The IT security threat landscape for associations
- Chris Ecker
- April 9, 2015
Although an increasing amount of data is moving between networks, mobile devices, and the cloud, IT departments don’t always have the information they need to protect their association’s network and data from malicious attacks. Associations Now highlighted this disconnect with a sobering statistic from the Cloud Security Alliance:
Just 8 percent of more than 200 IT and security professionals surveyed worldwide know the number of unauthorized apps currently being used within their companies – a phenomenon often called shadow IT.
Security Threats are a Concern for all Associations
Shadow IT is just one security challenge that IT staff must address. Since 2013, there’s been a 27.5% increase in data breaches, according to a report by the Identity Theft Resource Center. The Sony hack is one of the more recent headlines, but news-making IT security attacks date back to the early days of office desktops. Unfortunately, the entry points exploited by security threats in the ’80s, ’90s, and ’00s are still concerns for all organizations.
Maybe you remember The Brain virus from 1986? It was the first of many Microsoft OS viruses that got into desktops and then networks when people copied files from infected floppy disks. Infected USB drives cause the same problems today.
The next big scare came in 1988 from the Morris worm, which exploited unpatched systems, in this case a popular email server.
From 1995 to 2000, an epidemic of infected attachments spread viruses through email contact lists, like obnoxious chain letters raining bad luck down on all the recipients.
In 2008, we first saw hijacked web links downloading malicious executable files.
In 2012, millions of Yahoo email addresses and passwords were stolen in an SQL injection attack. Because a Yahoo web application wasn’t written securely, attackers were able to inject malicious code that gave them access to the application’s database.
Since 2013, ransomware has become increasingly common. Victims of these extortion attempts may have to resort to paying a ransom to the attacker to get an encryption key that allows them to decrypt their files. It sounds like a sick online game, but it’s a serious cybercrime. It even made its way into primetime storytelling on an episode of “The Good Wife.”
The 3 most common security threats we see today:
- Malware infections – malicious software that’s installed without your consent, for example, viruses, worms, and Trojan horses. The Sony, Home Depot, and Target breaches were caused by malware.
- Denial of service attacks – the inundation of a network or server with external communication requests with the intent of bringing it down and making it unavailable to its users.
- Spam injections – code is injected into custom-written contact forms, resulting in thousands of emails being sent out anonymously.
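The spam-injection item above, as an added example that is not part of the original post: a contact-form handler that pastes visitor input into raw mail headers, next to a hardened version that rejects line breaks and keeps the recipient fixed. The addresses, function names, and sample submission are constructed for illustration.

```python
import re
from email.message import EmailMessage

# Assumed values: the form always mails one fixed inbox from one fixed sender.
CONTACT_INBOX = "info@association.example"
SENDER = "webform@association.example"

# Control characters (CR, LF and other line separators) have no place in a header.
_CONTROL = re.compile(r"[\x00-\x1f\x7f\x85\u2028\u2029]")
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

class RejectedSubmission(ValueError):
    """Raised when a form field could alter the message headers."""

def build_naive(name, email, subject, body):
    """Weak pattern: form fields concatenated straight into the header block."""
    return (f"From: {name} <{email}>\r\nTo: {CONTACT_INBOX}\r\n"
            f"Subject: {subject}\r\n\r\n{body}")

def build_hardened(name, email, subject, body):
    """Validate every header-bound field; the visitor never sets From or To."""
    for label, value in (("name", name), ("email", email), ("subject", subject)):
        if _CONTROL.search(value):
            raise RejectedSubmission(f"control character in {label}")
    if not _ADDR.match(email):
        raise RejectedSubmission("malformed email address")
    msg = EmailMessage()
    msg["From"] = SENDER           # fixed, so replies cannot be spoofed as staff
    msg["To"] = CONTACT_INBOX      # fixed, so the form cannot be used as a relay
    msg["Reply-To"] = email
    msg["Subject"] = subject[:150]
    msg.set_content(f"Name: {name}\n\n{body}")  # visitor text stays in the body
    return msg

def recipient_headers(raw):
    """List the To/Cc/Bcc lines in the header section of a raw message."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [l for l in head.split("\r\n")
            if l.lower().startswith(("to:", "cc:", "bcc:"))]

if __name__ == "__main__":
    # Constructed submission: a line break in the subject smuggles in a header.
    subject = "Hello\r\nBcc: list@other.example"
    print(recipient_headers(build_naive("Pat", "pat@member.example", subject, "hi")))
    try:
        build_hardened("Pat", "pat@member.example", subject, "hi")
    except RejectedSubmission as exc:
        print("rejected:", exc)
```

Logging each `RejectedSubmission` with the source IP gives IT staff an early signal that a form is being probed.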
The Home Depot and Target breaches are illustrations of what can happen when the security of a third party is compromised. In those cases, hackers stole and used vendor log-ins on extranet sites to get inside the companies’ networks and install malware that stole millions of credit card numbers and email addresses.
If Sony, Home Depot, Target, and other Fortune 500 companies can be hacked, you can too. Your members have a transactional relationship with the companies they do business with. But they have different expectations for the relationship they have with you. They trust you with their data and privacy, but is that trust truly warranted?
On the other hand, can associations trust that their members won’t become the entry point for malicious hackers like the Home Depot and Target vendors were?
I know this all sounds overwhelming and depressing, but stick with me. In my next post, I provide suggestions for improving your organization’s security readiness.
Can’t wait for the next post? Read about the delicate Balancing Act of IT security versus flexibility in Associations Now.