Building a First Aid Kit for Data Breaches 06

Summer 2018 (vol. 12 issue 3) | www.csae.org EXCELLENCE BY ASSOCIATION

BUILDING A FIRST AID KIT FOR DATA BREACHES 06

10 AI IN YOUR FUTURE Colorado 12 BACKING UP YOUR DATA Society of Association 22 SPOTLIGHT: ALEXANDRA MERRICK Executives TAKE YOUR ASSOCIATION TO NEW HEIGHTS.

Book by December 31, 2018 and choose your reward.

50 - 150 Room Nights Choose One Reward 151 - 250 Room Nights Choose Two Rewards 251 - 350 Room Nights Choose Three Rewards 351 - 450 Room Nights Choose Four Rewards

BOOK JUST ONE MEETING AND MAXIMIZE YOUR REWARDS BY BOOKING TWO RECEIVE GREAT REWARDS* OR MORE MEETINGS THROUGH 2025*

• 3% credit to master on actualized room revenue • 5% credit to master on actualized room revenue • 5% discount on F&B • 10% discount on F&B • 1 per 45 lodging rooms comped • 1 per 35 lodging rooms comped • 25% off resort fee • 50% off resort fee • 3 Complimentary round trip airport transfers • 5 Complimentary round trip airport transfers • Complimentary WiFi in meeting space • Complimentary WiFi in meeting space • Complimentary one-night-stay gift certificate • Complimentary two-night-stay gift certificate • Complimentary catered happy hour or coffee break • Complimentary catered happy hour or coffee break • Complimentary board meeting with F&B break • Complimentary board meeting with F&B break for up to 12 people for up to 12 people • Complimentary one-hour yoga class per guest • Complimentary one-hour yoga class per guest

Visit vailresortsmeetings.com/associationpromotion to learn more

VAILRESORTSMEETINGS.COM | 970.496.6557 | [email protected]

*Offer valid for bookings contracted through December 31, 2018. Promotion valid for applicable groups that take place between April 1 through June 15 or October 1 through December 15, 2018 - 2025. Offer valid for new bookings only; previously contracted bookings are not eligible. Based on availability. Other restrictions may apply. contentssummer 2018 vol. 12 issue 3

10 features 06

6 Building a First Aid Kit for Data Breaches

10 How Artificial Intelligence Will Impact Your Association

12 Data Backups

departments GO DIGITAL An e-version of Executive Memo becomes News from the President...... 5 available on www.csae.org once the issue The Mission: TechTip...... 16 is published. It’s a fun, interactive way CSAE is the community that fosters personal excellence for all within the to experience and share the magazine. Resource Review...... 18 association management profession. Between editions, keep up on all things Member Benefit...... 20 CSAE via Facebook, Twitter and LinkedIn. The Promise: Member Spotlight...... 22 CSAE is committed to delivering high-value programs and services. Infographic...... 26 If a CSAE member is not completely satisfied with any CSAE offering, CSAE will make it right or refund the member’s money. On the Web | www.csae.org CSAE is: ABOUT: Who We Are, What We Offer, Leadership, CSAE News, Committees and Volunteers All about leadership LEARN: CSAE Events, Online Learning, Gray Matters Committed to association excellence ASSOCIATION RESOURCES: Articles, Publications, Books, Legislative Updates, Research and Reports Future-focused CAREER CENTER: Job Postings, Certification Information Unique learning opportunities JOIN CSAE: Membership Information ONLINE An effective advocate Don’t forget to check out csae.org for more resources, stories and inspiration. In fact, every time EXTRA you see the symbol at the right, that means we’ve got some more for you online.

