Short Report: Why Associations Need Cyber Security

Think your association isn’t appealing to hackers? Think again.

Associations are consistently the organizations most at risk of being hit by cyber attacks, simply because of the sheer volume of data they own, from membership and partner data to sponsor and vendor financial information. Associations are prime targets for hackers, and a cyber attack on an association can result in reputational damage, consequential costs, and loss of members. Whether you’re running a membership renewal, planning a conference, storing large amounts of data, or adjusting to temporary spikes in web traffic, it’s imperative that your network, applications, and Association Management Software (AMS) system are always secure and performing efficiently so that your critical information is safe.

With that said, some associations are starting to invest in a cyber security strategy. Others, not so much. Listed below are associations that have been hacked in the last year:

American Bankers Association

  • What was stolen? Shopping cart user names, passwords and email addresses
  • How many victims did the attack claim? 6,400 ABA account users
  • What was the response? The American Bankers Association identified the problem in its website’s shopping cart application and began working with a local cyber security firm to understand the crux of the issue and how to prevent future instances from occurring.

Orange County Employees Association

  • What was stolen? Member names, addresses, dates of birth, Social Security numbers, driver’s license numbers, payroll information, insurance enrollment information, retirement statuses, usernames, passwords, and information concerning dependents.
  • How many victims did this attack claim? Undisclosed, but included association members, non-members, Health & Welfare Trust participants, staff, dependents of any of these individuals, and others.
  • What was the response? The attack had been underway close to two months before it was discovered in parts of the OCEA network. The victims were offered credit monitoring, identity theft restoration, and insurance services for up to one year.

Direct Marketing Association

  • What was stolen? Information from debit or credit cards used on the association website’s bookstore, including the names, account numbers, security codes, and expiration dates printed on the physical cards.
  • How many victims did this attack claim? Undisclosed
  • What was the response? After discovering malware on its association server, which was maintained by an undisclosed third-party vendor, the association offered one year of credit monitoring services to the affected victims at no cost.

Jefferson National Parks Association

  • What was stolen? Debit and credit card numbers from two stores at the Gateway Arch, namely The Levee Mercantile and The Museum Store
  • How many victims did this attack claim? Undisclosed
  • What was the response? The malware was discovered close to six months after it was installed on point-of-sale machines at the gift shops in question. Investigators were able to trace the original attack point to a terminal that was initially situated outside of the association’s purview, at a third-party vendor site.

A key point to keep in mind: third-party vendors played a significant role in at least two of the four highlighted association cyber attacks. That being said, associations are just as vulnerable to the very same attacks that threaten for-profit businesses on a daily basis. Having a company such as Neovera as your experienced cyber security protection team allows for peace of mind. We have over 15 years of experience in the field and are able to identify risks and outline specific, actionable steps to improve your cyber security posture. Your association, its data, and critical systems are completely protected as we pinpoint security threats inside and outside of your environment, and implement the necessary measures to prevent breaches and data loss. Bottom line: We protect your association from cyber attacks.

Securing Data Collection for Associations

While much of the data security conversation focuses on for-profit industries, more discussions should include non-profits and associations as well. The number of associations has nearly doubled in the last few decades, and in an era of “big data” and constant data collection it’s imperative to have the proper measures in place lest your organization fall victim to potential threats.

What types of data does your association collect? Perhaps the most critical is the data and information of an association’s members. This data may include such things as names, phone numbers, or addresses. Many association members pay dues or make consistent donations from a bank account or credit card. These days many associations store this information so it can be retrieved later, which allows them to automatically charge dues to members or keep track of donations/income. Some associations may even require a Social Security number or other private identification. This is the type of data that can be really vulnerable and valuable to a digital intruder.

Consider if your association had a data breach and your members’ credit card numbers, bank account information, and Social Security numbers were stolen. Your organization would suffer reputational damage, members would leave, and the cost to remedy the breach would be very high. What could you have done to prevent such a thing? How do you reassure members that their valuable and sensitive data remains secure?

  • Evaluate the current state of your data’s security: Known as a security or risk assessment, it outlines the measures you currently take to protect your data, and the possible risks that are out there.
  • Understand your disaster recovery methods: Malicious software or even a heavy weather event could be a threat – completing consistent backups and having a disaster recovery plan is just as imperative as securing your data.
  • Business continuity: Determine who will be responsible for data backup and/or recovery, outline the steps to take and what other members of your team will be notified or involved.

Overall, data security and disaster recovery methods are essential to running a successful association and maintaining trust with your members and others in the community. If your association is unsure of how to move forward, consult with cyber security experts such as Neovera who can help with risk assessments and business continuity plans.

