BreachExchange mailing list archives

Data Security: Keep A Lid On It


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 2 Jun 2014 19:32:22 -0600

http://associationsnow.com/2014/06/data-security-keep-lid/

Last year’s Christmas shopping season was a decidedly unmerry one for
Target. In mid-December, the retailer disclosed a massive data breach
that exposed payment card data and personal information for as many as
110 million customers. Target is still paying the price for that, from
remediation to the free year of credit monitoring it offered to customers
by way of apology. The net cost of the company’s error, after insurance
payments, isn’t cheap: $17 million and counting, according to The New
York Times.

If there are any association executives who think Target’s experience is
too wide-scale to be relevant to them, nonprofit technology expert Maki
Kato recommends a simple exercise: Write an apology letter to your members
just like the one former Target CEO Gregg Steinhafel had to deliver to
customers.

“What if I were the executive director of an association, and I have to
write this letter apologizing?” says Kato, chief technology officer and
vice president of engineering at Matrix Group International, an association
technology consulting firm. “Is that worth keeping the handful of credit
card numbers the staff feels they need to hang onto to process refunds?”

Kato’s question speaks to an important point about data security: While
hackers unleash data-breach mayhem, association staffers too often
unwittingly enable them, thanks to lax security processes that keep
valuable member data readily accessible to unauthorized parties. Effective
cybersecurity is about both keeping up with technology trends and managing
the people who handle essential data—often all too casually.

HUMAN ERROR

Tobin Conley, senior consultant, technology management, at DelCor
Technology Solutions, keeps a running list of obvious mistakes association
staff members make that leave the organization open to data breaches or
make it difficult to recover data. Overly simple passwords like “1234.”
Important passwords for databases and social media accounts saved in an
unencrypted file in a shared folder. Backup tapes kept in the same room as
the servers—ensuring that the data will be lost after a fire or other
catastrophic event.

“You hear stuff that just curls your toes,” he says.

Dr. Devin Jopp, president and CEO of the Workgroup for Electronic Data
Exchange, an association that serves healthcare information professionals,
says he experienced a data breach at a previous association, so at WEDI
he’s mindful about the technology systems his vendors use and the access
his staff has to them. He recommends reviewing vendors’ updates and
processes at least twice a year to make sure they’re current.

“Updating this is the critical part,” he says. “A lot of places do their
due diligence initially and then they forget about it.”

On the staff side, Jopp implements tight controls on who has passwords to
different levels of information. The ability to export an Excel spreadsheet
from the association management system, for instance, is heavily
restricted. Hackers aren’t the only concern. “You’re probably more likely
to have a staff member take your data than having your data stolen from
outside,” he says.

And though it’s uncomfortable to think about, Conley highly recommends
having a procedure in place to ensure employee access is locked down when a
staffer leaves or is terminated. “You need to make sure that you don’t give
any lag time whatsoever, that that back door is shut,” he says.

TOOL MANAGEMENT

The upside for associations is that technological solutions can address
many of the day-to-day concerns about data security. For example, adhering
to PCI compliance standards can keep credit card transactions secure and
ensure that members’ credit card data never resides on the association’s
servers. Tools can force staff to use strong passwords, and automatic
updates for antivirus software can protect data without relying on people
to remember to install newer versions.
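An added illustration of the kind of check such a tool enforces at password creation, rejecting the trivial choices Conley lists (short strings, “1234”, a common word with a year appended, the account name itself). This is example code written for this page, not anything from the article or the organizations it quotes; the common-password set is a constructed sample standing in for the large breached-password corpus a real deployment would consult, and the 12-character minimum is an assumption.

```python
"""Password policy check of the kind an account-management tool can enforce.
Added example; the common-password set is a small constructed sample and the
minimum length is an assumed policy value."""

import re

# Constructed sample of common/breached passwords (real lists hold millions).
COMMON_PASSWORDS = {
    "1234", "12345", "123456", "password", "password1", "qwerty",
    "letmein", "welcome", "admin", "summer2014",
}

MIN_LENGTH = 12  # assumed policy value


def _is_sequential(pw: str) -> bool:
    """True if every adjacent pair of characters steps by +1 or -1 ('1234', 'abcd', 'dcba')."""
    if len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def _is_repeated(pw: str) -> bool:
    """True if the password is a single character repeated ('aaaaaaaaaaaa')."""
    return len(set(pw)) == 1


def check_password(pw: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if _is_sequential(lowered) or _is_repeated(lowered):
        problems.append("is a simple sequence or repetition")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    # Strip trailing digits/punctuation and re-check: 'Password2014' is no
    # stronger than 'password' against a dictionary attack with common suffixes.
    stripped = re.sub(r"[0-9!]+$", "", lowered)
    if stripped and stripped != lowered and stripped in COMMON_PASSWORDS:
        problems.append("is a common password with digits appended")
    return problems


if __name__ == "__main__":
    for candidate in ("1234", "password2014", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate) or "ok")
```

The check returns every violation rather than stopping at the first, so the tool can tell the user exactly why a choice was rejected; checking the lowercased, suffix-stripped form is what catches the “strong-looking” variants staff reach for when a bare dictionary word is refused.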

The downside is that weak links abound in all of these efforts. A meetings
staffer might still keep credit card numbers in a file to please a member
having trouble getting a conference refund online. Another staffer might
have a strong password but keep it written on a sticky note on a monitor.
Your cloud-server vendor might be top-notch, but a website plugin may not
be.

“You might have a website running WordPress with Amazon [Web Services],”
says Joanna Pineda, CEO of Matrix Group International. “But if you’re not
current with WordPress and auditing plugins and passwords, relying on
Amazon’s security is only going to get you so far.”

Keeping tabs on passwords and necessary updates has become even more
complicated as associations increasingly embrace “bring your own device”
policies, which let staffers use their own computers and phones to do
association work. Renato Sogueco, CIO of the Society of American Florists,
manages a strict written BYOD policy that gives SAF a great deal of control
over staff data: It can set passwords, install apps and security features,
and, in the case of a lost phone, wipe all data from the device.

Just as critical as writing the policy is regularly communicating its
importance to staff. “I can’t impose something that’s just verbal to people
who use these devices,” he says. “I need a piece of paper to stand on.”

All employees have to sign the policy, which Sogueco and the SAF executive
team revisit every year. “It should be a habit,” he says. “If it’s not a
habit, then people don’t think about it, and then they’re caught in an ‘Oh
my’ moment” when the policy is enforced.

NOBODY’S IMMUNE

Associations, because they represent professionals and authorities, are
tempting targets for criminals looking for data. But sometimes that’s not
even an attack on an association’s own servers. In 2011, NACHA–The
Electronic Payments Association saw its logo and name used by hackers in
phishing scams. People who thought they were receiving an official NACHA
message about an electronic payment were in fact clicking links that
installed malware on their computers.

Pam Moore, NACHA’s senior vice president, administrative services, and
chief financial officer, says the experience put a strain on staff
resources. “Our customer service department was impacted severely,” she
says. “More and more calls were coming in. And we needed more from our IT
resources as well.”

Though associations with high profiles in particular industries might hold
additional appeal for hackers, every association ought to assume it will be
a target, Pineda says.

“People say, ‘This can’t happen to us, we’re so small,’” she says. “What
we’re finding is that everyone is a target. Every site, every hour of the
day, is under attack.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 