Signature March/April 2015 - 23


thinking, get them asking questions.
When they think it's just big groups
with big data breaches, they can think
it's not important to them. When we
put it into their language, tailor it to their
industry, and make it relatable to their
organization, they get it."
According to a 2013 study by the
Ponemon Institute, a privacy and data
protection research center, the average
data breach costs $188 to $194 per record.
This includes response, credit monitoring, forensics, and breach coach. The
average cost per breach in the study was
$5.4 million. Cyber liability generally
covers expenses such as crisis management, notification costs, credit monitoring, data restoration, network security,
some regulatory proceedings, intellectual property, and business interruption.
Guzman notes that associations should
discuss their options and coverage with
an agent.
Guzman also says he has not had a client's claim go over their coverage. "It'll
cover an average breach. Breaches probably happen every day. These aren't going
to be multimillion-dollar breaches. A lost
laptop full of social security numbers
might not result in a major breach. It
might be resolved quickly. But you want
to make sure."
Unfortunately, not all data or all
breaches are created equal. Even small
amounts of data leaked to the wrong
person can be damaging. Guzman says
the largest claim he ever saw came from
California. Someone sent an email to
the wrong person. That was all. It was
only nine records. Except those records
included social security numbers,
names, and addresses for nine correctional officers.
"You can't protect against human
error," Guzman says.

PASSWORDS AND PASSPHRASES
Weak passwords can mean an easy
jackpot for cyberattackers. Even if a
stolen or cracked password is for an
account that does not contain personal
or sensitive information, it can create
major vulnerabilities for individuals and
organizations. In both cases, a compromised password means increased access
for a hacker. By accessing a particular
account, hackers can gain more information to attack other accounts or move
more easily through a system under the
guise of an authorized user.
Another major concern with passwords is the tendency people have to
use the same password for multiple
accounts. So a password used to access
an association user profile might also
give a hacker access to a person's bank
accounts, personal information, or to
a work account, which is a particular
concern for people who work in government or large corporations.
A survey conducted by SCIPP
International, a nonprofit organization
dedicated to information security, found
that 58 percent of association respondents have organizational requirements
to change passwords every three to six
months. This is a good start, but a startling 38 percent of organizations reported
having no password requirements at all.
"We have seen an effort by many people
to be more secure by adding characters to
passwords, but if these longer passwords
are based on simple patterns, they will put
you in just as much risk of having your
identity stolen by hackers," says Morgan
Slain, CEO of SplashData.
In its fifth annual analysis of reported
hacked or leaked passwords, SplashData
has seen a disturbing trend in password
use. In 2015, the most commonly stolen
passwords were:

* 123456
* password
* 12345678
* qwerty
* 12345
* 123456789
* football
* 1234
* 1234567
* baseball
* welcome
* 1234567890
* abc123
* 111111
* 1qaz2wsx

Almost all of them were repeats from
past years, meaning many people are
opting for passwords that are easy to
remember, and therefore, easy to crack.
It does seem to be a conundrum. The
more secure a password is - random
numbers, letters, symbols, etc. - the
harder it is for a person to remember.
It is often recommended that people
use a passphrase rather than a password.
A random combination of words can
be easier to remember but complicated
enough to deter hacking programs.
Grammarpandaguitarzone (grammar
panda guitar zone) is a much stronger
password than p455w0rd&1 ("password" with replaced characters), and
the image of something odd, like a
special zone for grammatically correct
pandas to play guitar, will make it easy
to remember.
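
An added example, not part of the original article: a small Python screen an association could run when a member sets a password, using the fifteen passwords listed above as a blocklist and undoing the character swaps the article describes. The substitution map, the function names, and the 7,776-word list size are assumptions made for this illustration.

```python
import math
import re

# The fifteen most commonly stolen passwords listed in this article.
COMMON = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx",
}

# Assumed look-alike substitutions (constructed for this example).
LEET = str.maketrans("4@5$03!17", "aassoeiit")

def variants(candidate):
    """Forms of the candidate with appended characters and swaps undone."""
    raw = candidate.lower()
    core = re.sub(r"[^a-z]+$", "", raw)  # drop appended digits and symbols
    return {raw, raw.translate(LEET), core, core.translate(LEET)}

def weak_reason(candidate):
    """Return why the candidate is weak, or None if no rule below matches."""
    hit = variants(candidate) & COMMON
    if hit:
        return "variant of common password '%s'" % sorted(hit)[0]
    if len(set(candidate)) <= 2:
        return "one or two repeated characters"
    steps = {ord(b) - ord(a) for a, b in zip(candidate, candidate[1:])}
    if steps in ({1}, {-1}):
        return "straight ascending or descending run"
    return None

def passphrase_bits(words, wordlist_size=7776):
    """Guessing work in bits, valid only if each word is picked at random."""
    return words * math.log2(wordlist_size)

if __name__ == "__main__":
    # Constructed sample candidates, including the two from the article.
    for c in ("p455w0rd&1", "Football2015", "abcdefgh", "grammarpandaguitarzone"):
        print(c, "->", weak_reason(c) or "passes these checks")
    print("4 random words: about %.1f bits" % passphrase_bits(4))
```
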
But this all comes back to education
and policy for members of an association.
"Associations will need to have very
clear policies and expectations," Trochlil
says. "Associations and members don't
know what they don't know. Some are
oblivious to what their cyber concerns
should be. But, for the most part, they
know they want to find out. They know
they want to know more." ■
Thomas Marcetti is a freelance
writer based in Florida. This is his
first article for Signature magazine.