Executive Memo is the quarterly publication of Colorado Society of Association Executives (CSAE) and is provided as a benefit to members. Submit your article to [email protected]. Deadline for all material is six weeks prior to issue date. Submissions are edited and published as space allows. Letters to the editor, suggestions, comments and encouragement are welcome. Expressed opinions and statements in this publication do not necessarily represent the opinions of the CSAE board of directors or its membership.

www.csae.org | summer 2018 | 3 Colorado Society of FOCUSING ON WHAT MATTERS MOST... Association Executives YOUR SUCCESS! www.csae.org

SUMMER 2018

Executive Memo is the official magazine of CSAE, Colorado Society of Association Executives. CSAE brings together association leaders to foster professional and personal excellence through unique learning opportunities that inspire members to achieve more and guide associations into the future. Copyright 2018 Colorado Society of Association Executives

CSAE EDITORIAL COMMITTEE: MARILEE YORCHAK, CAE, CO-CHAIR Digital Analytics Association [email protected] 303.728.4395  COMPLIMENTARY AIRPORT & LOCAL SHUTTLE  LESLIE SHIVERS, CAE, CO-CHAIR, CO-EDITOR 84,000 SQUARE FEET OF CONVENTION AND Association Pro to Go MEETING SPACE [email protected]  24HOUR BUSINESS CENTERS 303.359.2751  NEWLY RENOVATED FITNESS CENTER LANCE RITCHLIN, CO-EDITOR R-Star Productions, Inc.  HIGHSPEED INTERNET ACCESS IN EVERY ROOM [email protected] 303.842.5559  ONSITE DINING OPTIONS  SLEEP ADVANTAGE PROGRAM® LUXURIOUS MARY BETH ARMBRUSTER Independent Electrical Contractors Rocky Mountain BEDDING, QUIET ZONES, AROMATHERAPY, [email protected] & GUARANTEED WAKE UP CALLS 303.853.4886

15500 E. 40th Avenue, Denver, CO 80239 FRANCINE BUTLER, PHD, CMP, CAE (303) 3719494 Empressa Consulting cpdenverairport.com [email protected] 303.725.9155, ext.105

DON KNOX Civica Management [email protected] 720.457.1193

ERIN O’CONNELL Institute of Food Technologists Proudly Redefining [email protected] the CPA Experience 312.599.0027 Save the Dates! GRANT PRICE, MBA, CAE World Sign Associates [email protected] WHIPPLEWOOD 303.488.9700 CPAs BECKY ROLAND, CAE 2019 CSAE Phoenix AMC Accounting [email protected] • Annual 303.551.3266 Audit, Review & Compilation LAURIE SHIELDS • Laurie Shields Design Business Consulting Conference [email protected] • 303.777.6354 Employee Benefit Audits • CSAE EXECUTIVE DIRECTOR Payroll JOAN TEZAK, CAE, CMP • June 5-7, 2019 [email protected] Personal Success Planning CSAE PRESIDENT • KEITH SEGUNDO Taxation President/CEO Limitless Association Solution Resource www.whipplewoodcpas.com Pueblo Convention PO Box 631026 Littleton, CO 80163 [email protected] Center 850.322.3910 Pueblo, CO PUBLISHED BY: Colorado Society of Association Executives (CSAE) 8690 Wolff Court, Suite 200 Westminster, CO 80031 303.650.0301 office 303.650.1450 fax www.csae.org

SALES CONTACT: JOAN TEZAK, CAE, CMP 303.650.0301 [email protected]

4 | summer 2018 | www.csae.org from the NEWS president

Honored, Humbled, Enthusiastic and READY!!!

