It doesn’t matter what industry you work in: a security breach can happen to anyone. Depending on the industry and the scale of the breach, it will probably trend on social media, and most news stations will cover it (or, at a minimum, it will appear on their headline ticker). If you follow baseball, you’ve probably heard about the Cardinals and Astros hacking scandal.
In a nutshell, the Astros used software in which the team discussed its strategy, and those supposedly private conversations were leaked online for competitors to see. The risk of such a breach could have been greatly reduced if staff had followed a few basic practices.
Your association staff needs to have a cybersecurity plan in place should you ever find yourself a target. It is better to anticipate that it could happen than to assume it never will because “you’re just part of an association.” One part of that plan should be better password habits.
The following is an excerpt from Tony Cavicchi’s blog post “What Baseball Hacking Can Teach Us about Association Cybersecurity” from the Aptify blog.
Astros IT did the right things. They built secure software and monitored the login for brute force attacks. They kept an activity log of all users’ behavior inside Ground Control. They changed both the login URL and all user passwords after positive media attention made Ground Control a software buzzword in Texas.
Responsibility for enabling the hack appears to lie with three people: Luhnow, Mejdal, and someone else who came from the Cardinals to the Astros. This hack was a password behavior problem.
Not one, not two, but apparently all three reused the same or only slightly variant passwords for their Astros email as they had used at the Cardinals. Correa accessed their email and then their Ground Control accounts by looking up their passwords in the Cardinals system and then guessing those passwords at Astros login screens. By spreading his activity across three legitimate accounts inside Ground Control he decreased the chances Astros IT would flag anything as unusual. When Ground Control logins were updated he had the emailed info to log in again.
People increasingly talk about creating secure passwords. Aptify has our own guide to creating high-entropy passwords that ups your association cybersecurity game.
But the other side of the coin is educating your staff to understand even the best password can be compromised. Staff need to know their password to your association’s most important data on members is compromised the minute a staffer reuses that password for a new login to music streaming or to pay a monthly utility bill. Certainly, they should not reuse old passwords for their login to your email, your membership software, or your business intelligence.
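The excerpt’s point is that a password is only as secret as its least-protected reuse, and that “slightly variant” passwords (Astros2013 becoming Astros2014!) are reuse too. The check an authentication system can make at password-change time is to reject a new password that equals the current one, is a near-variant of it, or already appears in the user’s password history. Below is an added example of that check, not code from the original post, from Aptify’s product, or from the Astros’ Ground Control system; the normalization rules, the edit-distance threshold, the salt and the sample passwords are all assumptions made for illustration.

```python
import hashlib
import re

# Common "leet" substitutions, so that Astr0s and Astros normalize alike.
# (Assumed table; extend to taste.)
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Strip the leading/trailing digits and symbols people bolt on
    (Astros2014! -> Astros), lowercase, and undo leet substitutions."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.lower().translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or
    substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_variant(new: str, old: str, max_edits: int = 2) -> bool:
    """True when new is the same as old after normalization, within
    max_edits of it, or one contains the other (e.g. Astros2014rules)."""
    na = normalize(new) or new.lower()   # all-digit passwords normalize to ""
    nb = normalize(old) or old.lower()
    if levenshtein(na, nb) <= max_edits:
        return True
    shorter, longer = sorted((na, nb), key=len)
    return len(shorter) >= 4 and shorter in longer


def hash_for_history(pw: str, salt: bytes) -> str:
    """Slow salted hash for the password-history store. Only exact reuse
    is detectable against history, because old plaintexts are not kept.
    A production system would use bcrypt or Argon2 here."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()


def check_new_password(new: str, current: str, history: set, salt: bytes) -> list:
    """Return the reasons a new password must be rejected (empty = accept).
    `current` is the plaintext the user just typed to authorize the change,
    so a variant comparison is possible against it but not against history."""
    reasons = []
    if new == current:
        reasons.append("same as current password")
    elif is_variant(new, current):
        reasons.append("variant of current password")
    if hash_for_history(new, salt) in history:
        reasons.append("reused from password history")
    return reasons


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"            # constructed sample
    history = {hash_for_history("Winter2013", salt)}
    for candidate in ("Astros2014!", "Winter2013", "correct horse battery"):
        print(candidate, "->", check_new_password(candidate, "Astros2013!", history, salt) or "ok")
```

The variant check only works against the current password, which the user supplies when changing it; against the stored history only exact reuse can be caught, which is why normalization and edit distance matter at the moment the old plaintext is still in hand. A real deployment should also screen new passwords against a breached-password list, since the scenario in the excerpt (a password copied from another organization’s system) is exactly the kind of reuse a per-user history never sees.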
At the end of the day, mistakes will be made, but what matters is how you recover from them and what steps you take to ensure they don’t happen again. Make it a point to have a cybersecurity plan at your association and stay up to date on how you can continue to improve it.
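One practical lesson from the excerpt is worth making concrete: spreading the activity across three legitimate accounts kept per-account monitoring quiet, because each account saw at most a failed login or two, nothing a brute-force monitor would flag. The complement is to also key detection on the source, and ask which sources successfully log in to several different accounts. Below is an added example that contrasts the two views over a constructed log sample; it is not code from the original post, from Aptify, or from the Astros’ Ground Control system, and the log format, account names, addresses and thresholds are all hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format (hypothetical, not Ground Control's real format):
#   <ISO timestamp> login <ok|fail> user=<account> src=<client address>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login (?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: one source quietly using three legitimate accounts,
# plus the accounts' genuine owners logging in from their own addresses.
SAMPLE_LOG = """\
2014-03-10T08:00:00Z login ok user=analyst1 src=198.51.100.20
2014-03-10T08:02:00Z login ok user=analyst2 src=198.51.100.21
2014-03-10T09:12:01Z login ok user=analyst1 src=203.0.113.7
2014-03-10T12:30:45Z login ok user=analyst2 src=203.0.113.7
2014-03-10T21:05:10Z login fail user=analyst3 src=203.0.113.7
2014-03-10T21:05:40Z login ok user=analyst3 src=203.0.113.7
2014-03-11T08:01:00Z login ok user=analyst3 src=198.51.100.22
""".splitlines()


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def failed_logins_per_account(lines):
    """The per-account view: what a brute-force monitor sees. One failure
    per account never crosses any sane lockout threshold."""
    fails = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "fail":
            fails[ev["user"]] += 1
    return dict(fails)


def sources_using_many_accounts(lines, min_accounts=2, window=timedelta(hours=24)):
    """The per-source view: sources that successfully log in to at least
    min_accounts distinct accounts within any window-sized span.
    Returns {source: sorted list of accounts} for each flagged source."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "ok":
            by_src[ev["src"]].append((ev["ts"], ev["user"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        # Largest set of distinct accounts seen in any window starting at an event.
        best = max(
            ({u for t, u in events[i:] if t - start <= window}
             for i, (start, _) in enumerate(events)),
            key=len)
        if len(best) >= min_accounts:
            flagged[src] = sorted(best)
    return flagged


if __name__ == "__main__":
    print("failed logins per account:", failed_logins_per_account(SAMPLE_LOG))
    print("sources using many accounts:", sources_using_many_accounts(SAMPLE_LOG))
```

The per-account counter reports a single failure for one account, which is exactly the quiet picture the excerpt describes. The per-source view flags the one address that authenticated as three different people inside a day, while the owners’ own addresses, each tied to one account, stay clean. In a real environment the source key might be an IP, a device fingerprint or a session cookie, and the threshold should account for shared NATs and VPN gateways, but the principle is the same: an attacker who borrows several legitimate accounts still has to come from somewhere.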