Rising cyber threats demand cybersecurity measures for golf clubs


By Joseph Saracino

Cyber threats are increasing rapidly across all categories, from ransomware, phishing, malware and keylogging attacks to SQL injection, video conference and point-of-sale attacks. According to the ForgeRock 2021 Breach Report, attacks in the United States involving usernames and passwords increased by an astounding 450% in 2020 from 2019, with over one billion personal records compromised.

For many golf and private clubs, the January 2021 ransomware attack on the Wentworth Club in Surrey, England, was a loud wake-up call. In that attack, this exclusive club had its entire membership database hacked by cyber thieves who gained access to its elite members’ names, dates of birth, home addresses, email addresses, landline phone numbers and the last four digits of their bank accounts used for direct debit payments.

The Wentworth ransomware attack was what is known as a double extortion attack, wherein sensitive files are stolen before they are encrypted on the network. This gives cyber criminals greater leverage in their ransom negotiations as they threaten to expose sensitive files if their demands are not met. Additionally, this type of attack places the individuals whose data was stolen at higher risk for future email phishing attacks, since an email including some of their account information could be made to look like it came from their bank. Besides the reputational damage Wentworth suffered, it also suffered a breach of trust with its members. While clubs cannot necessarily avoid a cyberattack, they can minimize their risks and the potential damages by taking a proactive stance and implementing sound cybersecurity measures.

State of cybersecurity in golf clubs

Wentworth is not alone in having experienced a cyberattack. This year, the email account of Clubster founder William King was hacked, resulting in members of 10 U.S. clubs, including Anderson Country Clubs, receiving messages replete with racial slurs and expletives. Attacks like this one, and probably others that have gone unreported, are not that surprising. In 2017, the National Club Association surveyed its members and found that only 41% had conducted a cybersecurity vulnerability assessment within the past year. The survey also reported 63% of respondents recognized their vulnerability to a security breach and only 49% indicated they had done any training to raise their staff’s awareness on cybersecurity.

This latter finding is important as research by other entities demonstrates a general lack of understanding regarding cybersecurity and related items. For example, Pew Research Center’s data revealed that only 10% of those canvassed could identify a multi-factor authentication screen, 13% knew the role of a Virtual Private Network, 33% could identify an encrypted URL, and 48% could define the term ransomware. This lack of knowledge is further exacerbated by the prevalence of many other threats to a club’s Information Technology (IT) systems’ security. Among these are overreliance on technology, failure to assess and then address system vulnerabilities, no formal cybersecurity policies and procedures in place, and a lack of due diligence relating to informing Board Members regarding their clubs’ cybersecurity measures. Add to these circumstances new technology trends for clubs such as the growth of Internet of Behavior (IoB) whereby clubs are capturing, analyzing, and monetizing their members’ behavior, and the increased application of new technologies such as intelligent business systems deploying Artificial Intelligence (AI) and Machine Learning (ML), and it becomes even more critical that clubs adopt best cybersecurity practices.

Best practices for club cybersecurity

In order to gauge just how vulnerable your club is to cyber-attacks, it is important to benchmark where you are now. For instance, does the club have formal, written cybersecurity policies and procedures in place? Do you have a dedicated cybersecurity firm monitoring and managing the club’s cybersecurity? If you believe this is a role that can be performed by the club’s internal IT staff or its Managed Service Provider (MSP) for computer maintenance and technical support, you would be wrong. Cybersecurity is a specialization that requires individuals with specific training and certifications. Further, having the same individual/firm that is managing your computers monitor how secure the systems are is like having the fox guard the henhouse. You need an objective, third-party resource for this critical role.

A comprehensive cybersecurity initiative begins with a vulnerability assessment and penetration testing. The vulnerability assessment should be performed by a cybersecurity firm not involved in the club’s day-to-day IT operations. The purpose of this assessment is to identify particular vulnerabilities and to assign a risk level to each vulnerability detected. Penetration testing is performed by an ethical hacker whose goal is to determine how hard/easy it is for a cyber criminal to penetrate the club’s IT system, network, ports, database, emails, video conference calls, etc. These two initial steps will determine where the weaknesses lie and what needs to be done to mitigate potential cyber risks.

The cybersecurity consultant will prepare a list of recommendations that include new policies and procedures that need to be implemented, as well as measures and technologies that should be deployed to remedy the security gaps in the club’s IT systems. There are a wide range of suggestions that might be made.

Some of the technology-related recommendations include:

  • Encryption of sensitive club member payment data to ensure that only authorized staff have access to this personal data
  • End point protection
  • Multi-factor authentication
  • Password and SSH key management
  • Next-generation firewalls/web application firewalls
  • Solutions to lock down access to personal and club data by protecting areas that hackers typically exploit (i.e., a computer’s keyboard, clipboard, screen, camera, microphone and speakers)
  • Secure video conferencing platform
  • Correcting security vulnerabilities in services

Policy and procedural recommendations could include:

  • Developing a cybersecurity policy manual
  • Initiating cybersecurity awareness staff training
  • Creating a back-up data recovery plan
  • Developing an incident response plan
  • Implementing procedures to connect local computer networks to club-level networks
  • Instituting “need-to-know” access measures including third-party access and monitoring of unauthorized computer access
  • Reviewing the club’s cybersecurity insurance policy to make sure the coverage is adequate and protects the club against liability claims of invasion of privacy, failures of computer security, and unauthorized release of information, as well as for litigation defense costs

Remaining vigilant and in compliance

What is important for club management to understand is that cybersecurity is not a one-and-done deal. It should be regarded as a critical area of operations that is ongoing. Remaining vigilant at all times and monitoring your systems for vulnerabilities against new cyber threats is vital. It is also important that clubs be aware of and in full compliance with all federal and state laws and regulations relating to cybersecurity and data privacy protection, such as the Health Insurance Portability and Accountability Act (HIPAA), New York State’s SHIELD Act, Connecticut’s H.B.5310 “An Act Concerning Data Breaches,” and California’s Consumer Privacy Act of 2018. It is prudent for club management to adopt an attitude that recognizes the reality of the cyber landscape today, which is that it is not a matter of if, but when a cyber-attack may occur. Remaining vigilant and performing cybersecurity monitoring on a regular basis by experienced, credentialed cybersecurity professionals is the key.

Joseph Saracino is the President and Chief Executive Officer of Cino Security Solutions. (www.cinoltd.com)
