If you’re responsible for running your association or nonprofit’s network, you probably have the following in place:
- A properly-configured firewall (including a software firewall for your mobile users)
- Intrusion detection/prevention system
- Centrally-managed anti-malware software
- Centrally-managed OS and third-party patching
- Rock-solid backups for all mission-critical servers, files, and databases
- Idiot-proof disaster recovery and incident response SOPs
- Network monitoring and analysis tools
If you don’t, find someone to help you build the security perimeter your association needs—right now.
If you do, great, your network is invincible…or it would be, if not for those darn users!
Even the best spam filters will let some CEO fraud messages slip through, and as long as people have Internet access, they will inevitably download something they shouldn’t.
Security training leads to security ownership
I hear IT people say things like, “My users are so clueless.” Or, “I can’t believe they didn’t know better.” Here’s the thing: they’ll continue to be “clueless” until you encourage ownership of cybersecurity at all levels. Non-technical staff especially have to take ownership. And you won’t get them to do that without providing training, training, and more training.
Security is everybody’s responsibility, and the IT department’s job is to provide the tools to make that responsibility less onerous. You can’t say your users are “clueless” if you throw them in the deep end without swimming lessons.
You already have the training and tools. Checking email headers is second nature to you because you live and breathe email. Noticing the website you’re on isn’t encrypting traffic is obvious to you because you’ve spent years paying attention to that stuff—and you’re probably using a browser that alerts you to that, and you have HTTPS Everywhere installed (maybe even Tor), etc. Does everyone else on staff have sufficient training and tools?
Your colleagues have different levels of cybersecurity awareness—what you think is obvious may not be so obvious to them. But they still need to learn how to do their part to keep your association’s data secure. It’s your job—the network administrator—to give them the tools to do that: antivirus, patching, backups, and training.
Staff need to know what red flags to look for so they don't blow past them. More importantly, they have to feel empowered and compelled to question suspicious emails.
For example, at our ASAE Technology Conference session on cybersecurity, someone in the audience shared a story about their association's finance director who didn't question an email supposedly sent by their CEO. As a result, the finance director ended up wiring money to someone else entirely. Meanwhile, the CEO was sitting right in the next office, but the finance director never even asked whether the email was legit.
One of our clients avoided the same attack because the email recipient was tipped off by a seemingly innocent typo—an error that the CEO, who happened to be an excellent writer and published author, wouldn’t normally make.
The financial loss outlined in the first example could have been avoided with proper training—and policies!—in place. Everyone should understand how bad actors take advantage of human nature, be able to identify warning signs, and have procedures in place to mitigate cyberattacks.
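The red flags in the two stories above (a message that claims to be from the CEO, a reply address that goes somewhere else, a rushed and "confidential" payment request) can be checked mechanically before a human ever reads the message. The following is an added example written for this post, not code from the original article or from any of the training vendors it mentions: a small Python triage helper that scores an incoming message against those warning signs. The organization domain "example-assoc.org", the executive list, the urgency phrase list and both sample messages are constructed placeholders.

```python
"""Added example (not from the original post): a defender-side triage helper that
surfaces the kinds of red flags staff are trained to notice in CEO-fraud
(business email compromise) messages. The sample messages, the organization
domain "example-assoc.org" and the executive list are constructed placeholders."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the association's real mail domain and the display names an
# impersonator would most plausibly borrow, mapped to the only legitimate address.
ORG_DOMAIN = "example-assoc.org"
EXECUTIVES = {"jane doe": "jane.doe@example-assoc.org"}

# Phrases that commonly accompany a fraudulent payment request.
URGENCY_PHRASES = ("wire", "urgent", "confidential", "asap", "gift card", "right away")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def red_flags(raw_message):
    """Return a list of human-readable warnings for one RFC 5322 message.

    An empty list means none of the checks fired; it does NOT mean the
    message is safe, only that staff should apply their normal judgement.
    """
    msg = message_from_string(raw_message)
    flags = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name impersonates an executive but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display name '{from_name}' but address is {from_addr}, expected {expected}")

    # 2. Reply-To points at a different domain than the From address.
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(f"Reply-To {reply_addr} does not match From domain {from_domain}")

    # 3. The sender is outside the organization even though it looks internal.
    if from_domain and from_domain != ORG_DOMAIN:
        flags.append(f"sender domain {from_domain} is outside {ORG_DOMAIN}")

    # 4. Payment or urgency language in the subject or body.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("urgency/payment language: " + ", ".join(hits))

    return flags


# Constructed sample: the kind of message from the conference story.
FRAUD = """From: Jane Doe <jane.doe@example-assoc-mail.com>
Reply-To: Jane Doe <jdoe.ceo@freemail.example>
To: finance@example-assoc.org
Subject: Urgent wire transfer

I'm in a meeting and can't talk. Please wire $48,000 to the vendor today, it's confidential.
"""

# Constructed sample: an ordinary internal message from the real CEO address.
LEGIT = """From: Jane Doe <jane.doe@example-assoc.org>
To: finance@example-assoc.org
Subject: Thursday

Want to grab lunch Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("fraud", FRAUD), ("legit", LEGIT)):
        print(label, red_flags(sample) or "no flags")
```

A check like this belongs in the mail gateway or a triage script on the IT side; it supplements the training rather than replacing it, because the decisive control in the first story was the one nobody used: walking next door and asking the CEO.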
Get security buy-in from leadership
If the executives in your C-suite believe the IT department, and the IT department alone, is responsible for cybersecurity, it’s only a matter of time before someone on staff slips up and causes a cybersecurity nightmare. Everyone in the C-suite and on senior staff should be delivering the same message: cybersecurity is everyone’s job.
The implications of a serious data breach can range from a bad PR day for your association to a business-ending event. If leadership can’t get behind you and hammer home the security ownership message, staff will get lackadaisical, and you’ll take the blame when someone cryptolocks their laptop.
You must evenly enforce security standards. No exemptions for anyone, including the C-suite. Everyone takes the training, including the C-suite. Nobody gets a pass on password complexity requirements, not even the C-suite. Everyone needs to put a PIN on their smartphone, including the C-suite.
And nobody gets to log in as admin just because it's easier. This time I'm talking to you, the network admins who stay logged in as domain admin all day even if you're just checking email. No exemptions.
Deploy cybersecurity training tools
Associations have many options for cybersecurity training services. I’ve been very satisfied with KnowBe4, a low-cost and highly-automated service. Other options include Webroot, CompTIA CyberSecure, and ESET.
Whatever you pick, make sure the training content is easily digestible by staff, and you can track who’s using the program. Follow up their training with an in-person coaching session if needed.
Encourage staff to discuss security with you, others on the IT team, and colleagues. There are no stupid questions, so make sure no one feels stupid asking even the most basic ones. Show your appreciation for their curiosity.
When someone correctly identifies a phishing email, give them kudos, and brag about them to their boss too. Incentivize these new security-aware habits by entering your phishing sleuths in a contest. Pick a winner every quarter for lunch on the house or a gift card.
Your job will become much easier if you can help your colleagues understand how to do their part in protecting the association from cybersecurity attacks. Sure, they may forget to back up their files or need the occasional password reset, but they will no longer be "clueless" about cybersecurity.
With our free ebook, The Cybersecurity Watchlist for Association & Nonprofit Executives, no one has to be "clueless" anymore. Download and share it with your leadership. Together, you can make cybersecurity a priority in your organization.
Flickr photo by Kelly Michals