In previous articles, we looked at whether golf clubs were a target for cyberattacks; phishing and spear-phishing emails; password strength and management and, most recently, how to launch a cyber attack on a golf club. This article attempts to bring these articles together and provide you with ways that may help you mitigate any attacks.
If any suggestions below come across as too technical, pass them on to your IT support staff or company.
Start by getting a clear picture of the computer equipment the club runs. You are interested in anything that attaches to the club’s network that has access to the Internet. This list should include servers, desktops, laptops, PSI units, EPoS and BYOD (Bring Your Own Device) units. Next, consider the risks associated with each device. For example, it is reasonably evident that the PSI unit is potentially pretty risky on all levels. In contrast, offices PCs are far less so as they reside in restricted areas. EPoS and servers are somewhere in between. This assessment will give you a clearer idea of where criminals may gain access to your systems.
Rule 1. Always run all software updates on all devices. Most updates now happen automatically, but they still require regular checks. These checks are especially true for operating system updates (though be cautious about upgrading to a new major software version, such as moving from Windows 10 to the latest Windows 11 until your IT support staff or company recommends it). Microsoft and Apple close security flaws in their systems regularly, so ensuring updates are done is critical.
Rule 2. Never turn off your anti-virus or firewall on your computer, even if explicitly requested by a web service you are using, without first consulting your IT support staff or company. If you do turn it off, then make sure you reinstate it as quickly as possible.
Rule 3. Never use an ‘administrator’ account for day to day activity. This type of account allows the user access to all parts of your computer, which means that if you inadvertently click on a malicious link, the criminals can load and run malware on your computer. Good practice dictates that you set up user accounts that do not have administrative powers for day to day operations. Administrator level accounts are required only when particular work is needed, such as loading or updating existing applications.
Rule 4. Keep a register of login details for anyone who has access to the club’s systems. Make sure that you have a policy and process for adding and removing people’s credentials from your systems. This task is especially true with your core club systems such as membership, accounts and email.
Rule 5. Make sure everyone uses a password manager (see June issue). There are many on the market. Some, such as Roboform, offer individual (1 user – $16.70pa), family (up to 5 users – $33.40pa) and business (more than 5 users – $34.95 per user pa) versions. Ideally, the club should buy a suitable package to cover all staff with Internet access. The costs are reasonable for the incredible protection they provide. Password Managers allow you simply to create unique, strong passwords so that you do not have to use the same password twice (see the next rule). If you really do not want to use a password manager, storing passwords in your browser is an option, but not ideal as passwords do not necessarily travel with you to other computers unless you sign in to your Google, Microsoft or Mozilla account.
Rule 6. Use strong passwords! Do not use the same password twice! Do not share passwords! You can test the strength of a password at https://bennish.net/password-strength-checker/.
Rule 7. If the club has Wi-Fi, and most now do, make sure you separate the club’s ‘admin’ Wi-Fi from the members’ and visitors’ Wi-Fi. This means that you need Wi-Fi that supports multiple SSIDs (the Wi-Fi’s name you see when you are connecting). Also, make sure the password is changed from the original password to something strong. The members’ and visitors Wi-Fi must not be able to access any of the club’s systems.
Rule 8. Make sure that all PCs lock their screens after a sensibly short period of time! It may be inconvenient, but five or ten minutes is a good choice. If your screen locks after say, 30 minutes, you may as well not lock it at all. Instead, try encouraging everyone to lock their screen before leaving their desk.
Rule 9. Make sure all USB connections are disabled on all public or semi public-facing computers. These include any PSI units and all the EPoS units. This precaution is to stop malware from being introduced through a USB device.
Rule 10. Use Multi-Factor Authentication (MFA), otherwise known as Two Factor Authentication (2FA), wherever it is available. Especially on your password manager and email accounts.
I hope that many managers will already have implemented some, if not all, of these recommendations. Implementing these rules will provide a solid defence against cyberattacks, but educating staff to take cybersecurity seriously adds another layer of protection.
I’ll finish with a short story. Imagine you are alone in Africa and see a lion. What do you do? Fear grips and you hope he’s already eaten or that you can run faster and not become dinner. Now imagine you are on a safari and your tour guide points out a lion. You are excited and happy; take pictures and applaud your guide. You are not fearful! Now imagine you are the guide. You everything there is to know about the lion. You know precisely what to do. You know how to keep yourself safe.