A ransom was demanded to have it unlocked.
In the end the cybercrooks wiped out the Chamber’s entire membership database and 130,000 files. In addition, the computers had to be replaced, costing the Chamber $4,000 and dozens of hours of aggravation.
What To Do Right Now
The FBI has some basic advice for protecting your infrastructure:
- “Don’t drive in bad neighborhoods.”
- “If you don’t lock your car, it’s vulnerable; if you don’t secure your computer, it’s vulnerable.”
- “Reduce your vulnerability, and you reduce the threat.”
The FBI includes the following key steps to protecting your computer from intrusion:
- Make sure you have a firewall and it is turned on
- Make sure your anti-virus software is running and up to date
- Keep your operating system up to date
- Be careful what you download
Here are a few additional steps from the NimbleUser team:
- Make sure you have backups done at least nightly and stored off-site (smaller organizations should look at services like Crashplan)
- Test your backups – this step is often overlooked and organizations sometimes find that they cannot restore a backup
- Establish a rigorous password policy. Test password strength with tools like Password Meter
- Make sure your email solution has solid spam / malware detection. Many viruses are installed from payloads distributed via email
- Develop a business continuity/disaster recovery IT plan for various types of system failures (natural disasters, human error, etc.)
- Make sure your firewall restricts access to only necessary ports. Example: SQL Port 1433 should not be public
- If possible, isolate your database application on its own server, and prevent that server from accessing the internet directly
- Audit user login accounts frequently; disable accounts no longer needed (for example, past employees and third-party vendors)
- Don’t use the administrator / SA Password for web applications
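The last four items above (restricting firewall ports, auditing login accounts, and keeping the administrator / SA login out of web applications) are the kind of checks that can be automated and run on a schedule. The script below is an added example, not NimbleUser's or the FBI's own tooling; the firewall rules, account list and connection string it audits are constructed sample data, and the set of "internal-only" ports and the 90-day idle threshold are assumptions a practitioner would tune to their own environment.

```python
"""Audit constructed firewall rules, user accounts and a web-app connection
string against the checklist above. All sample data is constructed."""
from datetime import date, timedelta

# Assumption: ports that should never be reachable from the public internet.
INTERNAL_ONLY_PORTS = {
    1433: "SQL Server",
    3306: "MySQL",
    5432: "PostgreSQL",
    3389: "RDP",
    445: "SMB",
}

# Source specifiers that mean "anyone on the internet".
PUBLIC_SOURCES = {"0.0.0.0/0", "::/0", "any"}

# Logins a web application should never connect with.
ADMIN_LOGINS = {"sa", "admin", "administrator", "root"}


def exposed_internal_ports(rules):
    """Return (port, service) pairs for internal-only ports open to any source."""
    findings = []
    for rule in rules:
        port = rule["port"]
        if port in INTERNAL_ONLY_PORTS and rule["source"].lower() in PUBLIC_SOURCES:
            findings.append((port, INTERNAL_ONLY_PORTS[port]))
    return findings


def stale_accounts(accounts, today, max_idle_days=90):
    """Return active accounts whose last login is older than max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        a["user"] for a in accounts
        if a["status"] == "active" and a["last_login"] < cutoff
    )


def web_app_uses_admin_login(connection_string):
    """True if a key=value connection string logs in as a privileged account."""
    for part in connection_string.split(";"):
        key, _, value = part.partition("=")
        if key.strip().lower() in ("user id", "uid", "user"):
            return value.strip().lower() in ADMIN_LOGINS
    return False


def audit(rules, accounts, connection_string, today):
    """Run all three checks and return a list of human-readable findings."""
    report = []
    for port, service in exposed_internal_ports(rules):
        report.append(f"firewall: {service} port {port} is open to the public internet")
    for user in stale_accounts(accounts, today):
        report.append(f"accounts: '{user}' is active but has not logged in for 90+ days")
    if web_app_uses_admin_login(connection_string):
        report.append("web app: connection string uses an administrator / SA login")
    return report


# Constructed sample firewall rules (hypothetical environment).
FIREWALL_RULES = [
    {"port": 443, "proto": "tcp", "source": "0.0.0.0/0", "service": "https"},
    {"port": 1433, "proto": "tcp", "source": "0.0.0.0/0", "service": "mssql"},
    {"port": 3389, "proto": "tcp", "source": "10.0.0.0/8", "service": "rdp"},
    {"port": 25, "proto": "tcp", "source": "0.0.0.0/0", "service": "smtp"},
]

# Constructed sample accounts (hypothetical users).
ACCOUNTS = [
    {"user": "jsmith", "last_login": date(2024, 5, 1), "status": "active"},
    {"user": "vendor_support", "last_login": date(2023, 9, 10), "status": "active"},
    {"user": "mbrown", "last_login": date(2023, 11, 2), "status": "active"},
    {"user": "old_intern", "last_login": date(2022, 1, 1), "status": "disabled"},
]

# Constructed connection string with a placeholder password.
CONNECTION_STRING = "Server=db01;Database=ams;User Id=sa;Password=PLACEHOLDER"

if __name__ == "__main__":
    for line in audit(FIREWALL_RULES, ACCOUNTS, CONNECTION_STRING, date(2024, 6, 1)):
        print(line)
```

Run against the sample data, the audit flags SQL Server port 1433 as publicly reachable (RDP on 3389 is allowed only from the internal 10.0.0.0/8 range, so it passes), reports the two active accounts that have not logged in for over 90 days while skipping the already disabled one, and flags the web application's `sa` login. In practice the inputs would come from exporting the firewall's rule set and the directory's last-logon data rather than from inline constants.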
Mitigate Your On-Premise Software Risk by Moving It Off-Premise
Is your staff equipped to take on international cyber criminals? Are infrastructure and cyber security a business your association should be in? Probably not, as there are better and cheaper alternatives.
If your organization is still using on-premise software, take these intermediate steps to minimize your association’s risk:
- Have an established Managed Services provider host your software in their (better secured / better monitored) facility
- Consider services like Amazon Workspaces to virtualize your desktop computers off-site
Embrace the Cloud! The Right Solution for Professional and Trade Associations
The established cloud providers have huge security teams, security and threat detection tools and a generally far more robust security infrastructure. Your association can leverage that in many ways, but the most obvious are the following:
- Move your Association Management System to a true enterprise cloud-based solution. Nimble AMS is an excellent example of association software built on an enterprise-grade CRM platform. Salesforce includes unparalleled security measures with access control, physical security, environmental controls, power, network and 24/7 monitoring (full details).
- Move your email, collaboration and office productivity suites to the cloud. Move to Google Apps or Office 365. These products are significantly more secure than using similar software on-premise. Google Apps is even SAS 70 compliant.
- Use an enterprise cloud password utility like Lastpass to store passwords. Lastpass can also set standards of password quality and perform other security audits against your passwords.
The true cloud will make your association more productive and will significantly lower the total cost of ownership of these critical software tools. And best of all, you will sleep well at night knowing that your database is as secure as it can be and backed up.