could not be more grateful for the opportunity to lead the Colorado Society of Association Executives (CSAE) as your 2018–2019 President . I must say, I never I imagined that I would have been selected by my colleagues to be your President . However, we are here, and I am ready…so thank you from the bottom of my heart . From the moment I was elected President, all of the emails, calls and in-person conversations began and they all started with two interesting questions . One, what do you want your legacy to be? Two, what do you want to accomplish during your presidency? Well, if you are looking for that typical presidential answer…that’s not me . Unfortunately, my response has been and will continue to be lackluster…this isn’t about me or “My Legacy” or what “I want CSAE to do ”. This is about you—the members . I have been entrusted by the membership of this organization to not just smile, nod and eat the typical conference chicken . I was selected to guide the Board, to serve at the will of the membership . This is a responsibility that I take extremely seriously . So that brought me to my next question . What is the will of the membership? What do our members truly need? So, this isn’t my President’s message, but ours . With our message, I acknowledge that we have a tremendous amount of work to do but only you can tell us what you want and need . It’s time to come together . The best organizations thrive because they work as one . I want nothing more than when members gather, we don’t look at our colleagues by their respective membership categories of Professionals, Associates, etc ,. but as what we all truly are—CSAE members . To grow and thrive in this ever- changing world we must work as one . We must lead the way and work as a strong collective, because when we stop embracing all member categories as equals, the ever-changing landscape will consume us . The time has come for CSAE members to express their voice on how they believe CSAE can step into 2018 and beyond to take care of our best asset—which is you, the member . We need your words, your thoughts…I am not talking about the typical Goldilocks syndrome feedback…the meeting room is too hot, the meeting room was too cold . I am talking about revolutionary changes . Those that will lead and be the disruptors and prevent CSAE from being the disrupted . So think about the following questions and please email, call, text, or carrier pigeon your answers to me . 1 . Excluding CSAE, what organizations are you most proud to be affiliated with and why? 2 . What is the single greatest reason that you belong to other organizations and why? 3 . What would you like to see CSAE do to make your experience that much better (go big here)? I am honored, excited and grateful to serve you the CSAE member . Please help me in making your member experience all that you deserve . Together we grow…let’s grow beyond all of our wildest expectations .

Humbly Yours, Keith

Keith Segundo President/CEO Limitless Association Solution Resource 850 322. 3910. keith@limitlessasr org.

www.csae.org | summer 2018 | 5 BUILDING A FIRST AID KIT FOR DATA BREACHES

By Thad Lurie, CAE, CIP, Vice President, Business Intelligence and Performance, Experient

n the past couple years, I’ve heard too many associations say Isomething such as, “We wouldn’t be a target for hackers, we’re a small organization and we don’t have any important information.”

6 | summer 2018 | www.csae.org Be aware that cybersecurity problems for small organizations BUILDING have risen dramatically in recent years. According to Symantec’s 2018 Internet Security A FIRST Threat Report, 65 percent of cyber attacks target small- and medium-sized THE MOST IMPORTANT ASPECT TECHNICAL RESPONSE OF A BREACH MITIGATION Your first step should be to contact a businesses. Automation PLAN IS THAT IT’S CREATED forensics/cybersecurity expert or firm, has made it lucrative BEFORE THE BREACH OCCURS, hopefully one you identified and vetted AID KIT when all the right people in your during the development of your breach for cyber criminals to organization can be involved in response plan. There are plenty of planning and your plan can go through companies that specialize in this area, attack thousands of small proper consideration and vetting. The and having one to give you advice and organizations. Such time to create a strategy is not when guide your process will be invaluable. organizations often lack your organization is in the middle of Your cybersecurity consulting FOR DATA managing a significant crisis. firm will assist you in making sure sophisticated defense The second point worth noting that your data systems are no longer about a response strategy is that there compromised, whether by addressing/ resources. are usually two primary elements: patching vulnerabilities, removing The first and best step the technical response and the infected computers from your network, communications response. These or taking other actions. They will also BREACHES to mitigating a breach should both be fully fleshed out, as one help you understand the scope of the is to prevent the breach without the other will not be nearly as breach—what data sources may have effective. been compromised—as well as helping in the first place, and So, let’s assume your organization you identify, isolate, and preserve the best way to do that has suffered a data breach. Now what any affected data for later study and do you do? mitigation. is to accept that your organization is likely a target (even if only a target of opportunity). percent of cyber attacks target small- and After all, an ounce of 65 medium-sized businesses. prevention is worth a -Symantec’s 2018 Internet Security Threat Report pound of cure, right?

www.csae.org | summer 2018 | 7 Everything you’ve done ahead of time is one more thing you don’t need to try to handle in the heat of the moment.

