Did COVID-19 Eat My Information Security?

Rick Bawcum, CEO, CISSP – Cimatri

Take a deep breath… Your organization has survived the shift to Work From Home (WFH), your  team did a good job implementing your Business Continuity Plan, and you are starting to think about what the ‘new normal’ actually looks like for your association.

As you contemplate next steps, information security should be top of mind.  Why? … because recent events are challenging our assumptions about where and how to protect the confidentiality, integrity, and accessibility of information assets.

It is easy to think of data as something we can store in a safe location, build a fence around, and post a guard at the gate to keep out the bad guys.  Cloud computing, software-as-a-service, and remote work have redefined where data is stored, who guards it, and where boundaries do or don’t exist.

The actors have also changed. Our perceptions about hackers are often driven by cartoonish and oversimplified caricatures of lone actors locked in dark rooms in distant locations.  Nothing could be farther from the truth.  The hacking ecosystem has evolved from the lone actor to cottage industry to fully operational online marketplaces on the Dark Web.

It is also inaccurate to think of cyber risk as solely driven by the potential for financial gain.  Yes, much of hacking activity is targeted at emptying your bank account, but there are other existential threats in cyberspace.  Cyber threat motivations run the gamut from political to social to economic.

COVID-19 did not start this conversation, but it does amplify the need for thoughtful planning, policy development, and education about cyber risk management throughout your organization.

Here are some things you should put on the ‘re-entry radar’ as you define the new normal for cyber security at your association:

  1. Cyber Security is Risk Management – it is impossible to eliminate all risks.  It is critical to identify, assess and control which threats you can effectively manage.
  2. Good Governance begins with Good Policy – policy establishes the rules of the road. Adopted broadly, policies establish the basis for procedures, tactics, and enforcement.
  3. Classification is a Crucial Conversation – all information is not equal.  We think of ‘classified’ as a term of art for security geeks, but classification is an important element towards managing the risk of improper use of information assets.
  4. Cyber Security is not a “IT problem” – data governance and risk management are organizational issues.
  5. An informed worker is a Safer Worker – social engineering remains the top tool for hackers attempting to breach your systems (think phishing).  Teaching your staff to recognize and avoid these deceptions can help to eliminate significant cyber security risk.
  6. Small organizations are targets for cyber-attacks – as the hacking ecosystem has become commoditized, it is easier and cheaper to mount an attack.  Associations generally ‘punch above their weight’ in terms of data entrusted to them (members, volunteers, donors).  This means that your lists and back accounts are legitimate targets.
  7. Compliance is complicated – the headlines are rife with stories about data breaches.  Governments are now codifying policies with real teeth in them.  If you are breached, you may be liable.  Consider the legal, technical and risk management experts that should be part of your team when addressing cyber security compliance and risk management.

Learn More about how to develop a rational cyber security plan for your organization.

#cybersecurity #riskmanagement #securitypolicy #associationmanagement #securityassessment