially if it’s labeled "payroll." But bad actors will load malicious programs onto these devices hoping we’ll do just that. If the device isn’t yours, leave it alone.
6. Avoid public WiFi, unless...
When your staff use public WiFi, they are essentially broadcasting their activity to anyone who intercepts that connection. If your organization’s policy allows this type of remote work, shield your data from prying eyes by using VPN software. I recommend Perimeter 81, but there are lots of them.
7. Implement and mandate a password manager.
Most of us have too many passwords to reasonably manage—we end up repeating weak passwords across our personal and work accounts. Using a password manager makes it possible to use strong, unique passwords, and change any that have been compromised. I recommend Keeper to my association clients.
8. Enable multi-factor authentication everywhere.
Many applications and websites (from Office365 to Google to Amazon) now offer two-factor authentication, which adds a layer of protection to your account; even if passwords are compromised, hackers still can’t gain access unless they also have your cellphone or other device. Make sure this is enabled.
9. If you think your machine is compromised, shut it down.
As these scams grow more sophisticated, there’s always a chance we will fall victim. The moment you think something malicious is on your machine, prevent the infection from spreading by turning your computer off and calling your IT team.
10. Expand your concept of data backup.
Most associations have their servers backed up, but fewer pay close attention to how their laptops are being protected. In the case of serious infections, restoring your data from backups can be your only recovery option. Make sure you won’t lose the data stored on these devices.
About Heinan Landa
Heinan Landa is the Founder and CEO of Optimal Networks, Inc., a Rockville, MD-based IT firm that helps associations achieve measurable business results by way of thoughtful technology guidance and white-glove support. For nearly three decades, clients have turned to Optimal when they are spending too much time overseeing their IT team, are worried about the security of their data, or are concerned that their technology isn’t providing the mobility or flexibility their staff and members expect. For more, visit www.optimalnetworks.com.