Are You Ready To Defend Your Club and Yourself? Cyber Threats to Clubs Are Real - Part I

Before you can develop a security strategy for your club, you need to know what the risks are. To determine risk, the organization must understand the type of external threats it faces, including the motives, means and techniques of today's perpetrators. Yet, it's becoming harder to identify these threats. In the past few years, the nature of cybercrime has changed dramatically. Once a pastime for hobbyists and amateurs, cybercrime is now within the purview of organized criminal enterprises, whose agendas and methods are significantly different from those of the stereotypical hacker.

Starting with this issue, we will present a multi-part series on emerging security risks and assess their impacts on clubs. In Part One, we'll lay the groundwork, looking at the changing face of cybercrime and its evolving web of tactics and methods. In the next issue, we will consider how cybercriminals are targeting new technologies like social media, identify some specific technical risks faced by clubs and recommend countermeasures for thwarting attacks.

Old Stereotypes Die Hard

There was a time when most hackers could be typecast as the post-adolescent lone wolf, who occasionally ganged up with like-minded technophiles to engage in a few thrill-seeking escapades. They sought fame or infamy, along with some free merchandise and bragging rights. Their modus operandi followed some fairly predictable patterns, including the total absence of organizational structure and formal business plans. They tended to target big corporations and brand-name enterprises, so as to make a perceived political or social statement, or simply to find the most interesting stuff.

This may explain why historically, the club sector has not been a major target of hacking. Not only are many club organizations relatively small, many have little brand-name recognition, except perhaps in their local communities. There also may be the unspoken assumption that social organizations that do good things won't be targeted, assuming that hackers only target companies or industries they perceive to be the bad guys or simply faceless, bland corporations. By this logic, clubs wouldn't appear to be high-value targets for the old-school hacker.

Too Small to Fail

Because stereotypes die hard, clubs may take for granted that the risk of a security breach is low. They may view themselves as low-value targets that would not attract the attention of serious hackers. They also may see little chance of a security breach so serious that it would cause major damage to the organization. Assuming they're too small to fail, they may do only minimal security planning and rely on controls, security plans and tools that are several years out of date. From a practical standpoint, these assumptions translate into such security practices as: (1) using commercial off-the-shelf software with default settings, (2) using external technical experts, but forgoing the employment of staff security specialists and (3) not investing in advanced security technologies.

As data thieves and saboteurs have become more sophisticated, they have found other ways to morph their tactics. As previously noted, one significant trend is in the size of the organization being targeted. Traditional high-value targets – large corporations, financial institutions and brand-name companies – have generally become better at addressing their security problems and have largely plugged up the trivial gaps. As a result, hackers have moved on to easier targets, especially those they perceive might be vulnerable, i.e., not expecting to be hacked, and hence, without strong security measures in place. This would certainly include smaller businesses and organizations such as clubs.

Another reason for the shift from large to smaller-size entities is cost. New methods and technologies have been developed that reduce the resource costs of hacking small, soft targets. Whereas once only a large attack with a big payday made sense cost-wise to hackers, it's now just as easy and cost-effective to pursue targeted, detailed attacks against a variety of smaller organizations. The prevalent use of automated attack kits allows hackers to farm smaller targets with very minimal oversight. Research presented by Verizon in their 2012 Data Breach Investigations Report notes that security experts are investigating more cyber attacks against small enterprises. In 2009, only 27 percent of all attacks occurred at businesses with fewer than 100 employees, but just one year later, that percentage had ballooned to 63 percent.

Come back next week for Part 2, where we’ll continue to discuss how cybercriminals could be targeting your club.

For more information on security standards and practices for your organization, please contact Daimon E. Geopfert, national leader, Security and Privacy Consulting, Technology Risk Advisory Services, McGladrey LLP, at 312.634.4523.