There’s a cautionary tale for association leaders and managers in the Wall Street Journal describing how “spies” have successfully penetrated the US electrical grid and other infrastructure systems in recent years. Interestingly, many of the penetrations were not uncovered by the companies in charge of the infrastructure, but rather by the U.S. intelligence community. WSJ writer Siobhan Gorman reports that U.S. National Director of Intelligence Dennis Blair has told Congress “over the past several years we have seen cyber attacks against critical infrastructures abroad and many of our own infrastructures are as vulnerable as their foreign counterparts.”
Which led me to wonder how many organizations in the non-profit community have taken the time to identify their own “critical cyber assets”? And how many have created management structures and protocols to properly protect and test them from time to time? No, I’m not talking about making sure you have a back-up of your computer database and critical files stored off site (it is stored off-site and tested for functionality from time to time, right?), although that’s important, to be sure. No, I was really pondering the notion of what might comprise the “critical cyber assets” of your organization. Perhaps databases, with suspects, prospects, customers and members. Check. The financial data system, including system backups, accounts receivable, tax filings, and payroll records. Check. Are the customer database and financial systems segregated by a firewall or other barrier? If someone hacked your member database, could they walk through your financial system too? How about the inventory of periodicals, publications and articles that comprise the intellectual property of the organization? Check. Convention, conference and seminar registration data, speaker resources, submissions, contracts, venue agreements, and planning documents? Check. Where’s the back-up for governance records of the organization such as Board and committee minutes, bylaws, articles of incorporation, IRS determination letters and related correspondence? Got it. Good. Check. What’s your plan to assure that your organization’s new social media assets such as Facebook, Twitter, MySpace, LinkedIn or Plaxopages could be resurrected were they to be hacked or lost to some sort of cyber-glitch?
I’m sure you and your team can come up with a more comprehensive list than what’s here, and that’s exactly my point. If you haven’t already done so, now is a great time to get started, and if you’ve already walked this path, now could be a great time to re-check your steps. Have you overlooked anything? Are your firewalls and external and internal intrusion detection systems up to date and secure? Sure, there may be bigger and juicier targets for hackers than your organization, but the threat can arise from within, too. The Wall Street Journal story describes an incident in 2000 when a disgruntled employee in Australia rigged a computerized water control system to let loose a stream of 200,000 gallons of sewage, flooding parks, rivers and a local hotel. So, about those critical cyber assets?