COMMUNICATIONS RESPONSE any associated foundations or other Please be advised that I am not an Once the size and depth of the breach related entities, and any collaborating attorney, and nothing in this article and the potential damages are better organizations or partners that may should be considered legal advice. Be sure understood, it’s time to share more specific have had data or an active data services to consult your organization’s attorney communications. Your communication connection with any compromised system before any data breach occurs, as you plan (developed ahead of time) should or platform. will need to understand your obligations include such items as approved parties to Please be advised, this is likely not a and responsibilities to all parties well in communicate with and answer questions comprehensive list; it’s merely a starting advance. from the press and/or membership, point to develop your organization’s list of pre-written message drafts for specific primary audiences with whom you need Thad Lurie is VP, Business parties and groups you’ll expect to to communicate regarding your data being Intelligence and Performance, communicate with, and specific cascading compromised. for Experient and works with communication plans and timelines. These steps should get your organizations in using their data Depending on the organizational organization moving in the right direction to drive improved business performance. structure and the seriousness of the if you experience a breach. Remember, Previously, he was VP Operations and CIO breach, consider making the following preparation is key here—everything you’ve for EDUCAUSE and led the association's parties part of the communication plan: done ahead of time is one more thing you functions relating to membership, marketing, the organization’s Board, the membership, don’t need to try to handle in the heat of conferences and events, content, web, and any brother or sister organizations, the moment. information technology.

YOUR MEMBERS’ CYBERSECURITY BILL OF RIGHTS

Policies and protection strategies will vary among associations, based on size and type of organization . But consider addressing these basic expectations your members will have .

> The association will protect your PII (personally identifiable information), such as your name, address, Social Security number, etc . > The association will notify you as quickly as possible if they suffer any data breach that affects you . > The association will provide an acceptable level of security for any transaction that contains financial or other sensitive data . > The association will provide confirmation anytime a transaction (purchase, profile update, etc .) occurs directly related to your account . > The association will adhere to their privacy policy and terms of service with respect to data sharing and sales .

8 | summer 2018 | www.csae.org CAREER CENTERS AMS LEARNING

EVENTS COMMUNICATIONS MANAGEMENT

REINVENT Amazing things happen when it all LUXURY comes together. IN COLORADO SPRINGS MORE MEMBERS • MORE ENGAGEMENT • MORE REVENUE With 27,500 sq. ft. of meeting space, renovated guest rooms, a swimming pool, fitness center, three brand new restaurants and a lobby bar, the Antlers, a Wyndham Hotel is your meeting headquarters.

naylor.com/achieve 4 S Cascade Ave. Colorado Springs, CO 80903 · 719.955.5600 · Antlers.com

Naylor 2017 Amazing Things 3.5x4.75.indd 1 2017-01-31 12:26 PM

“Outstanding facilities, lodging and service” A MEETINGS DESTINATION

“The location to WITH BACKBONE downtown is ideal” WIN A SITE FOR THE SENSES “The Beaver Run staff is GIVEAWAY what sets them apart”

“Group outings at the Jack Nicklaus golf course are world-class”

“On-site amenities like The Spa make for an extraordinary experience”

With over 40,000 square feet of exible meeting space, ample onsite amenities, a slope-side location nestled between Mountain and Main street and an exemplary team, a Beaver Run conference stands out from the rest. We’ve got the meeting planner testimonials to prove it.

Go online, call, or email 970-453-8780 VISIT for more information. [email protected] BeaverRun.com caspermeetings.com 24340

www.csae.org | summer 2018 | 9 HOW ARTIFICIAL INTELLIGENCE WILL IMPACT YOUR ASSOCIATION

By Jim Sterne, Founder, Marketing Evolution Experience and Board Chair Emeritus, Digital Analytics Association