Case Study – Maximizing Uptime and Profits in a Highly Secure Custom Application Environment

CLIENT OVERVIEW
Proponix is a financial services consortium that consists of Wells Fargo, Australia New Zealand Bank (ANZ), Bank of Montreal, Barclays UK, the Union Bank of California, and CGI-AMS. Proponix provides trade finance processing in an IT outsourced model. One of Proponix’s key services is to provide letters of credit – documents issued by a financial institution assuring payment to a seller of goods and services during a business transaction. As an international financial conglomerate with billions of international trade transactions annually, Proponix built, hosted, and managed a custom application to process these letters of credit transactions.

THE CHALLENGE
The Proponix environment is a complex infrastructure consisting of hundreds of servers and network devices that must be highly secure, given all of the internal financial processing. These include multiple systems and technologies, including Cisco, Juniper, BMC, F5, Windows, Solaris, Oracle, EMC, and NetApp. Proponix elected to seek outsourcing assistance in monitoring, managing, and developing its critical banking application, which processes $6.5 billion in international trade transactions annually. As such, the cyber security requirements were extensive due to the number of international banks involved, the sensitivity of the data, and the volume and dollar value of trade transactions.

NEOVERA SOLUTION

Neovera, a trusted provider of managed security services, developed a custom cyber security solution to manage, operate, and monitor the client’s environment. Multiple vendor firewalls were used to provide network security from intruders and to create multiple internal network segments for additional security. Several intrusion detection systems were used, including network intrusion detection systems (NIDS), host intrusion detection systems (HIDS), and network/security correlation tools, to secure the client’s servers. Remote access to servers was secured with stand-alone IPsec hardware virtual private networks (VPNs) and multi-factor authentication using hardware tokens. Neovera also used trusted operating system technology developed for the U.S. Department of Defense to secure some of the core servers.

Proponix was originally architected on Solaris (SPARC, including Trusted Solaris) and AIX on multiple database platforms – Oracle and SQL Server. Neovera performed multiple Oracle migrations, upgrading both database and clustering technologies. SQL Server upgrades were also performed. As part of the CGI acquisition and data center move to Canada, Neovera migrated all Solaris systems to Linux and also performed the database migrations from Oracle on Sun Solaris to Oracle on Linux.

BOTTOM LINE RESULTS
The Proponix project is an excellent example of Neovera’s in-depth expertise in cyber security, threat intelligence monitoring, and custom application management. Neovera successfully architected, implemented, and managed production and disaster recovery operations on a 24×7 basis for Proponix for five years. During this time, Neovera successfully maintained 100% scheduled uptime in an environment that consists of over 300 servers and network devices, while ensuring the security of all systems. In a situation where application uptime was directly proportional to profits gained, Neovera was able to deliver consistent results and exceed client expectations.

Neovera and 20twenty Strategic Consulting Announce Partnership to Provide AMS Hosting

10/17/14 – Neovera and 20twenty Strategic Consulting have partnered to offer comprehensive hosting, managed services, and application development to the AMS community.

With clients such as AFP, ACS, TEI, NRF, and National Geographic Society, Neovera has extensive experience providing infrastructure platform and managed hosting solutions to associations and non-profit organizations. With over 70 AMS clients, 20twenty provides consulting, implementation and development services. Together, Neovera and 20twenty are the Gold Standard in providing enterprise-class managed hosting to the associations community – helping them achieve cost-savings and greater levels of service availability.

The expert team alleviates the challenges of supporting the infrastructure by assuming maintenance and support tasks including:

  • 24×7 Monitoring and Remediation
  • Application Management
  • Database Administration
  • Backup Management
  • Disaster Recovery
  • Storage Management
  • Hosting Support Services

To complement hosting support, the team also offers the following specialized AMS services:

  • System Audits
  • System Upgrades
  • On-Going Patch Management
  • Best Practices, Training and Development

With Neovera & 20twenty’s AMS hosting and managed services, organizations will be able to achieve the following:

  • Focus on their members and core mission, not technology and IT maintenance.
  • Eliminate the disruptions and resources required to upgrade their AMS.
  • Reduce costs through an outsourced infrastructure model.
  • Access technology experts to augment capabilities of internal staff.

To learn more about AMS managed services by Neovera & 20twenty, contact us at:

(866) 636-8372
sales@neovera.com

Importance of Maintaining Proper Data Security for Associations

Data security is not just a factor for major corporations and other businesses. It matters just as much for associations. Many associations are collecting just as much, if not more, data than for-profit entities, and the number of associations continues to rise each year. As we talked about in a previous post, the number of associations has nearly doubled in the last few decades, and in an era of “big data” and constant data collection it’s imperative to have the proper measures in place to secure this data from potential threats.

