Technology / 06.12.23
Reducing Risk — Protecting Your Systems and Data From Common Security Threats
Cybercrime is big business. Learn how to reduce and manage your organization’s risk.
Coming in just behind the U.S. and China, the world’s third-largest economy isn’t a country at all. It’s cybercrime. And it’s big business.
Bad actors target organizations when they believe there’s commercial benefit. They’re looking for the most efficient way to monetize their hacking skills.
In other words, cybercriminals are in it for the money. And arts and culture organizations are not immune to this risk. The data you hold is valuable, and you increasingly rely on internet-connected systems to run your businesses.
Understanding Common Security Threats
Some security risks directly impact your bottom line. Criminals might attempt to exploit a software vulnerability in your finance system to commit fraud. They may use social engineering to coerce an unsuspecting member of your team to misroute a payment. They could try to blackmail you by locking your systems or threatening to disclose sensitive information.
Other security risks have indirect, but no less harmful, effects. They hurt your brand reputation, reduce customer trust or increase overhead costs. If a criminal uses a stolen credit card to transact on your website, that might or might not have a hard cost. But it will likely change how a customer perceives your organization.
How can you protect your systems and customer data? It’s important to start by understanding the most common cybersecurity threats. In arts and culture, they fall into three categories:
- Ransomware attacks. Ransomware can be targeted or opportunistic. It can take the form of a data breach where criminals threaten to disclose sensitive customer details. Or criminals may lock you out of key business systems until you pay the ransom. These attacks are not unique to arts and culture. But they are especially relevant because of the amount of personal information many organizations in our sector hold.
- Card validation, or “carding.” These crimes target your e-commerce website. Criminals make low-value online purchases (or even donations) to test stolen credit cards. Validated card numbers are then used fraudulently or sold for a higher value than untested cards.
- Payment redirection scams. This attack involves criminals impersonating an organization or taking over an account or communication channel. If the criminals pretend to be one of your regular suppliers, they might try to convince you to pay a fraudulent invoice. If the criminals impersonate your organization, they could target your customers and attempt to trick them into sending money to a fraudulent destination.
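As an added example (not code from the article or from Tessitura), here is a small detection routine for the carding pattern described above, run over constructed transaction log lines; the log layout, thresholds, IP addresses and card identifiers are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): time, source IP, amount, card id, result.
SAMPLE_LOG = """\
2023-06-12T10:00:01 203.0.113.7 1.00 card-a1 declined
2023-06-12T10:00:04 203.0.113.7 1.00 card-b2 declined
2023-06-12T10:00:09 203.0.113.7 2.00 card-c3 approved
2023-06-12T10:00:15 203.0.113.7 1.00 card-d4 declined
2023-06-12T10:00:20 203.0.113.7 1.00 card-e5 approved
2023-06-12T10:05:00 198.51.100.9 85.00 card-g7 approved
2023-06-12T10:06:30 198.51.100.9 85.00 card-g7 approved
2023-06-12T10:45:00 192.0.2.33 25.00 card-h8 approved
"""

def parse_log(text):
    """Parse whitespace-separated lines into (time, ip, amount, card, result)."""
    rows = []
    for line in text.splitlines():
        ts, ip, amount, card, result = line.split()
        rows.append((datetime.fromisoformat(ts), ip, float(amount), card, result))
    return rows

def detect_carding(rows, window=timedelta(minutes=10), min_cards=5,
                   max_amount=5.0, min_decline_ratio=0.4):
    """Return {ip: stats} for sources whose traffic looks like card testing:
    within one sliding window, at least `min_cards` distinct cards, every
    amount at most `max_amount`, and a decline ratio of `min_decline_ratio`+.
    A legitimate buyer retrying one card, or paying full price, is not flagged."""
    by_ip = defaultdict(list)
    for row in sorted(rows):
        by_ip[row[1]].append(row)
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span covers at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            cards = {e[3] for e in span}
            if len(cards) < min_cards or max(e[2] for e in span) > max_amount:
                continue
            ratio = sum(e[4] == "declined" for e in span) / len(span)
            if ratio >= min_decline_ratio:
                flagged[ip] = {"cards": len(cards), "attempts": len(span),
                               "decline_ratio": round(ratio, 2)}
                break  # one alert per source is enough
    return flagged
```

Flagged sources are candidates for rate limiting or a CAPTCHA on the checkout and donation forms, which raises the cost of testing cards without blocking ordinary buyers.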
Managing Your Risk
In an ideal world, you could remove 100% of these risks. You would apply process controls and technical tools to perfectly protect your organization.
In reality, computers and networks support nearly every part of our businesses. As a result, we make trade-offs. We accept some risks because they are good for customer experience, employee productivity or our bottom line.
Deciding which compromises you’re willing to make is an exercise in risk management. For example, imagine you own a coffee shop. You want to reduce the liability risk you face from patrons spilling hot coffee on themselves. You have two levers to manage this risk: reducing likelihood and reducing impact. You can reduce the chances of an accident by selling every cup with a very tight lid. Sure, the tiny hole makes it more difficult for customers to drink. But it also makes the beverage harder to spill (reducing the likelihood).
You could also reduce the harm from potential accidents (reducing the impact). You could sell only small sizes so less coffee can be spilled. Or you could lower the temperature of the coffee you serve. Those spills would make someone wet and sticky, but they’d be unlikely to cause severe burns. Of course, you may also increase the number of complaints from people who prefer larger or hotter beverages.
Reducing the Effect of Cybercrime
Similar trade-offs apply to your security choices. In cybersecurity, risk is a calculation of the likelihood of an incident multiplied by the impact that incident would have on your business. You can employ practices that make it less likely you’ll be the victim of a successful cyberattack. Simultaneously, you can help ensure that if you do suffer an attack, you’ll face less damage. In both cases, you’ll need to weigh the benefits of your options against negative impacts on your day-to-day operations.
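The likelihood-times-impact calculation, carried through for the three threat categories above, as an added example that is not part of the article: each candidate control pulls one of the two levers (likelihood or impact) and is ranked by the expected annual loss it removes minus what it costs. All figures, control names and reduction factors are constructed placeholders, not Tessitura's or anyone's real numbers.

```python
# Constructed figures for illustration only; real values come from your own
# incident history, insurer and finance team.
THREATS = {
    # annual likelihood (probability) and impact (cost if it happens)
    "ransomware": {"likelihood": 0.10, "impact": 400_000},
    "carding": {"likelihood": 0.60, "impact": 20_000},
    "payment redirection": {"likelihood": 0.25, "impact": 60_000},
}

# Each control scales the likelihood and/or impact of specific threats and has
# an annual cost. Factors below 1 are reductions; 1.0 means "no effect".
CONTROLS = {
    "offline backups + response plan": {
        "cost": 15_000,
        "effects": {"ransomware": {"likelihood": 1.0, "impact": 0.35}},
    },
    "card velocity checks + CAPTCHA": {
        "cost": 4_000,
        "effects": {"carding": {"likelihood": 0.25, "impact": 1.0}},
    },
    "supplier bank-detail callback verification": {
        "cost": 2_000,
        "effects": {"payment redirection": {"likelihood": 0.2, "impact": 1.0}},
    },
}

def annual_risk(threats):
    """Expected annual loss: the sum over threats of likelihood x impact."""
    return sum(t["likelihood"] * t["impact"] for t in threats.values())

def apply_control(threats, control):
    """Return a new threat table with the control's reductions applied."""
    out = {name: dict(t) for name, t in threats.items()}
    for name, factors in control["effects"].items():
        out[name]["likelihood"] *= factors["likelihood"]
        out[name]["impact"] *= factors["impact"]
    return out

def rank_controls(threats, controls):
    """Rank controls by net annual benefit: risk removed minus control cost."""
    baseline = annual_risk(threats)
    ranked = []
    for name, control in controls.items():
        residual = annual_risk(apply_control(threats, control))
        ranked.append((name, round(baseline - residual - control["cost"])))
    return sorted(ranked, key=lambda r: r[1], reverse=True)
```

A negative net benefit means the control costs more than the risk it removes, which is exactly the trade-off the coffee-shop analogy describes.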
The following are steps you might consider based on the risks faced by your organization.
- Determine accountability. Know (and agree on) who in your company is responsible for cybersecurity. There is no more powerful motivator for getting cybersecurity right than being the person whose reputation is on the line if you get it wrong. That person does not have to be a technical expert. They do need a strong understanding of your business practices. And they should have the ability to assign necessary resources in proportion to your risk.
- Create a formal incident response plan. It’s critical to prepare your team so you know what you will do in the event of a cyberattack. Organizations such as the National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA) have detailed materials that can help you plan. The faster you respond, the less damage there will be. Having a response plan means not having to make every critical decision in the heat of the moment.
- Consider investing in cyber insurance. Pulling together resources you need to respond to an incident can be expensive. Your response team might include outside security and forensics consultants, legal support and crisis management professionals. You might need temporary systems to keep your business running while you recover. Cyber insurance could help you get the resources you need quickly, at a time when you don’t want to debate how much it will cost to call in the cavalry.
- Collect and store minimal sensitive information. Gather only the information you need to run your business. When you no longer need that information, destroy it. Many arts and culture organizations are familiar with this approach through modern payment processing technologies that use tokenization. These systems allow you to keep customer payment methods on file without storing customer credit card details. Then, even if cybercriminals break into your database, they can’t extract original credit card numbers.
- Run regular security tests. You might have heard the terms white-hat hacking, ethical hacking or penetration testing. Whatever you call this process, independent security consultants can help you improve your cybersecurity outcomes. By giving them permission to test the security of your systems, a consultant can identify vulnerabilities and recommend ways to fix them. Because these tests replicate a real cyberattack, it’s important to know whether your service providers will permit you to run a security test and, if so, to warn them of your test in advance.
- Use a strong security stack. Your security stack comprises all the technology you use to protect your information and systems. For arts and culture teams, you might need to protect the systems you use to manage your customer database, ticketing, fundraising, finances, concessions and other transactions. Every organization uses different combinations of software and will have different compliance obligations. Know what you need to protect, then choose tools or services that lower your cybersecurity risk while balancing the cost and impact to your customers.
At Tessitura, we think deeply about how to mitigate cybercrime on behalf of our member organizations. We regularly test our software and infrastructure for vulnerabilities. Most of our members choose to use our cloud environment, and we protect that environment using both automated vulnerability scans and manual penetration tests. The scope of our penetration tests includes multiple, interconnected systems, simulating how a bad actor could leverage one system to access another. Everything we learn from those tests and scans is incorporated into our security tools and processes.
Security is Tessitura’s top technology priority. You can learn more about our commitment to security on our website.
Nic Boling is the Vice President of Information Technology & Security at Tessitura. He was previously Chief Technology Officer at Sydney Opera House, where he led the teams responsible for networked systems, application support, operational technology, web development, information management and cybersecurity. He holds a bachelor’s degree in security analysis and double master’s degrees in policing intelligence and counterterrorism and international security studies. He leverages this background in security and public policy to mitigate cybersecurity and business continuity risks.
This content was adapted from Nic’s presentation at the 2023 INTIX Annual Conference & Exhibition.
This article was sponsored by Tessitura.