The 4 legs of the cybersecurity platform
From Private Club Technology Update, a newsletter by Bill Boothe
No technology topic is hotter in the private club industry than cybersecurity. Articles, conference and chapter meeting education sessions, vendor presentations–all are addressing the topic from a variety of angles. Sadly, the swirl of information often creates more confusion than clarity.
The purpose of this article is to lay out the four elements of cybersecurity that should concern your club. We call those elements “legs of the cybersecurity platform.” Imagine that a complete cybersecurity program is the platform that your club’s technology rests upon. Supporting that platform are four legs–all equally important in keeping the platform steady. Remove one leg and the platform topples.
Leg #1 - Security assessment. This is where it all should start, and where it too often prematurely ends. An effective security assessment evaluates every part of your club’s computer systems: servers, switches, firewalls, desktop units, server and desktop software, communications software, anti-malware software, network design and configuration, and the many other elements that make up your infrastructure. Security assessments can be provided by many sources: local IT individuals, outsourced network management companies, network security specialists. Costs start as low as $750 and go up from there depending on the depth of the assessment and the size and complexity of the club’s infrastructure. Ask what the assessment actually covers and what evidence you will receive; a summary report from an automated scan is not the same as a hands-on review of your configuration. A proper security assessment will pinpoint vulnerabilities and recommend effective remedies. Depending on the condition of your club’s infrastructure, remediation can cost a few thousand dollars or tens of thousands, again depending on the scope of your environment. While these assessments are highly recommended and should shore up any security holes in your club’s infrastructure, their value is short-lived, because the security landscape continually evolves and your own environment changes as software is updated and staff come and go. A clean bill of health this week does not guarantee protection next week.
Leg #2 – Security monitoring. Once your club’s infrastructure is up to par, you have to keep it there. Security monitoring does just that: devices and software installed on your club’s network continuously record performance and user activity, and suspicious activity is detected and reported to the monitoring provider, who alerts you that there is a problem. Monitoring includes identifying attempts by unauthorized users to access the network, alerting when suspicious activity occurs on the network (e.g., a user copying data files or moving files off the network), detecting the attachment of an unauthorized device (e.g., a flash drive), and identifying and stopping malware activity or attacks. Two questions to settle up front: who receives the alerts and how quickly they must act, and how long the logs are retained, since a breach is often discovered weeks after it began. Security monitoring picks up where a security assessment leaves off and helps ensure that the club’s infrastructure is kept in top condition.
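To make the monitoring described above concrete, here is a small added example (not code from the newsletter or from any monitoring vendor) that runs three of the rules it lists over a handful of constructed log lines: a burst of failed logins from one source, a mass-storage USB device attached to a workstation not approved for it, and a large volume of files copied to a removable drive in a short window. The log format, host names, thresholds and drive-letter convention are all assumptions made for the example; a real monitoring product would consume Windows event logs, firewall logs or endpoint agent data instead.

```python
"""Toy security-monitoring rules run over constructed log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simple key=value format; these are not real club logs.
SAMPLE_LOGS = r"""
2024-03-01T09:00:01 host=FRONTDESK1 event=auth_fail user=jsmith src=203.0.113.5
2024-03-01T09:00:04 host=FRONTDESK1 event=auth_fail user=jsmith src=203.0.113.5
2024-03-01T09:00:09 host=FRONTDESK1 event=auth_fail user=admin src=203.0.113.5
2024-03-01T09:00:15 host=FRONTDESK1 event=auth_fail user=admin src=203.0.113.5
2024-03-01T09:00:20 host=FRONTDESK1 event=auth_fail user=root src=203.0.113.5
2024-03-01T09:00:31 host=FRONTDESK1 event=auth_ok user=jsmith src=10.10.1.22
2024-03-01T09:12:00 host=ACCT-PC2 event=usb_attach vendor=0781 product=5567 class=mass_storage
2024-03-01T09:12:45 host=ACCT-PC2 event=file_copy user=mbrown dst=E:\members.xlsx bytes=52428800
2024-03-01T09:13:10 host=ACCT-PC2 event=file_copy user=mbrown dst=E:\billing.csv bytes=73400320
2024-03-01T10:05:00 host=GOLFSHOP1 event=usb_attach vendor=046d product=c52b class=hid
2024-03-01T10:30:00 host=ACCT-PC1 event=file_copy user=kwilson dst=\\FS1\reports\q1.pdf bytes=1048576
"""

# Assumed convention: drive letters E: through G: are removable media on club workstations.
REMOVABLE_PREFIXES = ("E:", "F:", "G:")


def parse_line(line):
    """Turn 'TIMESTAMP key=value key=value ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source address fails `threshold` logins inside a sliding `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "auth_fail":
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                alerts.append(f"login_burst src={src} failures={end - start + 1}")
                break  # one alert per source is enough for this example
    return alerts


def detect_removable_media(events, allowed_hosts=frozenset()):
    """Alert on mass-storage USB devices on hosts not approved to use them.

    Keyboards and mice (class=hid) are deliberately ignored to avoid noise."""
    return [
        f"removable_media host={e['host']} vendor={e['vendor']}:{e['product']}"
        for e in events
        if e["event"] == "usb_attach"
        and e.get("class") == "mass_storage"
        and e["host"] not in allowed_hosts
    ]


def detect_bulk_copy(events, max_bytes=100 * 1024 * 1024, window=timedelta(minutes=10)):
    """Alert when one user copies more than `max_bytes` to removable media within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "file_copy" and e["dst"].upper().startswith(REMOVABLE_PREFIXES):
            by_user[e["user"]].append((e["ts"], int(e["bytes"])))
    alerts = []
    for user, copies in by_user.items():
        copies.sort()
        start, total = 0, 0
        for end, (ts, size) in enumerate(copies):
            total += size
            while ts - copies[start][0] > window:
                total -= copies[start][1]  # drop copies that fell out of the window
                start += 1
            if total > max_bytes:
                alerts.append(f"bulk_copy user={user} bytes={total}")
                break
    return alerts


def run_detections(raw_lines, allowed_usb_hosts=frozenset({"IT-ADMIN"})):
    """Parse the lines and run every rule; returns the list of alert strings."""
    events = [parse_line(line) for line in raw_lines if line.strip()]
    return (
        detect_login_bursts(events)
        + detect_removable_media(events, allowed_usb_hosts)
        + detect_bulk_copy(events)
    )


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOGS.strip().splitlines()):
        print("ALERT", alert)
```

Run as-is it raises exactly three alerts: the five failed logins from 203.0.113.5 inside twenty seconds, the flash drive on ACCT-PC2, and the 120 MiB that mbrown copied to it. The successful login, the mouse on GOLFSHOP1 and the small copy to the file server produce nothing, which is the point of thresholds and allow-lists: a rule that pages someone for every USB keyboard will be switched off within a week.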
Leg #3 – User education. Study after study shows that internal users are the unwitting accomplices in a majority of business security breaches. Innocently clicking a link in a phishing email, giving network login details to a convincing caller posing as a credible source, or wiring money to “the bank” or another “trusted source” when the recipient is actually a hacker using a believable impersonation: these and other unsuspecting behaviors are the “door openers” hackers now focus on to steal personal information and money. Why waste time trying to break through a firewall when you can send a phishing email to a thousand business networks and quickly hook a few innocent employees? Fortunately, effective online employee education is available to teach users how to recognize and avoid these costly scams. Courses are provided for management as well as line employees and are intended to sharpen awareness of the full spectrum of attack methods. Training reduces the odds of a mistake but does not eliminate it, so pair it with simple rules that do not depend on anyone spotting the fake, such as confirming any change to payment instructions by phone at a number already on file. Reasonably priced, this education is a critical part of any effective cybersecurity program.
Leg #4 – Cyber insurance. Almost unheard of just a few years ago, cyber insurance is now front and center in security discussions. This insurance addresses two basic risks: first, the liability risk to the club if sensitive member information is compromised, and second, the risk (and substantial cost) of notifying members that their information has been compromised. While many clubs worry about potential lawsuits by members stemming from a breach of the member database, the likelihood of such litigation is actually rather small. The major risk is the cost (in damage to the club’s image and in dollars) of managing such a breach. Laws in each state differ, but they all share some requirement to notify every party whose personally identifiable information (PII) has been, or may have been, compromised. Well-crafted cyber insurance policies include reimbursement for the cost of employing specialists to handle the notification tasks. (Note: I attended a Hospitality Financial and Technology Professionals (HFTP) education session recently where a cyber insurance specialist stated that the median cost for a small business to handle the damage control from a breach is about $80,000.)
Your key take-away from this article should be: All four legs of the cybersecurity platform are needed to support a robust and effective cybersecurity program at your club. If just one leg is weak or missing, the entire platform becomes vulnerable to collapse.
Online cybersecurity training–now available with a special discount for RSM clients.
Private Clubs 360 (PC360) is a powerful new online training solution that will help you protect your club member information. The online courses teach your staff to avoid the traps and ploys used by hackers to tap into computer networks. Seventy percent of all data breaches are unwittingly assisted by company employees–that’s membership, accounting, food and beverage, golf, tennis, spa and admin staff. PC360 trains your employees to identify and avoid the common traps used by identity thieves and cybercriminals. The program is provided online, consisting of 12 courses totaling 2½ hours of training–plus written security policies and risk assessments (all of which are needed to meet the minimum standard for data security). Each employee logs into the course portal to take the courses on their own schedule. Progress is tracked and reported to inform management of individual employee compliance. Training is also provided for department heads and even the board of directors. PC360 provides the following benefits:
- Helps protect club member data by dramatically reducing the chances that an employee will unwittingly assist an outside intruder.
- Can qualify for a special cyber insurance program available only to participating clubs.
- Easy to administer and track employee compliance.
- An effective yet inexpensive way to slam the door on outside intruders and identity thieves.
For more information, visit the PC360 website. RSM clients receive a 10 percent discount on all PC360 services.
This article was submitted with permission from Club Technology Update.