No word provokes chapter nightmares like the word “hacked”—except maybe the word “fraud,” the topic of our second post in this series about chapters in crisis. When chapter volunteers (and staff) are busy, and they surely are busy, they’re more likely to make the kind of tiny mistakes that can lead to a cybersecurity disaster.
One of them is bound to fall for an email phishing scam one of these days—it’s inevitable. When they do, you want them to feel comfortable turning to you for guidance, no matter their chapter structure: independent or subsidiary. In this post, we assume chapters are subsidiaries, a situation that brings more risk to National, but also supposedly provides more control. Even if your components are independent, you’ll benefit from the advice we share.
A crisis waiting to happen: chapter cybersecurity attacks
We’ve heard countless stories about spoofed emails impersonating a chapter officer, for example:
- A chapter board chair appeared to send an email to the treasurer directing him to transfer some funds from a bank account.
- A chapter president supposedly asked another officer for the password to the bank account.
- A chapter executive director supposedly sent an email directing an employee to purchase gift cards on her behalf.
Spoofed emails are only one way for a chapter leader to get phished—tricked into revealing sensitive information or exposing their computer (and their chapter’s network) to malware.
Another common incident is receiving a legit-looking email from a service provider notifying the recipient of suspicious activity and advising them to log in to their account. Phishing emails like these are seeking your Gmail or other email credentials. Once they have these credentials, they can do all kinds of damage. The creativity of cybercriminals knows no bounds as new phishing schemes are continually unleashed.
Some phishing attacks are targeted at large organizations, but most are not. They’re made possible by inexpensive, automated software called “exploit kits” that spread malware via emails and compromised websites.
Dealing with a cybersecurity attack
The extent of your involvement depends upon your relationship with the chapter. If the chapter is a subsidiary, you might take responsibility for these tasks. But, if an affiliated component is the cybersecurity victim, you can suggest these steps.
Gather your team—IT, membership, communications, member services, and legal—and follow your data breach plan. Hopefully, your association and chapters have a data breach plan to follow. If not, schedule time with a cybersecurity consultant to develop one.
You may need to hire an IT professional to find out how the breach occurred, and help you fix any holes in your security perimeter. Once your network is secure, restore lost data from your backup. Again, this is another area where it pays to plan ahead: make sure your chapters have redundancy plans and backup procedures in place.
Every state, as well as the District of Columbia, has a data breach notification law with specific requirements for notifying anyone whose personal data has been compromised. Don’t delay action. Some state laws require you to notify data owners within 30 days.
How to prevent a cybersecurity attack
Even with the best security perimeter your budget can afford, you need a strong human firewall as your last line of defense. Ensure chapter volunteers and staff have the training they need to protect member and customer data.
Follow a two-prong strategy: teach and test. Mandate attendance or viewing of security training webinars. Provide cybersecurity training resources, such as tip sheets and sample policies. Teach chapter leaders how to safely use personal computers and mobile devices if they’re connecting to a chapter or National network.
Test their cybersecurity knowledge. An automated phishing test service, such as KnowBe4, sends simulated phishing emails to see if staff and volunteer leaders take the bait. If they do, a training video explains what to look for in future emails so they don’t make the same mistake again.
Raise the cybersecurity issue regularly in chapter leader communications so it’s kept top of mind. Use security breaches in the news as teachable moments.
Policies and procedures
Have policies and procedures in place that make it less likely for chapter leaders to fall for social engineering, for example, a clear procedure for payment and money transfer requests.
Although most security breaches are caused by human error, you must ensure your network’s security perimeter is as tight as possible. If it’s in your budget, arrange for annual cybersecurity audits to identify and fix any vulnerabilities or unsafe practices. These audits are often required now as part of regular financial audits.
Instruct chapters to do regular backups, and, for those with the IT resources, to test data restoration. If they can’t quickly and completely restore data after an incident, they’ll have trouble getting back to business.
Website contact information
Because cybercriminals can scrape email addresses and other data from your public website, don’t publish contact information for staff and volunteer leaders. Use email forms instead.
Find out if your insurance policies cover social engineering claims. Even cyberinsurance may have limitations on claims caused by phishing and ransomware attacks.