A Hole In One (Club After Another)
This is a variation of the article published in The BoardRoom magazine, Sept/Oct 2017
As a cybersecurity and risk assessor in the Club space, time and again I find Clubs' cyber defenses are practically non-existent, and they don't even know it. They've got the framework, but it's not being leveraged. We've got a firewall; we're solid, right? "Cyber" is this distant intangible--and it's the IT department's job to handle anyway.
Without fail, when I'm invited to give a wake-up-and-smell-the-cyber seminar to overview the kinds of real problems I find at nearly every Club I visit, Club representatives come up to me afterward stammering things like, "I never knew the risks!" or, "I never even thought a computer breach could allow a hacker to do that." They feel compelled to go tell others; so do I, and that is why this is what I do.
When It Finally Hits Home
When I brief a Club's board of directors at the close of a vulnerability assessment, the abstract risk they saw at my seminar becomes real. Imagine your face as I show you video footage from your own security cameras, which my hacking team was able to access from anywhere in the world… or a copy of your member database. How does your stomach feel as you contemplate mass identity theft becoming the legacy of your Club? Just look up "Chicago Yacht Club Hacked" and read quotes from former members. Really. Or, right now, go look up "Country Club Hacked" and find current results--the hackers are leaving their signatures on Clubs' websites. Make sure your Club isn't on that list.
But How Did It Get This Way?
Clubs often have just an IT guy. Unless specifically tasked with security, the primary focus of that IT "department" is to keep things working. That makes sense, because convenient, functional information systems for workers allow fast service to members. Unfortunately, convenience and security pull against each other: tightening one usually loosens the other. Without additional resources (personnel, training, or outside support), the existing IT department can usually only trade one for the other, like the slider on an old radio tuner. Increased security measures may result in scenarios such as a helpdesk call for a password reset while a member has to stand, waiting. For some, this is untenable.
Simply opting for convenient system operation is, by default, a forfeiture of security, which is a notion that hasn't occurred to most Clubs, or even to most other small organizations in general. Additionally, existing IT departments often lack either the manpower or the expertise to implement reasonable levels of information security in their Clubs. Without investment in the IT department (whether more IT staff, better education for current staff, or augmenting the department by bringing in a team of outside experts with a fresh set of eyes to conduct a vulnerability assessment), this paradigm won't change.
What About Cyber Insurance?
Cyber insurance is one of the fastest growing segments in the insurance industry; however, it's not the safety net many people think it is. Many policies are underwritten on subjective questionnaires that ask whether security policies and procedures exist, without verifying that the insured actually follows its own policies.
Without an objective analysis of the risk profile, policies tend to vary wildly in cost, cover only very specific incidents, and carry sweeping exclusions. Many organizations have a very hard time making a collectible claim on cyber insurance after an incident, because the insurer discovers that the controls attested on the questionnaire were never in place. Insurers don't exist to be a safety net for organizations that don't care to take basic steps to secure themselves.
Wake Up and Smell the Cyber
The fact is this: Clubs are high-value targets, holding member databases full of confidential data, and most seem not to have taken reasonably prudent measures to secure their systems and their members' data against a breach. Club members already trust you to protect their personally identifiable information (PII). If they didn't, they wouldn't be members. Is that trust misplaced?
Prudent managers no longer dismiss cybersecurity, saying, "Oh, that's the IT department's job." They're asking themselves, "How, and from whom, do I want to find out how vulnerable my Club is?"