Did COVID-19 Eat My Information Security?

Take a deep breath… Your organization has survived the shift to Work From Home (WFH), your team did a good job implementing your Business Continuity Plan, and you are starting to think about what the ‘new normal’ actually looks like for your association.

As you contemplate the next steps, information security should be top of mind. Why? Because recent events are challenging our assumptions about where and how to protect the confidentiality, integrity, and availability of information assets.

Rethinking Information Security

It is easy to think of data as something we can store in a safe location, build a fence around, and post a guard at the gate to keep out the bad guys. Cloud computing, software-as-a-service, and remote work have redefined where data is stored, who guards it, and where boundaries do or don’t exist.

The actors have also changed. Our perceptions about hackers are often driven by cartoonish and oversimplified caricatures of lone actors locked in dark rooms in distant locations. Nothing could be farther from the truth. The hacking ecosystem has evolved from the lone actor to cottage industry to fully operational online marketplaces on the Dark Web.

It is also inaccurate to think of information security as solely driven by the potential for financial gain. Yes, much hacking activity is aimed at emptying your bank account, but there are other existential threats in cyberspace. Cyber threat motivations run the gamut from political to social to economic.

COVID-19 did not start this conversation, but it does amplify the need for thoughtful planning, policy development, and education about information security management throughout your organization.

7 Considerations for Information Security

Here are some things you should put on the ‘re-entry radar’ as you define the new normal of information security for associations:

  1. Cyber Security is Risk Management – it is impossible to eliminate all risks. It is critical to identify, assess, and control the threats you can effectively manage.
  2. Good Governance begins with Good Policy – policy establishes the rules of the road. Adopted broadly, policies establish the basis for procedures, tactics, and enforcement.
  3. Classification is a Crucial Conversation – not all information is equal. We think of ‘classified’ as a term of art for security geeks, but classification is an important element in managing the risk of improper use of information assets.
  4. Cyber Security is not an “IT problem” – data governance and risk management are organizational issues.
  5. An Informed Worker is a Safer Worker – social engineering remains the top tool for hackers attempting to breach your systems (think phishing). Teaching your staff to recognize and avoid these deceptions can help to eliminate significant cybersecurity risks.
  6. Small organizations are targets for cyber-attacks – as the hacking ecosystem has become commoditized, it is easier and cheaper to mount an attack. Associations generally ‘punch above their weight’ in terms of the data entrusted to them (members, volunteers, donors). This means that your lists and bank accounts are attractive targets.
  7. Compliance is complicated – the headlines are rife with stories about data breaches. Governments are now codifying policies with real teeth in them. If you are breached, you may be liable. Consider the legal, technical, and risk management experts who should be part of your team when addressing cybersecurity compliance and risk management.

Check out our free ebook The Ultimate Guide to Cybersecurity for Associations to learn the ins and outs of how to implement a rational information security plan today to keep your organization and member data safe.
