Information security is probably not at the forefront of most people’s minds during this pandemic. However, the explosion of Internet usage caused by home working and ordering products and services online has offered many new opportunities to Internet fraudsters. At the same time, the reduced pressures from the course and clubhouse provide club managers with an excellent chance to consider how these potential threats may affect them and how they could be avoided.
With this in mind, we ran a short cybersecurity awareness survey during March. The objective is to understand how well prepared clubs are for cyberattacks targeted through their staff. Clubs that participate will be encouraged to ask all staff to complete the survey. The clubs will receive a confidential and free report illustrating where the club may be vulnerable. A full report for the industry will be available later in the year.
Clubs may think that they are protecting themselves from cyber threats by moving information into the Cloud with their service providers and ensuring that their computers’ operating software and virus checkers are continuously updated. These are all essential elements in protecting the club and its data, but they are only part of the range of defense mechanisms that aim to make it harder for hackers to steal sensitive data through the Internet. Nowadays, it is far more straightforward and more common for hackers to build their attacks around manipulating people, a technique called social engineering. The most common form of this type of attack is phishing, where an end-user is tricked into clicking on a malicious link in an email. Successful attacks can allow hackers to access and then control a club’s computer system, disrupt day-to-day operations, hold people and clubs to ransom and steal sensitive information.
The Department for Digital, Culture, Media and Sport reported that phishing attacks accounted for 86% of all cyberattacks in 2020. According to Hiscox, UK small businesses are, on average, targeted with 65,000 phishing attempts each day, and one successful attempt happens every 19 seconds. The estimated cost of dealing with the consequences of a successful attack is just over £25,000. Clearly, clubs need to be aware of these sorts of cyberattacks and how to mitigate them.
Protecting a club against cyber threats such as those from social engineering is becoming ever more critical. While GDPR encouraged clubs to look at data privacy two years ago, a similar effort is needed to target data security today. Assuming that the club and its staff are safe, either because the club is too small or because strong technological protection is in place, is only inviting trouble. Hackers can circumvent many technical safeguards and use phishing attacks to load malicious programs, called malware, onto the club’s computers. This malware may be quiet, simply collecting critical information such as user names and passwords and passing it to a third party unnoticed by users. Alternatively, the malware may take control of the affected computer to mine bitcoins, for example, causing the computer to run sluggishly and degrading the end user’s ability to operate efficiently. At worst, the malware may encrypt data in the system and demand a ransom, as happened to the NHS in 2017. Creating awareness of these threats through suitable training gives staff the tools to recognise them and protect the club and its data.
Further articles looking at improving cyber awareness at clubs will appear in The Golf Club Secretary Newsletter’s next few issues.