If your club’s computer system becomes corrupted or otherwise unavailable, how long could you operate without it? The answer is probably not long. Cyber criminals know and depend on that reality, which is contributing to the growing threat of malware or ransomware attacks.
Take these steps to lessen the likelihood of a successful computer attack:
- Practice the system access protocols in “Improving Your Club’s Data Security” in the December 2017 issue of Club Solutions.
- Teach your employees to recognize and permanently delete spam and spoofed email. Spoofed messages appear to come from trusted sources and use addresses so convincing that unsuspecting recipients may launch an infected link or attachment.
- Restrict administrative access on your computers. If unsuspecting employees with administrative access launch malware on their computers, that access may be all a hacker needs to migrate from one computer to your entire system or your vendor’s system.
- Back up your computers regularly and store backup media offsite so your club’s system can be recovered and normal operations restored without significant downtime.
- If you use an IT service or application service provider for your system, make sure they employ these security practices.
In addition to email threats, educate your employees to beware of social engineering fraud. This is an evolving risk category that refers to attempted theft through a modern confidence scheme. In a social engineering attack, a criminal uses publicly available information, such as your club’s website, to learn about your key personnel, obtain their email addresses and even information about the vendors with which you do business. Next, the criminal impersonates a key vendor to request that payment, or future payments, be sent to a different address or bank account. Or they impersonate a top club employee to request a transfer of funds to a different account than usual for alleged business purposes. If your employee doesn’t question an unusual request and deposits funds as instructed, the fraud may not be detected until the actual vendor asks why they haven’t received payment.
Train your employees:
- Never accept such requests at face value.
- Always verify requests independently, using contact information your organization has already established rather than the contact details sent by email.
In spite of your best efforts, your club may still suffer a computer attack or social engineering fraud. Review your insurance program to ensure that your club has coverage to help you respond quickly, recover your operations and maintain the confidence of your customers, employees, vendors and even regulators.
This loss control information is advisory only. The author assumes no responsibility for management or control of loss control activities. Not all exposures are identified in this article.