et aside the unending hype around artificial intelligence and accept that Sit is valuable and destined to become an important part of your world. But what reason or common sense—it in the first place, which creates has none. But it can correlate new recommendations. And the part? What does the association of tomorrow information that may seem cycle continues. look like when armed with artificial unreasonable to a human and Machine learning reaches its discover some relationship full potential when it is given intelligence and machine learning? that, while nonsensical to the control over the environment. The truth is impossible to imagine in the observer, proves valuable to the Give the system your email organization. list, a variety of potential email same way today's Internet was unthinkable subject lines, and a database 20 years ago. Exploring the possibilities now THE ROBOT THAT of images to use, and it can CHANGES ITS MIND reduce the cycle of execution will prepare you for the eventualities. Further, once the machine has and revision from weeks to made a correlation, it can make seconds. It generates messages, DEFINING TERMS • W hich members are most a recommendation toward some sends them out, measures the Everybody is so excited likely to buy a ticket to an predetermined goal. results, and then changes its because machine learning, event? • H ow should we best encourage statistical opinion about which a central component of • W hich members are most at-risk members to renew? messages should go out to which artificial intelligence, is likely to run for office? members to improve the desired • H ow can we best entice a completely new way of Standard statistics can answer outcome. members to attend our next programming a computer. these questions, but only after This new way of conference? Instead of telling the machine a statistician has built a specific programming computers is exactly what to do to data, model, describing specific • W hen is the best time to send applicable to any problem data scientists create systems relationships between members out an email encouraging that can be described by webinar registration? that can infer rules about the and information about them. rules, allowing the machine to data, from the data, and use The statistician is responsible for • What subject line will persuade determine those rules based on those rules to solve problems assigning weights to individual the most members to serve on the data and the results. or answer questions. information elements, a committee? • P eople who have the same • Which members are most predetermining how much • H ow do we recruit the most profile and online behavior as likely to renew, and which more predictive membership nonmembers from a given our most active members are least likely? recency is than where members region? the most likely to respond to • W hich members are most live or their ages. The machine can review an email offering a VIP pass to likely to accept higher The machine does not look the results from those our next event. membership fees? at this information in the same recommendations, and • M embers who have served on • W hich members are most reasoned way as a human. It automatically recalculate the more than three committees likely to volunteer? uses higher math rather than mathematical model it created in the past seven months are 10 | summer 2018 | www.csae.org to people to perform. Ranking, advised nurses to delay treating and the ability to apply learning sorting, finding patterns and asthma patients who show from one field to another. This look-alikes, a needle in a signs of pneumonia. The data is the task of deciding how haystack, or finding anomalies showed that asthma patients to allocate resources, people, are, at their heart, as boring as recover faster from pneumonia money and machines, to further can be. That’s why we give these than all others. the machine did goals of the association. tasks to interns. not know that asthma patients Artificial intelligence is wildly But when there is so much who show signs of pneumonia complex, but so is your phone. information that an infinite are immediately whisked into Your job is not to create the number of interns can’t crank intensive care and that's why they new tools, but to figure out the out an answer in a practical recover faster. Not enough data. best way to put them to use. amount of time, the machine is On the other hand, give the Your job is safe as long as you priceless. machine too many variables to embrace these new and more However, the machine contemplate and it will not be powerful tools. cannot: confident about anything. The • D ecide which problem to machine will properly spit out a Jim Sterne has solve. long list of “it depends” results just published his rather than useful findings. 12th book, Artificial • D ecide which data to consider. Deciding which problems Intelligence for • D ecide if the output is to solve will remain a human Marketing: Practical Applications. reasonable. endeavor until long after the He produced the eMetrics most likely to agree to run for Your job will be to direct and current workforce retires. This Summit from 2002–2017 the Board of Directors. judge the machine, just as you is the job of the executive, the (now the Marketing Evolution would assign a task to a fresh • C ompanies with revenues manager, the journeyman Experience) and is cofounder recruit or a contractor, give them above $250 million with with years of experience. This and Board Chair Emeritus of the some instructions, and review more than 50 employees are requires common sense, gut feel Digital Analytics Association. the outcome. more likely to sponsor our Determining the conference. reasonableness of an outcome These rules do not have to remains a human task for now. make sense to humans. For It requires years of domain example, results may show: knowledge and common sense. • M embers who live to the west Does the output from the of their offices are most likely machine pass the smell test? to answer two surveys per Did the machine recommend quarter. sending out 200 emails a day • C ompanies with generous to the same person? While that paternity leave are most likely might be a statistically correct to drop their membership way of ensuring a response, a within three years. human can tell in the blink of an eye that it will not elicit the • Or ganizations that start with desired response. While the the letters B, D and T are machine might learn that on its more likely to reimburse their own, thousands of people will be employees’ membership fees. mighty upset in the process. The reasonableness of the Identifying which datasets observation is immaterial the machine should mull over is if actions taken because of thorny until machines get much these observations yield better faster (smarter). Given too little outcomes. information, the system will spit out a result with high confidence YOUR JOB IS SECURE that is completely wrong. While it may look like the Three coins landing heads machine is performing miracles, up will yield a prediction with the tasks it excels at are only 100 percent certainty that all considered “intelligent” because future coin flips will land heads we used to have to give them up as well. A medical system www.csae.org | summer 2018 | 11 DATA BACKUPS

