March 12, 2024
Tech

Note: The positions of CEOs and other executives interviewed for this story may have changed since the initial reporting of this story.
In February 2023, what began as a normal Friday morning at the Chicago Association of Realtors quickly escalated into a full-fledged cybersecurity nightmare.
“We started getting reports of people not being able to log into our server for our membership database,” said Zack Wahlquist, COO at the organization, which represents over 17,000 members from all real estate specialties. “That’s not an uncommon thing, so the team started troubleshooting.”
But by 2 p.m., the whole organization was locked out of the network.
Around that time, “one of our IT folks had stumbled across a text file on a server that we could open,” Wahlquist said. It was a ransom note.
An unknown “threat actor” had encrypted their servers and their data, and demanded a payment of roughly $800,000 in return for restoring access to the association’s own information.
It took the association three weeks to get back online and operational, and another six to eight weeks to catch up on missed work. Still, they were lucky — or, rather, they were well prepared.
Ultimately, the hacker was unable to infiltrate the association management system hosted on a separate server, and only three individuals had personal data exposed in the attack.
A subsequent third-party forensic investigation revealed that the association had taken all the right steps to mitigate their risks, including implementing day-to-day cybersecurity practices and having robust cyber insurance in place.
And while Wahlquist was responsible for leading his organization’s breach response, he credits the association’s CEO, Michelle Mills Clement, for creating the culture of safety that made it so effective.
As cyber-attacks become more common and sophisticated, it’s essential for association leaders to follow their example if they want to survive potentially catastrophic breaches — which, many say, are no longer a matter of “if” but “when” for organizations of every size and specialty.
A culture of safety
According to Diane Tomb, CEO of the American Land Title Association (ALTA), which has 6,000 members and represents the title insurance industry, “When I stepped into this role five years ago, (breach attempts occurred) maybe every other week. Now it’s multiple times an hour, not only within our own organization, but in our case, our industry.”
With attacks happening more frequently, there’s “no excuse these days for any organization not to have thought about this in advance,” added Lisa Plaggemier, executive director at the National Cybersecurity Alliance, a Washington, D.C.-based nonprofit whose mission is to empower a more secure, interconnected world.
Cybersecurity is typically viewed as a three-legged stool — people, processes and technology — Plaggemier noted. While technology often comes to mind first, getting the people aspect right is even more fundamental. Not only does human error cause the vast majority of breaches, but processes and technologies are useless without an organization-wide commitment to leverage them effectively.
“That means the CEO’s job is actually to back up your IT director and your CIO when they’re saying, ‘Hey, we need to do information security training,’ or ‘Hey, John Doe over there is not following our protocols about saving personal information on a laptop,’” said Tori Miller Liu, president and CEO at the Association for Intelligent Information Management (AIIM) and a former CIO. AIIM’s members focus on how information is leveraged within organizations.
The National Institute of Science and Technology recommends using a five-step framework for thinking through a cybersecurity strategy: identify, protect, detect, respond and recover.
Identify
First, assess what’s at stake. “Identify the things in your business that are of value to somebody with malicious intent,” Plaggemier said. That could be money, data, inventory, intellectual property — or a combination of factors.
If you’re struggling with how to prioritize cybersecurity, run the numbers, Liu advised. “You can talk to your insurance providers about this or figure it out on your own,” she said. For example, what would it cost your organization if you couldn’t process credit cards anymore?
There’s also the loss associated with reputational damage and weakening the confidence of your members and employees. If people believe you aren’t taking their cybersecurity seriously, “it’ll cause this slow trickle of distrust that will eat into your revenues,” Liu said.
Performing cybersecurity audits regularly is crucial to risk identification. A consultant can provide a critical, third-party perspective, just like with a financial audit. “A lot of times cybersecurity insurance providers will actually provide that as part of their quote,” Liu said, “because they want to know how risky you are.”
According to the “2023 State of Cybersecurity” report, which surveyed 2,178 cybersecurity professionals last year, 73% of them conducted risk assessments ranging between monthly and yearly, with the largest segment of respondents (39%) performing them annually. The report was published by ISACA, an international association focused on IT governance. “I would (recommend) every year if you can afford it, but certainly every other year,” Liu said.
Protect
“The CEO and the board have to set the pace for the importance of security,” said Ron Mark Moen, CIO at the American Society for Clinical Pathology (ASCP), a Chicago-based membership organization for pathologists and laboratory professionals with 100,000 members around the globe.
“Our mantra at ASCP is, ‘With security comes inconvenience,’” Moen said. Thus, the senior team must reinforce that, as annoying as it might be to create unique, complex passwords for each system, it’s the price everyone must pay to protect themselves and their organization. Otherwise, the same password uncovered when an employee’s gym membership is hacked could be used to infiltrate your server, he noted.
Multifactor authentication — a login process that obligates users to provide two or more verification factors to access a resource — is also a necessary nuisance. Wahlquist recommends requiring this method for anyone with access accounts to your systems.
The importance of staff training also cannot be overstated, given that breaks in the so-called “human firewall” are the No. 1 reason breaches occur, experts agree. In other words, “Somebody clicked on something they shouldn’t have,” Plaggemier said. That risk has only intensified as more people work from home on routers that aren’t usually maintained by your organization or log in to work accounts from different devices and locations.
Employee training must be frequent, universal, compelling and memorable. There are good options for every budget. Today’s modules use gamification to engage people, for example, and humor to help messages stick. Plaggemier pointed to Kubikle, the National Cybersecurity Alliance’s free — and funny — YouTube series.
Creating mechanisms for accountability is also key. Platforms like KnowBe4 simulate phishing attacks and track how often employees take the “bait,” Liu said. “I’ve been in organizations where if you failed more than four times, it could actually lead to a performance improvement plan,” she added. At ALTA, Tomb’s association, employees who fail regular testing are required to do additional training.
CEOs must hold themselves accountable as well. They are the ones most often impersonated in attacks posing as urgent requests for money or access. At the same time, many CEOs are, in fact, inclined to make similar requests of employees in day-to-day work. “It’s the C-suite that’s going to want to break the rules,” Plaggemier pointed out.
It’s important for executives to respect — and not try to circumvent — the checks and balances put in place to avoid risky situations, particularly as cybercriminals utilize artificial intelligence and other tools to generate increasingly convincing fake communications from leadership.
Detect
Your IT or information security team should have processes in place to alert them to anomalous activity, such as network logins at odd times or from countries where you don’t have members or employees. That might take the form of a staff member who reviews network logs each day or a managed security services provider you contract with to monitor your network.
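The two signals named above (logins at odd hours, logins from countries where the organization has no presence) are simple enough to check automatically. The following is an added illustration, not code from the article or from any of the organizations quoted in it: it runs a small rule set over a constructed sample of login events. The log format, the allowed-country list, the business-hours window and the service-account exception are all assumptions chosen for the example; a real deployment would read its own system's logs and tune each rule to the organization.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of portal/VPN login events (not real data). The
# key=value line format is a hypothetical one chosen for this example;
# adapt LINE_RE to whatever your own system actually emits.
SAMPLE_LOG = """\
2024-03-01T14:02:11Z user=jdoe src_ip=203.0.113.5 country=US result=success
2024-03-01T03:17:45Z user=jdoe src_ip=203.0.113.9 country=US result=success
2024-03-01T10:40:02Z user=asmith src_ip=198.51.100.7 country=CA result=success
2024-03-01T11:05:30Z user=bwong src_ip=192.0.2.77 country=RO result=success
2024-03-01T11:06:01Z user=bwong src_ip=192.0.2.77 country=RO result=failure
2024-03-02T02:30:00Z user=svc-backup src_ip=192.0.2.10 country=US result=success
"""

# Assumptions for this example: the association has staff or members only
# in these countries, and interactive logins normally occur 06:00-22:00 UTC.
EXPECTED_COUNTRIES = {"US", "CA"}
BUSINESS_HOURS = (6, 22)           # start hour inclusive, end hour exclusive
SERVICE_ACCOUNTS = {"svc-backup"}  # automated accounts that legitimately run at night

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_ip=(?P<ip>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    user: str
    timestamp: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict of fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_outside_hours(ts, hours=BUSINESS_HOURS):
    """True when the UTC hour of an ISO-8601 timestamp falls outside the business window."""
    hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
    start, end = hours
    return not (start <= hour < end)


def find_anomalies(log_text, countries=EXPECTED_COUNTRIES,
                   hours=BUSINESS_HOURS, service_accounts=SERVICE_ACCOUNTS):
    """Return one Finding per successful login that comes from an unexpected
    country, or that a human (non-service) account made outside business hours."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue  # malformed lines and failed attempts are skipped here
        if ev["country"] not in countries:
            findings.append(Finding(ev["user"], ev["ts"],
                                    f"login from unexpected country {ev['country']}"))
        if ev["user"] not in service_accounts and is_outside_hours(ev["ts"], hours):
            findings.append(Finding(ev["user"], ev["ts"], "login outside business hours"))
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user}: {f.reason}")
```

Run on the sample above, the checker reports two events: jdoe's 03:17 UTC login (outside hours) and bwong's successful login from RO (unexpected country). The failed RO attempt and the nightly backup account are deliberately left alone, which is the kind of tuning a daily log reviewer or managed security provider does to keep alerts worth reading.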
Like other aspects of cybersecurity, threat detection is an enterprise-wide effort. “We make sure that our employees have the training and the resources to really understand what these emerging threats are,” said Tomb, ALTA’s CEO. “I try to create and foster a community and a culture where people feel comfortable coming forward” if they observe any suspicious behavior.
For example, she reminds people to slow down and question when they get unusual calls or emails that don’t seem right, especially if they require sensitive information or urgent action.
It’s also a good idea to raise employees’ awareness at times when you anticipate heavy database and/or credit card usage, like during your membership renewal cycle. Risk increases during economic downturns, and December is a vulnerable period as well. “The number of attacks at the holidays is triple at least,” Moen said.
Respond
Once you have a comprehensive breach response plan in place, it’s important to test it regularly — ideally monthly. In these “tabletop exercises,” as Plaggemier calls them, the goal is to walk through an attack scenario from start to finish, discussing your answers to questions such as:
• What’s our technical response?
• What’s our crisis communications plan?
• What will we tell employees? Salespeople? Customers?
• Who will brief the board and the C-suite as the investigation is unfolding?
At the Chicago Association of Realtors, having a plan and clearly outlined roles and responsibilities allowed them to react swiftly and effectively. Wahlquist’s team began executing their response the moment they accessed the ransom note.
By early evening, the CFO had tapped into their cybersecurity insurance, and the team was meeting with a cyber forensics team and breach coach provided by the insurer. The coach helped keep everyone calm and focused.
“It was terrifying,” Wahlquist said. “You read about these things, and the director of IT was up on these things — but when you’re going through it, it’s like panic mode and emotions kick in.”
In the two days that followed, Wahlquist and the team worked with their insurer to assess the extent of the damage and carry out their communication strategy. “The earliest conversation was about transparency,” Wahlquist said. “What were we going to communicate about what was happening?”
They decided to publicly acknowledge the attack and tell members and staff they were working diligently to address it. They noted they’d be in immediate contact with anyone whose personal data was exposed.
Nearly every organization has legal obligations around reporting breaches, but the laws vary by state and industry. In most cases, organizations are required to inform individuals whose information was compromised within 72 hours of discovering a cyber-attack — but experts advise going beyond what’s mandated to protect the trust you’ve built with stakeholders.
“I think the most important thing we can do is be transparent and honest about the incident and the steps that are being taken,” Tomb said.
Liu agreed. She’s been involved in breaches as CIO that occurred outside her organization’s server and thus were not under her control. “But I still was involved in the communications and the crisis management afterwards,” she said, “because we had a responsibility to our members and we wanted them to hear from us” rather than from a third-party software provider.
Recover
Fortunately, Wahlquist’s story has a happy ending, or at least an ending that preserved the functionality of the Chicago Association of Realtors.
The forensics team communicated with the threat actor through a secure terminal on the dark web — “like you see in the spy movies,” Wahlquist said. After negotiating with the hacker to buy time, “we made the decision to not pay the ransom and to just deal with the data loss on those file servers,” which they were able to rebuild, Wahlquist said.
Despite getting high marks from the forensic investigators on their cybersecurity systems and processes, the organization decided to upgrade their endpoint detection software, which monitors devices to detect threats like ransomware and malware, following their attack.
Also, because of the incident, they realized their two cyber insurance policies contained some contradictory language. “I encourage folks to take a look at what their insurance coverage is, and make sure they look at all of their policies,” Wahlquist said.
In describing the vendor breach that affected her in a previous role, Liu said she realized in hindsight that her organization probably had too much data stored with the third party. “So it was a really good opportunity for us to talk about an appropriate retention schedule with them,” she noted.
After spending years as a CIO and information technology professional, Liu recently started her second year as CEO at AIIM, where her role in advancing cybersecurity is just as important as it was in her previous positions, if not more so.
“The Board has a fiduciary responsibility, as does the executive director or CEO,” she said. “We have an obligation to be good stewards of our organization, and these kinds of incidents, whether it’s a cybersecurity breach or a natural disaster, can destroy an organization pretty quickly,” she said.