No technology topic is hotter in the private club industry than cyber security. Articles, conference and chapter meeting education sessions, vendor presentations–all are addressing the topic from a variety of angles. Sadly, the swirl of information often creates more confusion than clarity.
The purpose of this article is to lay out the four elements of cyber security that should concern your club. We call those elements “legs of the cyber security platform.” Imagine that a complete cyber security program is the platform that your club’s technology rests upon. Supporting that platform are four legs–all equally important in keeping the platform steady. Remove one leg and the platform topples.
Leg #1 - Security assessment. This is where it all should start, and sadly, where it often prematurely ends. An effective security assessment includes an evaluation of all aspects of your club’s computer systems: servers, switches, firewalls, desktop units, server and desktop software, communications software, anti-malware software, network design and configuration–and a host of other elements that combine to represent your system’s infrastructure. Security assessments can be provided by many sources–local IT individuals, outsourced network management companies, network security specialists. Costs start as low and go up from there depending on the depth of the assessment, and size and complexity of the club’s infrastructure. A proper security assessment will pinpoint vulnerabilities and recommend effective remedies. Depending on the condition of your club’s infrastructure, costs to remediate could be a few thousand dollars to tens of thousands, again depending on the scope of your environment. While these assessments are highly recommended and should serve to shore up any security holes in your club’s infrastructure, their value is short-lived. That’s because the security landscape is continually evolving. So a clean bill of health this week doesn’t guarantee protection next week.
Leg #2 – Security monitoring. Once your club’s infrastructure is up to par, you have to keep it there. Security monitoring does just that by installing devices and software on your club’s network that continuously monitor performance and user activities. Any suspicious activity is detected through this monitoring and reported to the security outfit to alert that there is a problem. Monitoring includes identifying attempts to access the network by unauthorised users, alerting when suspicious activity occurs on the network (i.e., a user copying data files or moving files off the network), the attachment of an unauthorised device to the network (i.e., a flash drive), identifying and stopping malware activity or attacks, etc. Security monitoring picks up where a security assessment leaves off and helps to ensure that the club’s infrastructure is kept in top condition.
Leg #3 – User education. Study after study shows that internal users are the unwitting accomplices in a majority of business security breaches. Innocently clicking on a phishing email, providing network access information to a convincing hacker posing as a credible source, transferring monies to “the bank” or other “trusted source” when the receiver is actually a hacker using a believable impersonation–these and other unsuspecting behaviors are the “door openers” hackers now focus on to steal valuable personal information and monies. Why waste time trying to break through a firewall when you can send a phishing email out to a thousand business networks and quickly hook some innocent employees? Fortunately, effective online employee education is available to teach users how to recognize and avoid these debilitating scams. Courses are provided for management as well as line employees, and are intended to sharpen employee awareness of the full spectrum of attack methods. Reasonably priced, this education is a critical part of any effective cybersecurity program.
Leg #4 – Cyber insurance. Almost unheard of just a few years ago, cyber insurance is now front and center in security discussions. This insurance addresses two basic risks: first, the liability risk to the club if sensitive member information is compromised, and second, the risk (and substantial cost) of notifying members that their information has been compromised. While many clubs worry about potential lawsuits by members stemming from a breach of the member database, the likelihood of such litigation is actually rather small. The major risk is the cost (in damage to the club’s image and in dollars) in managing such a breach. Laws in each state differ, but they all have in common some requirement to notify all parties whose personally identifying information (PII) has, or may have been, compromised. Well-crafted cyber insurance policies include reimbursement for costs associated with employing specialists to handle the notification tasks.
Your key take-away from this article should be: All four legs of the cyber security platform are needed to support a robust and effective cyber security program at your club. If just one leg is weak or missing, the entire platform becomes vulnerable to collapse.