When we walk out the front door, we lock it behind us. We double-check that our car keys are in our pockets, and we have our kids text us when they get to their friend’s house.
We do all these things because we’re concerned about our safety. Those checks, double-checks and procedures we have in place with our friends and family are ingrained in us as surely as brushing our teeth in the morning or taking the trash out. They are, essentially, routine.
So why do so many of us fail to instill the same routines when it comes to cybersecurity?
Connecting to the Internet offers those with certain skills a way into your private space just as surely as leaving the front door unlocked. We use our phones, laptops and home computers to check our bank accounts, send photos to grandparents and maintain health records — all important details about our lives that are best kept behind lock and key.
But the data stacked on our computers and networks inside association walls is no less valuable. From our members’ home addresses, bank information from membership auto-drafts, names, birthdays and maybe even certification details to our staffers’ insurance information, Social Security numbers and other private details, there is no association that doesn’t have something a cybercriminal would be interested in having, or cutting you off from in exchange for a hefty ransom.
A Symantec report released in February 2019 notes that one in 10 URLs is malicious, meaning you don’t even need to stumble onto a sketchy email to find something potentially damaging, though the report also notes that 48 percent of malicious email attachments are office files.
Association staffers might believe cyber attackers wouldn’t come after their organizations, but CPO Magazine reports half of all cyber attacks are aimed at small businesses, so having a conversation about cybersecurity is imperative for any organization.
Typically, however, we leave that conversation to the IT department — but that’s probably not enough.
The founders of the cybersecurity firm Archefact Group, Thomas Parenty and Jack Domet, made the case in a recent issue of the Harvard Business Review for why cyber safety should be looked at from the perspective of an organization’s activities, thinking not about how to keep anyone from breaching your digital walls but instead about how you can protect your data at every step of your process.
“To help companies organize and share the relevant information with a wide audience, we’ve developed a tool we call a cyberthreat narrative,” the pair advised. “It addresses the four parts of the story of a potential cyberattack: a key business activity and the risks to it; the systems that support that activity; the potential types of attacks and possible consequences; and the adversaries most likely to carry attacks out. Outlining details about all four will help companies recognize and prioritize their risks and prepare remedial actions.”
Parenty and Domet suggest that those involved in identifying a cybersecurity strategy should indeed include the IT department, but also leadership, operations personnel and any specialists who have an understanding of the consequences of specific types of breaches.
Regardless of who gets involved in the conversation, those conversations are required in today’s digital, well-connected world.