What types of data does your association collect? Perhaps the most relevant to data security is the data and information of an association’s members. This data may include such things as names, phone numbers, or addresses. If these are stolen or hacked, it might not be that big of a deal – yet still not a good thing. A name, address, or phone number is fairly easy to obtain of course, and probably not the target. We need to think a little bigger here.

Many association members pay dues or make consistent donations from a bank account or credit card. These days many associations store this information so it can be retrieved later, which allows them to automatically charge dues to members or keep track of donations/income. Some associations may even require things such as a Social Security number or other private identification. This is the type of data that can be really vulnerable and valuable to a digital intruder.

Imagine if your association had a data breach and your members’ credit card numbers, bank account information, and Social Security numbers were copied or stolen. How would your association look to not only your constituents but the rest of the community? Your organization would likely lose a lot of trust, and could ultimately find itself in an even more precarious position. What could you have done to prevent such a thing? How do you ensure that valuable and sensitive data remains secure?

The first step is evaluating the current state of your data’s security. This is often called a security or risk assessment. It outlines the measures you currently take to protect your data, and the possible risks that are out there. Furthermore, it may also outline what steps to take should an attack occur or a threat be imminent, and will determine what types of compliance may be necessary as well.

Beyond data security, you also want to be able to recover your data if anything is lost. Disaster recovery methods are just as important as securing your data. Malicious software or even a heavy weather event could take down your database or cause you to lose important changes you’ve made. Completing consistent backups and having a disaster recovery plan is just as imperative as securing your data.

The first step to creating a solid disaster recovery plan is determining who will be responsible for backing up your data, and who will be responsible for recovering it should things go awry. Then you can outline the proper steps to completing these tasks and what other members of your team will be notified or involved. This falls into the category of business continuity, or “association” continuity if you will.

Overall, data security and disaster recovery methods are essential to running a successful association and maintaining trust with your members and others in the community. If your association is unsure of how to move forward with proper data security and/or disaster recovery, we suggest consulting with IT experts like Neovera who can help with risk assessments and business continuity plans.

The Potential of IT for Associations & Non-Profits

When most of us think of IT we tend to associate it with a business or a for-profit entity. The truth of the matter is IT is everywhere – from large businesses to small, major associations to local non-profit organizations, and everything in between. Associations need reliable and scalable IT as much as the next organization or company, and as the association landscape continues to change, the importance of IT resources and expertise continues to grow. However, so do the challenges. We’ll explore how the association industry has evolved and how IT can prepare associations for the future.

According to a recent study in the Public Administration Review, non-profit organizations are “working in an era of heightened scrutiny, greater demands, fewer resources, and increased competition”. To expand a bit further, in the last three decades the number of NPOs has nearly doubled and these organizations are now in direct competition with other NPOs as well as for-profit companies. The non-profit sector has somewhat struggled to meet the challenges of increased competition while striving to provide better services. One area that has slowed this growth is IT.

The simple fact is most NPOs are facing ever-decreasing budgets with a need to get more out of the resources they already have. Another problem is that NPOs simply don’t have the IT expertise and resources needed to be the best they can be. Given this, it’s important that associations not only provision the talent needed to take advantage of newer technologies, but do it wisely.

Before we can talk about possible solutions, it’s imperative to outline what the goals for different organizations are and how IT plays a part. Of course, for-profit goals are to strategically gain profits and market share leading to shareholder wealth. For NPOs, it’s to fulfill a social mission or increase membership – and money is simply a means to fulfill these goals more successfully. Now, how do NPOs and associations achieve these goals using IT as a springboard?

Seeing as how IT resources are at a premium, it’s increasingly important to use these resources the best way possible. The problem is many NPOs simply don’t have the talent (or can’t attract the talent) necessary to ensure their mission is completed at the highest level. These days most associations have a website, or a method of electronically taking donations/dues, or use email to stay in touch with members and constituents. What they don’t have is a secure, scalable IT infrastructure. A solution to this problem is outsourcing their IT environment.

We’ve all heard the term “Leave it to the experts”. What are most NPO personnel good at? They’re good at finding donors or new members, allocating funds to their mission, and putting together events to foster the growth of the organization. Companies like Neovera are experts in IT. Leaving IT infrastructure and security up to an expert can alleviate IT headaches and help organizations reduce cost, time and risk, allowing them to focus on achieving business goals and ensuring end-user satisfaction.

An IT expert can assess and accommodate the needs of any organization, whether it’s completely outsourcing the IT environment, provisioning of cloud services, application deployment, disaster recovery, or database management. They can determine an organization’s IT needs and provide a scalable solution that enables future growth, allowing organizations to not only keep up with the competition, but keep up with the newest technologies and use them to their advantage.

The IT needs of an NPO or association are critical to its success, and a trusted IT partner like Neovera can provide the support and expertise necessary to achieve that success.