“I’m generally not a sky-is-falling kind of lawyer,” Jefferson Glassie told the group of 44 leaders of AAES member societies gathered for the AAES General Assembly Meeting, Nov. 5.
“But when it comes to cybersecurity,” he continued, “I think the general mantra should be: ‘The sky will fall on you.’”
It was a good line, and it got a buzz from the audience, but it also served as a stark reminder that data security is a major challenge for associations in this era of big-data breaches.
The session – featuring presentations from Glassie, partner and co-chair of the Nonprofit Organizations and Associations practice at Whiteford, Taylor & Preston LLP, Chris Ecker, chief technology officer at DelCor Technology Solutions, and Dr. Richard Schroth, a preeminent cyber security expert – provided steps that associations can take to protect themselves and their members if and when that sky does fall.
The recent Sony and Target data breaches garnered plenty of attention and refocused the way the corporate world is protecting its information. It would be foolish, though, for nonprofits to think it’s a problem limited to major companies.
“We tend to think we’re small, so we’re safe, but that’s not necessarily the case,” Glassie said.
Schroth followed the same logic in his talk: “You think, ‘Why would they target you? What would they want from me?’ The fact of the matter is they’re probably not targeting you. They’re probably targeting you as a pass-through. You become part of a list whether you’re big or small.”
The real difficulty for associations is that a breach can come from a variety of different sources – opportunistic insiders, malicious outsiders, even accidental incidents, such as a misplaced USB drive. It’s nearly impossible to plug every hole in the dam.
But it was not just a gloom-and-doom session. There is hope.
Glassie offered five lessons learned that can help associations better secure data and mitigate damage in case of a breach.
- Plan to fail well.
Assume the worst and have an incident-response plan in place.
- Security is a governance issue.
This is not “just an IT problem.”
- Address data security with vendors.
Sixty-three percent of data breaches are linked to a third-party component (according to the 2013 Trustwave Global Security Report).
- Choose and follow a reasonable security standard.
Get audited by a credentialed third party.
- Buy insurance with cyber coverage.
Key risk-mitigation tool.
The panel of speakers fielded questions from the audience about issues more specific to associations and societies. There is no question the issue will continue to take on increased importance as groups rely more and more on the cloud for data storage.
And while the falling-sky mantra may be scary, the session’s key theme was one of simple proactivity: Plan ahead.
- By Ben Walpole, Associate Editor, ASCE News