It is critical that a club’s management adopt a cyber-security attitude and stay focused on it, says Joseph Saracino, President and CEO of Cino Ltd. Cyber security must be part of a club’s DNA and placed on the front burner of operations.
By Joseph Saracino, President and CEO of Cino Ltd
When it comes to experiencing a cyber-attack, it is not a matter of if, but when. There is not a person, business or organization that does not face a potential cyber threat. For private country clubs, golf and tennis clubs, and resorts, there are heightened threats stemming from memberships that include high and ultra-high net worth individuals who are attractive targets for cyber criminals. The Wentworth golf and country club, one of England’s most exclusive golf clubs, is a case in point.
In widely publicized news accounts, we learned that this prestigious club—whose members include prominent business leaders, celebrities and other UHNW individuals—had been hacked. The personal data of the club’s 4,000 high profile members was stolen including their names, dates of birth, home addresses, phone numbers and last four digits of their bank account numbers used for their direct debit payments.
Imagine learning of a breach the way Wentworth did: the first group of club members read an unauthorized message on the Wentworth at Home internet page, which read, “Your personal files are encrypted!” The message continued with a demand for a Bitcoin cryptocurrency payment in return for a decryption key.
This scenario is not far-fetched, as cyber risks are pervasive, with increasing ransomware, phishing, malware, SQL injection attacks, session hijacks, point of sale (POS) hacks, and video conference invasions. Keylogging malware is a common cyber-attack vector: it copies sensitive information (e.g., credit card numbers and expiration dates, passwords, etc.) as it is being typed on a keyboard/keypad, and the captured data is then collected by cyber thieves.
For private clubs and resorts, while threats like keylogging attacks will not go away, the potential of your organization’s proprietary and sensitive data being breached can be mitigated. What is necessary is an end-to-end approach to cyber security which incorporates defensive and offensive strategies and tactics that begin with a thorough vulnerability assessment.
In order to determine where a club’s information technologies (IT) system vulnerabilities lie, it is important that an extensive vulnerability assessment be performed by a third-party cyber security firm. Having internal IT staff or a contracted managed service provider (MSP) conduct the assessment is like having students grade their own tests. For the integrity of the task, the assessment should be performed by an objective third-party with no initial knowledge of how a system is/is not secured, and a professional not involved in the club’s day-to-day IT system operations. This assessment will check for various system vulnerabilities and assign a risk level to each exposure uncovered.
In conjunction with the vulnerability assessment, penetration testing is necessary to see how easy or difficult it is for a cybercriminal to penetrate the club’s systems, network, ports, databases, e-mail, etc. This information is then used to delineate all of the areas where a club’s IT system can be breached.
Once the vulnerability assessment and penetration tests have been completed, the cyber security service provider will provide recommendations as to the various steps, technologies, policies, and procedures which should be implemented for effective cyber security measures.
Among the measures which may be suggested are:
– Next-gen firewalls/web application firewalls
– Encryption (i.e., encrypt sensitive club member payment data to ensure only authorized staff have access to this information)
– End-point protection
– Multi-factor authentication
– Password and SSH key management
– Cyber security solutions that lock down access to personal and corporate data by protecting the areas that hackers exploit, such as a computer’s camera, microphone, speakers, keyboard, clipboard and screen
– Secure video conferencing platform
– Correcting security vulnerabilities in servers
– Implementing procedures for connecting local computer networks to the club-level network
– Instituting need-to-know access measures, including limiting third-party access and monitoring for unauthorized computer access
– Back-up and data recovery plan
– Establishing a protocol for properly disposing of confidential data/papers
– Developing a Cyber Security Policy Manual and implementing ongoing Cyber Security Awareness Training for existing and new staff.
In addition to these measures, there are also some simple, practical steps clubs can take to reduce their cyber risks. For example, they can: store only essential member data on their networks; avoid storing all of a member’s data together; and separate the computers used for accounting and financial management from the club’s overall network, which would protect financial data should a hacker enter the network. Implementing these measures requires little or no investment but delivers a high ROI in terms of cyber protection.
A National Club Association survey of clubs across the nation designed to assess the industry’s cyber security profile found that:
– 78% felt they were informed/very informed about cyber security matters, but just 22% maintained incident response records and just 21% had penetration testing performed.
– 63% of the clubs surveyed said they were vulnerable to a security breach.
– 72% of those clubs with an initiation fee of over $50,000 believed their threat was high.
– 49% of the clubs surveyed train their staff on cyber security awareness.
These findings indicate that private club management can be doing more to protect their members’ personal information and the club’s proprietary data. A cyber security initiative which begins with a vulnerability assessment and live penetration testing, and follows through on the recommendations of a reputable, third-party cyber security service provider, is the first step that should be implemented. It should be followed by ongoing cyber security training, which could be provided via online training videos accessible to staff on a convenient 24/7 basis, with some measure in place to test staff’s completion of the training and their understanding and retention of the information conveyed.
In addition, it is important that club management stay up to date on cyber developments including new threats by reading security bulletins, white papers, and news reports from cyber security associations and professionals, as well as associations like the National Club Association, Club Managers Association of America, and Association of Private Club Directors.
In other words, be proactive, remain informed and stay vigilant. Clubs such as Wentworth that have already experienced a cyber-attack should be especially alert for follow-on phishing attacks, in which members receive a phishing e-mail that appears to come from the club and asks for additional information that would further compromise their personal data, as well as their financial and physical well-being.
Finally, cyber security is not just about the process by which a safer cyber posture is achieved. It is more of an attitude. We always speak about what needs to be done to meet federal, state and local cyber regulations, as well as the processes and policies to be implemented, but after years of evaluating how people approach cyber security, it is apparent that cyber security is all about attitude. It is no longer optional, and everyone at all levels, including the Board of Directors (BOD), must participate in the safekeeping of data.
We say an ounce of prevention is worth a pound of cure, but after seeing many organizations experience and work through the pain of a breach, it is evident that an ounce of prevention is worth more than a pound of cure. Many organizations make excuses when it comes to addressing cyber security challenges and budgeting for it.
BOD decisions often trivialize cyber security and even make a bar station a priority over it. It is critical that a club’s management adopt a cyber security attitude and stay focused on it. Cyber security must be part of a club’s DNA and placed on the front burner of operations.
Joseph Saracino is President and CEO of Cino Ltd, a global cyber security advisory firm serving diverse industries including the private club and hospitality markets.