Esports & Online Risk: 8 ways to tighten your NPO’s cybersecurity

If you ran a summer youth program 50 years ago, your biggest liability concerns likely centered around protecting participants from injuries, allergic reactions and water-related hazards. Today, programs have one more big issue that is becoming increasingly relevant: cybersecurity. In particular, esports (also known as electronic sports, referring to multiplayer video games in which youngsters compete against other players) can open your participants and organization up to hackers.

Whether the participants use devices you provide, or they bring their own gaming systems, they run the risk of encountering problems, especially if you grant them access to your network.

While cybercriminals are becoming craftier every year, so are the defenses against them. The following are eight ways you can protect yourself and the youth who participate in your program.

Keep Software Up To Date

It’s a sad reality that cluttered systems can become a playground for would-be hackers. If your internet-connected devices have unused apps or out-of-date protection software, they put your entire organization at risk for malware or ransomware. Before opening your devices for public use, make sure they are completely up to date. If needed, hire a software consultant to check your devices at the beginning of the summer.

It’s not enough for you to safeguard your own devices. You should have a system in place that checks your participants’ devices to make sure they aren’t unwittingly exposing your network to dangerous software.

Allow System Access To Approved People

The fastest way to invite a hacker into your system is to advertise your Wi-Fi password far and wide for anyone to use. Your role is to protect your network — both for your organization’s safety and to protect the security of all the young people whose personal information is stored in your system.

Instead, allow system access only to those who have been approved. Rather than keeping your network open for all youth to use, limit their access to only certain times of the day, with certain devices. Be aware that when you allow them to play multiplayer games with their own devices on your network, you are creating a complicated web of liability that could come back to bite you.

Create Strong Passwords

The easier a password is to guess, the easier it is for a hacker to access a system. One common mistake people make is to use parts of their birthday or address in their password. Another is to use a word that can be found in the dictionary. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has said these types of passwords are susceptible to dictionary attacks that attempt to crack passwords based on common words or phrases.

CISA recommends a series of words with symbols replacing letters in some cases. For instance, instead of the password “football,” use 1LmGBp! for the phrase “I love my Green Bay Packers!” Using a combination of upper and lowercase letters, numbers and special characters creates a password very different from any common word that could be found in a dictionary.
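The two mistakes described above (dictionary words and pieces of a birthday or address) can be screened for when a password is chosen. The following is an added example, not code from this article or from CISA; the word list, birthday and address are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample word list; a real check would load a large dictionary
# and a list of known-breached passwords.
WORDLIST = {"football", "password", "packers", "summer", "dragon", "gamer"}

# Common symbol-for-letter swaps that guessing tools undo automatically.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lowercase the password and reverse common symbol substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def personal_fragments(birthday: str, address: str) -> set[str]:
    """Pieces of a birthday (YYYY-MM-DD) and street address a guesser would try."""
    year, month, day = birthday.split("-")
    frags = {year, month + day, day + month, month + day + year[2:]}
    # Street names of 4+ letters and house numbers of 3+ digits.
    frags |= {tok.lower() for tok in re.findall(r"[A-Za-z]{4,}|\d{3,}", address)}
    return frags


def weaknesses(password: str, birthday: str, address: str) -> list[str]:
    """Return the reasons a password is guessable; an empty list means none found."""
    reasons = []
    plain = normalize(password)
    letters_only = re.sub(r"[^a-z]", "", plain)  # ignore digits/symbols between letters
    for word in WORDLIST:
        if word in plain or word in letters_only:
            reasons.append(f"contains dictionary word '{word}'")
    lowered = password.lower()
    for frag in personal_fragments(birthday, address):
        if frag in lowered:
            reasons.append(f"contains personal detail '{frag}'")
    return sorted(reasons)


if __name__ == "__main__":
    # Constructed account details for the demonstration.
    for candidate in ["football", "F00tb@ll!", "Lambeau2011", "1LmGBp!"]:
        print(candidate, weaknesses(candidate, "2011-09-04", "1265 Lambeau Way"))
```

Swapping a few letters for symbols in a dictionary word does not help, because the check (like a guessing tool) reverses those swaps first; the phrase-derived password passes because no word or personal detail survives in it.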

Other ways to protect passwords include:

• Two-factor authentication: This requires additional information to gain access to a system, such as a code sent to a cellphone to verify the person using the password is the one who created it.
• Password managers: Rather than having to remember a long list of passwords, a person need only remember one password to access all the rest of the passwords. Avoid using the same password for more than one account.

Log Out Of Apps, Websites

Whenever young people are using your network, they should be closely supervised by staff members or volunteers who have been thoroughly trained in cybersecurity best practices. One of the most important things they need to know is that they should never stay logged in to a site after they are done using it.

Consider this scenario: A youth has been playing on a gaming site using one of your devices all morning. During that time, he interacts with several other anonymous users who know him only by his screen name. Instead of exiting the game, he walks away for lunch, intending to return after he has eaten to continue his game.

While his account is inactive, another user who lives halfway across the country takes the opportunity to hack into your system and steal his username and password. By the time the original user returns to the game, the cybercriminal has already exited and is using the youth’s stolen information to open an account on other sites.

It’s unrealistic to expect that the youth participating in your program will remember to log themselves off every time. So, task responsible adults with checking and double-checking on them. Just one indiscretion could put one or more people at serious risk.

Find A Security Vendor

There are many companies that offer data protection technologies. Do your homework and find a vendor that will work for your individual needs. Your vendor should offer credit card and bank account security, donor fraud protections, multifactor authentication and IP security.

Develop A Written Policy

In a worst-case scenario, a cybercriminal is able to access your organization’s network while youth are playing a game. For that situation, you may be liable for significant damages — both for your organization and for the young person. Investigators will start examining your organization’s practices and determine whether you had appropriate safety measures in place.

This is where a written policy comes in. Your policy regarding cybersecurity should detail who has access to the network, when they have access, who will be supervising them while they are online and how those supervisors will be enforcing the rules. The policy should also require that supervisors show participants what acceptable behavior and usage looks like.

Conduct Criminal Background Checks

Not all threats to cybersecurity emerge from outside your organization. It could be incredibly costly for you if it turns out one of your staff members or volunteers is stealing students’ information. This is why you should perform thorough background checks on every person who will be working with your program — both at the start of their employment, and every two to three years afterward. These checks will determine whether the candidate has ever been charged with a crime such as child abuse or cyber attacks.

Background checks aren’t enough. According to David Finkelhor, director of the Crimes Against Children Research Center, less than 10% of sexual offenders are ever criminally prosecuted. This means that more than 90% of offenders have no criminal record to check. So, while you should certainly perform background checks for all volunteers, you need to take other steps to protect children, as well. Those steps include asking applicants to:

• Submit a thorough application.
• Provide references who can give you a sense of their character.
• Participate in an interview with you and others in your organization.

Consider Cyber Liability Insurance

No matter how many protective measures you take, you are still open to liability if there are young people accessing your organization’s network. Threats can range from introducing malware or ransomware into your system and exposing participants’ personal information to outsiders to allowing cybercriminals to steal your participants’ identities. If young people at your program are actively communicating with others through their multiplayer games, they could even be the target of sexual abuse.

Insurance is the best way to protect yourself against any of these possibilities. Talk to your insurance company about what it would take to add cyber liability insurance to your policy. The amount of money it would add to your premium pales in comparison to what you might need to pay if your cybersecurity is compromised.

TO DO LIST:

• Keep Software Up To Date
• Approve System Access
• Strengthen Passwords
• Always Log Out
• Find Good Security Vendor
• Develop Policy – In Writing
• Check Backgrounds
• Get Cyber Liability Insurance


Nick Vaernhoej is assistant vice president, IT chief information security officer at Church Mutual Insurance Company, S.I. (a stock insurer). Reach him at [email protected]