There is a saying among cybersecurity experts first credited to FBI Director Robert S. Mueller at the RSA Cyber Security Conference in 2012: “There are only two kinds of companies: Those that have been hacked, and those that will be hacked.”
Some might say that is hyperbolic. Yet many organizations are hacked daily, and the cost of failing to prevent these attacks can be substantial. Associations are gold mines of information for hackers, often housing personal identification and payment details for thousands of members, sponsors, donors, and staff.
Think it won’t happen to you? In its 2017 State of Cyber Security Report, independent association ISACA found that of cybersecurity experts surveyed, 53% experienced more attacks in 2016 than the year before.
Small associations often believe they can fly under the radar. Yet they may be even more at risk than larger organizations. Smaller budgets and understaffing often mean that cybersecurity is overlooked and can be compromised by carelessness or human error. For example, associations that take great care to protect credit card information going through their payment systems may underestimate how valuable auxiliary personal information, such as usernames, passwords, emails, and addresses, is to hackers, leaving that data more open to attack.
What are the most common forms of hacking?
In the ISACA report, 78% of surveyed members answered that their organizations had experienced a malicious software attack in 2016, and 62% of those attacks specifically involved ransomware. Ransomware is a particularly malevolent type of invasion that locks a computer or other piece of hardware, and the data on it, so that it cannot be used until a “ransom” is paid to the attacker.
Social engineering cyber-attacks take advantage of human vulnerability, typically manipulating a user into giving up personal or private information. This may involve hacking a familiar email address and using it to send malicious code. The receiver may trust the sender’s address and mistakenly open attachments containing malware, thus infecting their computer.
The percentage of surveyed ISACA member organizations that reported phishing attacks was 60.39% in 2016, up from 40% the year before. Phishing is a type of social engineering that tricks the user into thinking they are dealing with a legitimate business, service, website, or correspondent, so that they willingly hand over personal information to the counterfeit interface. While phishing attacks are typically delivered through email, some hackers have moved to staging attempts on social media, where cyber-assaults are less expected.
The 2017 ISACA report found that 10% of surveyed members had experienced attacks that involved hijacking corporate assets for botnet use. In these attacks, the attacker installs malware to take control of company hardware, which may later be activated for malicious purposes, or even used to help the hacker stage attacks on other systems.
Advanced Persistent Threat (APT)
Unlike typical one-off cyber-attacks, an advanced persistent attack seeks continued access to the compromised system. Rather than financial gain or damage to the organization, APTs are typically motivated by theft of data. Given the complex, multi-stage nature of this type of attack, large associations with access to valuable information may be most at risk.
At ISG, we encourage all of our clients to keep up-to-date with cybersecurity issues. If you are concerned about protecting your systems, member data and staff, let’s talk. We work with partners that have cybersecurity expertise and are happy to make referrals.