Associations can be forgiven for downplaying the risk of a cyber-attack. After all, most of the headlines surrounding these attacks centre on major household brands, or top-end-of-town corporations. What does a mere Australian association, relatively unknown outside its industry or membership base, have to worry about?
Well, unfortunately, there’s plenty. Just think of the WannaCry ransomware attack that swept the globe in May, infecting nearly 250,000 computers in more than 150 countries! June's Petya attack similarly caused havoc to companies across the globe. Australia was lucky to miss the worst of both attacks, but there's no room for complacency. It's a matter of when and not if the next attack strikes
Associations need to be a lot more cautious when it comes to cyber security. As repositories of vast amounts of member information, they have a profile that is likely to attract interest from cyber criminals, who may view them as easier targets due to less sophisticated IT security measures.
Australia is increasingly a target for cyber criminals. In 2015 alone, security firm Norton estimated cybercrime cost the economy $1.2 billion. London-based insurer Lloyds suggests Australia can expect a bill of $16 billion over the coming decade.
Associations are not immune. But can they be better prepared? Fortunately, the answer is yes. Cyber security experts are aware of the common ways criminals gain a foothold in or attack organisations, and whether it’s technical weakness, human error, or brute force here are some risks to look out for.
Malware: today’s primary cyber threat, malicious software is constantly evolving, and now includes ransomware: a tool used to extort money out of businesses by locking them out of their devices or files and often threatening them with deletion.
Hacking: a ‘hack attack’ typically involves cyber criminals trying to modify or alter computer software and hardware, or steal sensitive information that they can later use to either damage stakeholders, or profit from on the open market.
Phishing attacks: criminals attempt to obtain sensitive information for malicious reasons through phishing attacks when they masquerade as trustworthy entities in electronic communications. Used as a first step, phishing attacks are becoming increasingly sophisticated.
DDoS attacks: through a Distributed Denial of Service Attack, cyber criminals essentially block access to a website they want to target by inundating it with traffic from multiple, compromised systems, rendering it inaccessible to users.
CEO invoice fraud: hackers assume the digital identities of C-Suite employees to influence others to break normal financial security procedures around paying invoices. This has the potential to disrupt any business that fails to follow stringent accounting sign-off processes.
All of these ‘vectors’ of cyber-attack put associations at risk of serious disruption and could end up threatening their ongoing viability. Typical follow-up actions in the event of a cyber breach include forensic IT investigation, data restoration, replacement of compromised devices, legal representation, potential privacy fines and penalties, and of course, reputational damage.
Associations can be better prepared. For example, the government’s Australian Cyber Security Centre (ACSC) is designed to make Australian businesses some of the hardest to infiltrate in the world, and offers a number of helpful resources for businesses.
The centre recommends measures such as application whitelisting, a security approach that ensures that only authorised applications – not malicious ones – can be executed. When combined with other prevention techniques, including ongoing patching of applications and operating systems, as well as the restriction of administration privileges, associations can avoid up to 85% of potential intrusions.
Risk mitigation can also be undertaken through a growing range of cyber insurance products, designed to support and compensate organisations in the event they are the unfortunate victims of cybercrime.
This insurance protection is highly recommended and will not break the bank. Just ask yourself: what information do you store, and what would you do if it got into the hands of criminals? That can be a difficult to answer, and if you don’t know the answer, you need to start planning for that eventuality sooner rather than later.
Because make no mistake, cyber criminals are probably the greatest innovators in the IT space today. Association data has value, as does your reputation, so the better your security measures and safety nets, the better chance you have of bouncing back in the event of a breach.