Worried about data security? The threat is real for associations.

26 Feb 2018 4:56 PM | Deleted user

Could your organisation survive the loss of member trust that follows a cyber attack you had the ability to prevent? Just one incident could destroy your organisation’s brand.

By Paul Ramsbottom, Managing Director at ASI Asia-Pacific

In just the past few years, the way associations communicate with members and constituents has undergone massive change — and this change is happening at a blistering pace.

More than likely, the Association Management System (AMS) or CRM you bought just a few years ago to manage your data is now close to obsolete, because it can’t keep up with the newest technology developments or with your members’ and constituents’ rapidly expanding needs. In particular, your current system is probably not equipped to defend against the very real — and very frightening — data security risks your organisation is now facing.

Security threats are everywhere — no geographic area or industry is immune (including associations).

Security challenges require more focus, planning, and resources than ever before. It’s no longer enough to simply secure your data and third-party applications — you must ensure that the data centre where your entire system is stored is secure. Data security is a proactive AND reactive process.

How do you mitigate your risk? And how do you ensure your data and your organisation’s reputation are protected?

The majority of security breaches have some sort of root cause related to employee negligence. The top 5 causes of breaches are:

1. Weak Credentials

2. System Misconfiguration

3. Service/Software Vulnerability

4. Web Application Vulnerability

5. Social Engineering

Along with the tangible financial losses that can result from a data breach, a recent survey conducted by the Ponemon Institute estimates that an organisation’s brand value drops anywhere from 17-31% after a breach. That is almost a third of your brand value that you could lose due to a data breach. And your brand value is arguably your most important asset.

Specific Threats to Associations and Not-for-Profits

Despite what some may think, associations and not-for-profits aren’t immune to security breaches. There are growing threats that you need to protect against today before your data is compromised and your organisation’s reputation is irrevocably damaged. Associations and not-for-profits need to be particularly vigilant because:

  • Your mission/philosophy may be polarising, which makes you an attractive target for ‘hacktivists.’
  • Unlike larger companies, not-for-profits have fewer protections in place and are still typically on a sharp learning curve (and hackers could prey on this).
  • Even though you don’t have millions of credit card transactions, you’re still at risk (hackers may see you as a weak target).
  • Not all data breaches are for credit card information — your organisation may be hacked in an effort to embarrass and harass you by those who are opposed to your mission.
  • As your budget/revenue continues to grow, you become more vulnerable.
  • With more organisations looking to offer members and constituents online and self-service options to improve efficiency and reduce costs (and provide greater constituent convenience), there’s a greater need to protect against security breaches.

Understanding PCI Compliance/Critical PCI Basics

Your organisation probably accepts credit cards for on- and off-line membership renewals, product purchases, and event registrations. PCI compliance means you’ve taken the necessary steps to ensure your constituents’ payment card data is kept secure through every transaction and that they — as well as your organisation — are protected against data breaches.

There are two main types of PCI standards that you need to be aware of:

PCI-DSS stands for Payment Card Industry Data Security Standard and applies to service providers – such as application hosting or data centres – that store, process, or transmit cardholder data.

PA-DSS stands for Payment Application Data Security Standard and applies to software applications that process credit card transactions, i.e. that store, process, or transmit cardholder data.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements designed to protect cardholder data. Cardholder data is any personally identifiable data associated with a cardholder, including:

  • Primary Account Number
  • Expiry Date
  • Name
  • Magnetic Stripe Data

All merchants accepting debit/credit cards must comply with the PCI DSS at all times — including associations that accept electronic payments. PCI compliance is an ongoing process, not a one-time event — so your organisation needs to stay on top of its status at all times to prevent security breaches today and in the future.

While many software solution providers claim they’re PCI-compliant, the truth is, many are not. How can you know who to trust? You can check to see which solutions have been validated on the PCI website (https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement). Always look for the PCI-validated logo when choosing a provider.

The highest level of security you can achieve is to manage your data with a solution that is PA-DSS Validated, running in a hosting environment that has been assessed as PCI Compliant by a third-party assessor.

PCI is specifically geared towards the security and protection of credit card-related data. But, because it is such a stringent and comprehensive security standard, it helps with data security in general. As an example, the latest PA-DSS standards set stringent requirements for the creation, storage, and retrieval of user IDs and passwords.

So what can and should you be doing?

1) Educate yourself on the various security standards and perform your own security self-audits.

Organisations including the Online Trust Alliance, National Institute of Security, Open Web Application Security Project and the Payment Card Industry Security Standards are excellent sources of best practices and resources.

There are also several great resources to perform your own security self-audit, including:

  • Security Self-Assessment: https://otalliance.org/resources/security-privacy-risk-assessment
  • PCI Self-Assessment: https://www.pcisecuritystandards.org/pci_security/completing_self_assessment
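One concrete self-audit step that the resources above point towards is checking whether unmasked cardholder data has leaked into places it should never be, such as application logs or data exports. The following scanner is an added example written for this article, not code from ASI, AuSAE or any of the linked organisations. It looks for runs of 13 to 19 digits (optionally separated by spaces or dashes), keeps only those that pass the Luhn check used for payment card numbers, and reports them masked (first six and last four digits, which is the usual display form) so the audit report itself does not become a new copy of the data. The log lines are constructed for the example; the card number in them is a widely published test number, not a real account.

```python
import re

# Candidate: 13-19 digits, each optionally followed by a space or dash,
# not preceded or followed by another digit (so a 20-digit id is not sliced).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers. Filters out most
    long numeric ids (order numbers, timestamps) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, star out the middle."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (offset, masked_pan) for every Luhn-valid PAN in text."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append((m.start(), mask_pan(digits)))
    return findings


def scan_lines(lines):
    """Audit a sequence of log/export lines; returns (line_no, masked_pan)."""
    report = []
    for n, line in enumerate(lines, 1):
        for _offset, masked in find_pans(line):
            report.append((n, masked))
    return report


# Constructed sample: a renewal log that accidentally records a full PAN
# on line 1, a correctly masked PAN on line 2, and two numeric decoys.
SAMPLE_LOG = [
    "2018-02-26 16:56:01 renewal member=10432 card=4111 1111 1111 1111 exp=12/19 status=approved",
    "2018-02-26 16:57:14 renewal member=10433 card=411111******1111 status=approved",
    "2018-02-26 16:58:02 order id=1234567890123456 total=120.00",
    "2018-02-26 16:59:40 contact phone=+61 3 9000 0000",
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: unmasked PAN found ({masked})")
```

Only line 1 is reported: the masked value on line 2 has too few digits to qualify, the 16-digit order id fails the Luhn check, and the phone number is too short. Run it over exported database tables, support-ticket attachments and web-server logs; any hit means cardholder data is being stored outside the scope you assumed for your PCI assessment.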

2) Ask Your AMS/CRM Vendor about their PCI compliance

When evaluating the security of your current or future Association Management System or CRM, use the following checklist to ensure your security is optimised:

Service Providers (Hosting Centres):

  • Do they have an approved Attestation of Compliance (AoC) on file with the PCI Security Standards Council?
  • What is the current approved level of PCI PA-DSS?
      ◦ The vendor should be able to provide the approved product name, product version #, PCI PA-DSS version #, re-validation date, and the expiry date, and you should confirm what they tell you by going to https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement.
  • What is their plan to get current?
  • Do they have a comprehensive Corporate Security Assurance Plan designed to ensure client security?
  • Have they engaged independent penetration testing services to ensure their systems are protected from the latest security threats?

Software Product Vendors:

  • Do they have a completed and approved PCI PA-DSS ‘Validation’ on file with PCI DSS — or are they simply ‘PCI-Compliant’?
  • What is the current approved level of PCI PA-DSS?
  • What is their plan to get current?
  • Do they adhere to secure coding and testing practices as published in OWASP security standards?

Don’t just take your vendor’s word: check with the appropriate regulatory bodies as well.

And finally, in the longer term you should look to create your own corporate data security plan and possibly seek third-party assistance in doing so.

Advanced Solutions International (ASI) is a recognised global, industry thought leader that focuses on helping associations and not-for-profits increase operational and financial performance through the use of best practices, proven solutions, and ongoing client advisement. Read the whitepaper at www.advsol.com/AuSAEnews



The Australasian Society of Association Executives (AuSAE)