Association Leadership - September/October 2015 - (Page 18)
FE AT u R E
Is Your Website Safe?
Safeguards to keep you and your members' data secure
by nick weynand and stephen tidmore
I
n early July, we learned
that the U.S. Office of
Personnel Management
suffered two major data
hacks that led to the
distribution of more than
21.4 million Americans' sensitive
personal information. The depth
and detail of the information
stolen is unprecedented. But,
while it is the largest single
cyber theft in American history,
the OPM breach isn't nearly the
first - nor will it be the last.
Cyber security failures have
become so popular, in fact, that
U.S. News and World Report
tagged 2014 the "year the hack
went viral." As technology
extends further into our daily
lives, and as more data is put
into the cloud, the steps you take
to secure your members' data
is critical.
And while most hackers
will continue to exploit larger
organizations in possession of
sensitive and actionable data,
associations are not immune to
the nefarious intentions of these
anonymous (and often foreign)
digital thieves. In fact, a couple of
TSAE member associations have
been victims to cyber attacks in
the last few years.
ThE BENEfIT Of
ONLINE SECUrITY
Despite what Hollywood
suggests, hacking encrypted
data isn't a simple task. The OPM
breach was actually two breaches
conducted over the course of
months by what is assumed to be
a large team of hackers sponsored
by the Chinese government.
Think of it this way: You're
a burglar. Not wanting to get
nabbed by the cops, you prefer
a quick in-and-out job with low
risk. So you drive up and down
a residential street looking for
candidates, finally settling on
two large homes sitting side by
side. They both appear empty
and their size and style imply a
lucrative haul waits inside.
The only difference between the
two houses? One has a sign in the
front yard that reads "This Home
is Protected by XYZ Security" and
the other doesn't. Which house
will you decide to rob?
Hackers tend to operate the
same way. They'll cruise the
Internet looking for "open
windows" through which they
can easily slip. If they see that
your association site has an
easily exploitable gap, they're
much more likely to give it a go.
However, if you adopt some basic
cyber security tools and policies,
the would-be thieves will stroll
down the Internet superhighway
to the next site.
So what can your association do
to discourage would-be hackers
from stealing your members'
data? We'll start with the simplest
tactics before digging into the
more complex options available.
Even if you don't have a dedicated
IT professional working on your
website, you should be able to use
many of these recommendations.
USE hTTPS WITh AN
SSL CErTIfICATE
Let's start by wrapping our
head around a couple of terms:
* "HTTP" stands for "hypertext
transfer protocol," which is a
technical way of describing
how data is transferred over
the Internet - and how you see
and interact with websites in
your browser.
18 September/October 2015/Association LEADERSHIP
* "SSL" stands for "secure socket
layer" and is the tool by which
Internet communications are
encrypted and, thus, secured.
* "HTTPS" (with the extra "s"
for "secure") uses the SSL to
securely transfer data from
your Web server to your
users' browsers.
When security isn't a
concern - such as when you
share a blog post - HTTP is
perfectly acceptable. But when
the sensitivity of data must be
protected, you want it to be on a
secure site (i.e., HTTPS). At the
very least, the sections of your
association's website that contain
personal member data need to
be secured by an SSL certificate.
If you don't currently have an
SSL certificate for your site,
getting one is a relatively simple
process. The Secure Sockets
Layer website offers an article
titled, "How do I get SSL on my
website?" (info.ssl.com/Article.
aspx?id=10694) that gives you
step-by-step instructions. Your
quickest and easiest option,
though, is to purchase and install
the SSL through your current
Web host (or a third-party). If you
do nothing else to secure your
website, make it the acquisition of
an SSL certificate.
Another reason to secure
your site is Google. The world's
dominant search engine is
beginning to consider HTTPS
status in its search ranking
algorithm. In other words, secure
websites will get more visibility
than non-secure sites.
UNIqUE PASSWOrDS
This one seems to go without
saying, but you'd be shocked
how many organizations - some
http://info.ssl.com/Article
Table of Contents for the Digital Edition of Association Leadership - September/October 2015