Fighting Cyber Risk at Clubs

People ask me all the time, what keeps you up at night?  And I say Spicy Mexican food, weapons of mass destruction, and cyber attacks.

-Dutch Ruppersberger

Ask any security expert and they will tell you that it’s not a matter of “if”, but “when” your organization will suffer a cyberattack.  And while you might think a Country Club isn’t a huge target for hackers, the reality is that no organization is safe anymore, particularly smaller entities.  Verizon Data Breach Incident Report (DBIR) recently reported that more than 75% of all security breaches occur at organizations with 100 or fewer employees.  This is in large part due to a couple of key factors:

• The nature and sophistication of hacks are evolving – gone are the days when hackers would target one organization, do reconnaissance and specifically target and hack that organization. With the emergence of viruses like ransomware and crypto ware, attackers can blast literally hundreds of targets at once versus focusing on one organization at a time.
• The shift to PII – Over the last year or so hackers have shifted their focus away from stealing credit card data and toward obtaining personal identifiable information (PII)*. This is because credit cards are flooded on the black market right now and can be easily changed.  Plus financial institutions are pretty good about catching compromised cards so they aren’t good for very long.  PII however, is like your DNA; it’s very difficult to change.  And once a hacker has it, they can either sell it on the black market or use it to open other credit cards or online accounts.  *PII is classified as any information that is personal in nature, social security number, date of birth, previous employers and addresses, or driver’s license numbers.
• Easy targets – smaller organizations typically have less money to spend on network defense and security awareness training, making them easy targets for hackers.

When you step back and think about it, a country club is actually a pretty good target.  Clubs typically track a decent amount of PII on both their members and employees and given most clubs don’t have a robust IT security program it makes them prime targets for hackers.

Now that we are beginning to accept that cyber risk is a real threat your club should be considering, let’s talk about what your club can do to protect its members and employees.   Here are five effective ways to start securing your network.

• Vulnerability Scans – vulnerability scans are a relatively cheap and effective way to scan your network’s internet-facing devices to see what vulnerabilities hackers may be able to exploit. This can be a valuable tool in both assessing your cyber risk as well as prioritizing what patches need to be implemented.
• Centralize and control your patch management – centralizing patch management is an efficient way to manage your devices and applications connected to the network. This helps make sure all devices follow the same security structure and minimizes the risk of an attack by creating a security baseline for all devices.
• Restrict Access –The most common link in almost all breaches is human error (e.g., an employee accidentally clicks on a malicious link or downloads a file that contains a virus). This can be prevented by restricting user administrative settings so employees can’t download files to their computer.
• Security Awareness Training – as previously mentioned, the human element is the most common cause of security breaches. Having a security awareness training program is an important, and often overlooked, part of securing your network.  Teaching employees about phishing scams and social engineering is critical in today’s technology-driven world.  Consider training employees quarterly (at a minimum annually) on security awareness protocols.
• Cyber Risk Assessments – understanding what information is likely to be stolen and how it flows through your network is a critical part of understanding how to cost-effectively secure it. A cyber risk assessment involves a multi-step process of identifying key data, documenting where it is stored and flows on your network, and assessing controls in place to determine what additional controls may need to be implemented to better secure your network.  A cyber risk assessment is another valuable tool in prioritizing and budgeting cyber initiatives.

Remember this, the worst possible decision you can make for your club is to do nothing.  More than 60% of small organizations go out of business within six months of a data breach. While it is unlikely that a club would go out of business so quickly, the credibility you could lose with your members and employees could be even more damaging.  That’s because breaches can be costly – both financially and operationally.

If you are interested in reviewing your club’s risks, let PBMares help find the solution.

As previously published in Boardroom magazine by Kevin Reilly, JD, CPA, CGMA and Harvey Johnson, CPA, CGMA, CISA.