Last year, phishing emails were responsible for more than 90% of cyberattacks. It’s not surprising chapter leaders take the phishing bait. Imagine them trying to keep up with chapter business while busy at work. Kim Grimm, deputy director at the National Association for Catering and Events, said:
A [chapter] treasurer will get an email from what looks like a president requesting funds to be paid.
Can you guess what might happen next? Sometimes they recognize the ploy, but sometimes they don’t. The email looks like it’s coming from the president, but it might not be. Hackers use software that allows them to “spoof” someone’s email. You usually can’t tell the difference unless you inspect the email address in the ‘From’ field or the source code in the email header. Earlier this year, DelCor Technology Solutions explained how to spot a spoofed email and how to prevent it from happening to your association and chapters.
Phishing emails don’t always request fund transfers, usually they try to trick you into opening an attachment containing malware or ransomware that will infect your computer and, if not stopped, your network. Or they fool you into clicking on an URL for a compromised website hosting malicious code that is automatically downloaded to your computer and, eventually, your network.
In the best case scenario, if someone clicks on a bad link or opens a bad attachment, only their computer is infected. To get back to work, their hard drive must be wiped and files restored from a backup—an inconvenience at best. But that’s not how it usually works because their computer is connected to a network and the malware spreads quickly. A ransomware attack usually ends up encrypting everyone’s files. The entire staff is locked out of their computer and network—an operationally and financially crippling scenario.
Files and data must be restored from backups, assuming the chapter has backups. If not, they have to pay ransom which means setting up a virtual wallet to buy bitcoins—a process that can take up to five business days. Then, keep your fingers crossed that the hackers unlock the files because sometimes they don’t.
Meanwhile, employee, customer, and member data is compromised or stolen—and you have to let them know. If chapters don’t secure payment information in a PCI-compliant manner, they can also be held in violation of PCI regulations. Cybersecurity attacks can bankrupt organizations. They never recover from the interruption to operations, financial and legal liability, damage to their reputation, and loss of their community’s trust.
Don’t let your association or chapters become a cyberattack victim. Learn how to prevent and prepare for the inevitable ransomware attack >>
Hackers get into networks because people make simple, but preventable, mistakes. But you can help chapter staff and volunteer leaders take action to prevent phishing attacks.
1. Require compliance with standard business rules
In the ASAE Collaborate discussion on chapter phishing, Sarah Maxwell, chapter administrator at the Project Management Institute, advised clarifying chapter financial guidelines, roles, and responsibilities. Beth Humphrey at the College and University Professional Association for Human Resources said:
Establish procedures for processing payment requests [to] prevent fake payments from proceeding to the point of processing them.
Instruct chapters to always follow their payment processing policy, for example, requiring two signatures for approval. They should also follow rules for sharing member or attendee lists—another common phishing request.
2. Implement safe and sound practices
Even with business rules in place, humans still make exceptions (“just this one time”) and errors. The best way to prevent human error is to create a working environment where it can’t happen. Implement chapter financial controls and technology that take the human error element out of the picture.
For example, chapters and National could use a shared system for transferring funds (dues and other payments). An email request coming from outside the system would immediately be seen as suspicious by anyone, even a busy chapter volunteer leader.
Another over-looked area in many organizations, but particularly chapters, is backups. The reason ransomware is a death knell for so many organizations is because they don’t have up-to-date, comprehensive, and restorable backups of their data and files. Too often, backups aren’t done frequently enough, aren’t stored in a secure location, and don’t contain all necessary files. And, if restoration of the backup has never been tested, how do you know it will work when you need it?
Encourage chapters to build periodic cybersecurity audits into their budget and operational plan. Besides the practical, preventative reason for doing this, financial auditors are now requiring proof that an organization isn’t at financial or legal risk due to insufficient attention to cybersecurity.
3. Provide security awareness training
Knowledge is strength. Strengthen the human firewall and cybersecurity incidents will decrease. Every association should provide cybersecurity awareness training for their own staff and for chapter staff and volunteer leaders. Make it a mandatory element in your leadership onboarding program.
Nancy Berson, director of geographic services at the American Society of Civil Engineers, teaches her chapter officers about email red flags. According to security awareness training firm KnowBe4, some of the top most-clicked phishing email subject lines for the second quarter of 2017 were:
Other social engineering red flags are:
Consider signing up for security awareness training programs like KnowBe4, or asking your technology partners if they offer security training.
4. Eliminate online vulnerabilities
Sometimes chapter staff and volunteer leaders think National is responsible for exposing their email addresses to hackers—an opinion that reveals much about the relationship and lack of trust between that chapter and National. In reality, hackers use software bots to crawl the web looking for email addresses. When those addresses are on public pages, their job is made easier.
To minimize the security risks of displaying email addresses of chapter staff and leaders, you could suggest two alternatives:
Another area of vulnerability is the type of software and website plugins used by chapters. To save money, they often choose free or inexpensive options. Unfortunately, these tools are free or inexpensive for a reason: they’re not always supported and updated (patched). Some even deliver malware intentionally or unintentionally because of poorly written code. Peggy Hoffman, chapter expert and president of Mariner Management, said:
The more connected we are, the more ‘con’nected we are.
Don’t let your chapters get conned, scammed, or phished. Help protect your chapters by being a resource, leader, and model for safe business practices and a security-aware culture.
CEX: The Component Exchange is officially on the books for October 13th! Hosted by Mariner Management & Marketing and Billhighway – Register now >>