The Dark Side of Technology

How to Sidestep Digital Threats

Preparing for a Worst-case Scenario

What should you do if you are actually attacked? First, determine the nature of the attack. Is it denial of service? Is it an orchestrated phishing campaign? The resulting steps depend on what you’re able to deduce after making the discovery.

• Gather all information about the attack that you can and keep adding information to the file as matters progress. This process can be overseen by your crisis-response team. (Don’t have one? Assemble one.) This group should be the nucleus of what may become a somewhat larger team and include your IT security consultant, CPA and attorney.

• Inform law enforcement as soon as possible, including your state’s attorney general and federal agencies such as the FBI, and provide updates as circumstances dictate.

• Notify employees of the incident, especially if personnel records have been compromised. Likewise, if the attack has co-opted members’ personal data, those members must be informed of all the facts. Avoid speculation and focus only on what is known. Advise that passwords be changed immediately. Some professionals also suggest establishing a dedicated email address to which affected members can send questions and information.

• If the attack is a phishing incident, you can notify the registrar of the domain used by the perpetrator and ask that the offending website be taken down. This information, of course, should be conveyed to law enforcement as well.

It would be foolish to think that there is a comprehensive fix for cyber crime. The fact is that as the Internet becomes a larger presence, new forms of crime and mischief will be created. As with so many other challenges, we can only respond as reasonably prudent people would. And in today’s world, that means ratcheting up the preventive and detection measures that will help protect your association.

It’s almost impossible to imagine life without digital technology, especially in today’s global business economy. As individuals and as associations, we’ve become increasingly dependent on it and connected as a result of it. But while we attempt to stay current with the newest trends and products available, it’s not without some misgivings. Who hasn’t had the nagging thought: How long until this is replaced by a newer version? Or, worse: How safe is this, really? Those doubts give anyone pause. And well they should. Despite the extraordinary benefits promised by manufacturers and experts, much of the technology we utilize today has resulted in terribly sinister offshoots. Let’s call it the Dark Side of Technology. Fortunately, the more you know about how to avoid it, the better off you and your group will be.

Identifying the Bad Guys. Digital threats can be divided into two very large silos. One contains an array of financially motivated schemes designed to redirect someone’s money into criminal hands. The other is filled with politically and socially inspired purposes. Who are the bad guys? Well, they generally seem to fall into one of three categories:

• Criminals who are motivated by the allure of easy money. Operating as individuals, in small groups or as a branch of a large, established and organized crime syndicate, these criminals are opportunistic. They prey upon organizations and individuals who unwittingly make themselves vulnerable. Their weapon of choice is phishing: masquerading as a legitimate organization in order to solicit money.

• Hacktivists, who are highly adept at writing computer code and generally pursue some sort of political or social agenda. These amorphous groups may be centrally coordinated, or they may simply be freewheelers who want to be identified with a countercultural organization, even if only unofficially. They often favor malware, software that essentially hijacks a targeted computer or computer system, and denial of service (DoS) attacks, which flood a targeted website with traffic so that it can no longer serve legitimate users.

• Cyber spies, who may be government-sponsored or corporate operatives. Their motive is usually to steal data, especially state-of-the-art product or design specifications, or more generally to cause disruption.

According to the nonprofit Identity Theft Resource Center, in 2014, cyber attacks compromised the personal data and social security numbers of 47,000 people affiliated with Sony Corp., 800,000 workers of the U.S. Postal Service, 11 million customers of Premera Blue Cross and up to 78.8 million customers of Anthem Blue Cross & Blue Shield. These are shocking numbers, to be sure, and they should raise a red flag to all groups, because if some of the nation’s biggest companies can be felled so easily by cyber attacks, it goes without saying that any association in any industry is vulnerable, too.

No Group is Immune to Cyber Attack. Nonprofit organizations, no matter their size, can be some of the best targets of cyber attacks because their events—conventions and trade shows, for example—tend to aggregate large numbers of people who are registering to meet for the same reasons, which allows the bad guys to predict stakeholder behavior.

Think about the global response to any major disaster. Contributions pour into nonprofit relief agencies worldwide and it’s just this opportunity that criminals seek to divert funds with cleverly contrived phishing expeditions. Likewise, many cause-related nonprofits have attracted criminal predators feeding upon their campaigns.

Nonprofits are increasingly becoming targets of social action as well. The Italian wing of Anonymous, for example, has been targeting Expo 2015, the Universal Exposition in Milan, with a relentless series of attacks including denial of service that has repeatedly shut down its main website and that of its ticket issuing partner, Best Union. Expo 2015 hardly appears to be a ripe target for a cyber attack, but obviously its attackers think otherwise and have created enormous disruption since it opened on May 1. The reason for the attacks, according to Anonymous claims, is that corruption by officials allowed Expo 2015 to improperly acquire the art works it is displaying.

Three years ago, Anonymous launched a similar attack against a now-defunct nonprofit, TechAmerica, a U.S. trade association of technology companies that strongly and publicly supported the passage of federal legislation designed to enhance cyber security. For three weeks, Anonymous disabled the association’s website with a withering series of denial of service attacks. Ironically, the bill TechAmerica was working so hard to enact failed to pass.

In the face of all of this, what can—and should—a typical nonprofit association do to protect itself and its members from harm? Quite a bit.

Building Barriers. As chief information officer of Experient, the global meeting-planning and event-management company that provides services to hundreds of organizations, Brian Scott spends a lot of his time thinking about cyber threats and how to prevent them. Though there have been cyber attacks launched against American associations and their events, Scott believes that, so far, those have been largely circumstantial rather than premeditated against specific targets.

One of Scott’s bigger concerns is the threat of “social engineering,” a non-technical method of intrusion that relies principally on human interaction and involves tricking people into breaking normal security procedures. Be suspicious if, for example, your organization receives strange calls or visits inquiring about how work processes are managed.

Some of the ways organizations can prevent access to their computer systems are so simple that they’re almost laughable, he said. Take the all-too-common case of an association employee writing the computer password on a post-it note and sticking it to the screen. That allows office visitors or the cleaning crew complete access to your system.

Speaking of passwords, Scott strongly recommends enforcing a policy that requires the adoption of complex passwords: those containing both numerals and letters, uppercase and lowercase, as well as randomly selected symbols like an ampersand or exclamation mark. People, including association CEOs, resist the adoption of these harder-to-break passwords because they can be difficult to remember—but that’s the point. In addition, passwords should be changed every six months. This and other advice should be included in periodic staff training programs that must become part of an organization’s routine protocols.

Associations are also found to be vulnerable because their systems lack intrusion detection or prevention software. For this and other reasons, associations should consider hiring an outside IT security consultant. A trusted IT security consultant can help stitch together preventive measures that almost any organization will be able to justify. When you look at your computer screen, think of it as a ground-floor window that any criminal could break through to gain entry to your office. It’s really that simple.

Finally, nonprofits must protect their brands, trademarks, logos, properties and domain names to the best of their abilities, not just in the United States but in any industrialized nation that has copyright and trademark registrations. Adopt a no-tolerance policy for cyber intrusions and prosecute all breaches as fully as the law allows. Consider what might happen should your website become compromised, leading donors into foolishly contributing hundreds or thousands of dollars into criminal hands—the damage could be extreme and long-lasting.
