The Association CEO’s Role in Cybersecurity
- Dave Coriale
- September 12, 2017
CEOs must lead a culture of security. You're the ultimate guardians of customer (and member) data. The proverbial "buck stops here" at your desk. Do you think that's how Equifax CEO Rick Smith saw it?
Equifax uncovered its cybersecurity breach, affecting up to 44% of the U.S. population, on July 29. A few days later, three of its top executives unloaded $1.8 million worth of Equifax stock. And the rest of us finally learned about the breach weeks later, on September 7. Seems the Equifax CEO led a culture of "getting yours while the getting is good."
Equifax will suffer the consequences. Its stock price has already taken a double-digit hit. Investigations and lawsuits are in the works.
If a company like Equifax can be blindsided by a security crisis, what's to keep it from happening to your association? The Equifax hackers got access to the personal information of 143 million Americans after exploiting a single web application vulnerability. All it takes is one security hole.
Don’t assume your team would never let something like that happen. Assume nothing. Start asking questions and start leading a culture of security.
12 Steps Association CEOs Can Take to Avoid Becoming the Next Equifax
1. Take a proactive stance. Defensive and reactive tools like firewalls and other intrusion-protection technology can give you a false sense of security. You also need to build a human firewall. Take a proactive stance by instilling a sense of security awareness and personal responsibility in your staff.
2. Educate yourself. You need to learn enough about security to know what type of questions to ask your team; our Cybersecurity Watchlist for Association & Nonprofit Executives will help. You don't have to get into the technical nitty-gritty, but you do need a basic understanding of cybersecurity threats and how your IT team protects your association against them.
3. Invest in regular risk assessments. Cybersecurity audits should be part of your operational budget every year. The threat landscape is constantly changing, and you want to uncover your association's vulnerabilities before the bad guys do. Find out whether your internal IT team is capable of providing the appropriate level of security. If not, budget for outside expertise.
4. Plan for a security crisis. The one thing it's safe to assume is that your organization is a target, so plan ahead for a cyberattack. Develop a cybersecurity crisis response plan that includes a chain of responsibility as well as internal and external communication plans. A disaster recovery and business continuity (DRBC) plan is a good place to start.
5. Appoint a team of data guardians. Put together a cross-departmental data team that stays on top of how your association uses, shares, and protects data. These people are your champions of data integrity and security.
6. Involve IT in all technology purchases. Make sure the IT department is involved in technology purchases made by other departments. They alone have the expertise to ensure the level of vendor support is sufficient, e.g., that software bugs are patched promptly and your association's data is safeguarded.
7. Talk about your association's security policy. Don't think that just distributing the security policy is enough. Lead a conversation about it with your staff. Make sure the policy is reviewed regularly, in bite-size pieces, with all staff, including your colleagues in the C-suite and department heads. Everyone has to abide by the rules and know why you have them. Everyone must understand the possible consequences to the association and its data if the policy isn't followed. When cybercrime is in the news, use it as a teachable moment.
8. Set an example. Some CEOs ask IT for special favors: "Turn that off for me, but turn it on for everyone else." Don't be that CEO; the rules apply to you too, for good reason. You're setting the example and tone for your direct reports as well as the rest of the staff.
9. Invest in staff training. Budget for security awareness training and participate in that training yourself. Everyone, including you and your fellow execs, must know how to spot suspicious emails, attachments, and websites. You must understand how to access and share data safely, use your phone safely, and manage your passwords safely. What else does your association need to do safely? Only a good cybersecurity assessment will help you figure that out.
10. Know that YOU are more likely to be targeted and impersonated. CEO email addresses are often spoofed and used in phishing attacks on employees and volunteer leaders. You're a prized target because your bio and other details are easy to find online, and your name alone commands authority, which makes a message that appears to come from you far more likely to be acted on without question.
11. Acknowledge how easy it is to become a victim. You're pressed for time, accessing your inbox at all hours, and rushing through messages. It would be easy to click on the wrong thing, especially when you're using your phone. Slow down and scrutinize your emails. Don't accept anything at face value.
12. Don't assume your organization is not a target. You're no Equifax, but ransomware bots and sociopathic hackers don't care. Equifax has a huge security budget, and it still ended up in the headlines. Do what you can to make sure your association doesn't end up there too.
Download our infographic, Is Your Association Protected from Cyberattacks?, to review examples of threats to your data.