12 | summer 2018 | www.csae.org By Don Knox, Managing Director, Civica Associations Conferences & Exhibitions

n email arrived in my company inbox last week, and it made my heart sink. DATA BACKUPS A “Notice of data breach,” it read. Uh-oh. An ancestry service that I subscribe to for personal use had been hacked, and my email address and hashed password (not the actual password) had been accessed. By Don Knox So, too, had those of 92.3 million other users. As data intrusions go, this breach was remarkable. In this age of encryption, how were the hackers able to access this file in the first place? I don’t know, and neither—still, apparently—does the service. “[Our] Information Security Team analyzed the file and began an investigation to determine how its contents were obtained,” the email detailed, without further detail. Was a server compromised? Did a rogue employee release the file? Or was a phishing scam or lax password security to blame? We may never know. On a personal level, however, the breach was no biggie. My email address is everywhere already, and I don’t much care if people know that I’m a user of the ancestry service in question. But my day job is running a company here in Colorado that serves nonprofit trade associations, professional societies, foundations and Political Action Committees. And in that capacity, I must worry. And because you are reading this magazine, you must worry, too.

www.csae.org | summer 2018 | 13 Besides cost, a big worry for these associations is how quickly they can retrieve their data file over the Internet.

frequently?), encryption (both when BORN IN THE CLOUD files are at rest and when they’re being By contrast, some associations have moved), hot sites (is the remote data stopped relying on a traditional in-office backup service saving to multiple servers file server. They sync their files to the at multiple locations?), and security cloud as they create and edit them. Faster, protocols both internally and at your cheaper, better, safer, they reason. How backup provider. could their little associations provide Associations that back up remotely more secure file storage than one of use one of countless enterprise-level the big providers? And association providers in the market, including management companies, which provide Amazon S3, Backblaze B2 Cloud Storage, outsourced services to nonprofits, often Code 42 CrashPlan, Microsoft Azure or figure it makes sense to outsource their OpenDrive for Business. data storage and backup, too. Besides cost, a big worry for these “Do I think about it, do I lose sleep associations is how quickly they can over it, no, I just know it’s being backed retrieve their backup data file over the up,” says Henry C. Kyle III, CAE, MPA, Internet in the event of a file-server crash executive vice president of the Colorado or intrusion. So Internet speed at the Assisted Living Association and a former provider level is critical. president of the Colorado Society of With a quick Internet search, you Association Executives. should find lots of provider comparisons, The association’s only close call came SECURE BACKUPS ARE CRITICAL from cost to download speed to how when Wells Fargo accounts were hacked, Association executives and their staffs you can restore business operations with but the bank made things good, Kyle work with private, even sensitive, minimal to no data loss. says. data that’s collectively owned by your Consulting your IT professional is Operating fully in the cloud has associations or foundations. Members important. And, as with doctors, it never payoffs. Precious IT dollars are spent expect this data to remain secure. hurts to get a second opinion—even the on integration and optimization, not on And you’re probably not an IT best technologists disagree, and as the hardware that must be maintained and professional. You didn’t go to school CEO, you need to hear all sides and make occasionally replaced. Because these for computer science. Instead, you judgment calls. associations are not tied to their own studied business or liberal arts, and you “Cloud-enabled managed failover hardware, they can transition between burnished that by getting some type of services that can enable the switch certification, maybe even a CAE. from primary systems to backups But where and how you store and back promise the fastest possible disaster up your association’s data, and how you recovery solution, increased resilience access it, are critical. and near-zero downtime for mission- Some associations store their critical applications,” writes Marc Langer electronic documents in a shared in the November 2017 issue of Risk file server in their office, and they’re Management, the magazine of the Risk tasked with securing that machine as and Insurance Management Society, well as backing it up to both an inside Inc. “It is a flexible approach, often and remote location in case their data outside the public cloud, that allows became compromised or damaged and companies to design and frequently test they needed to restore it. separate backup and recovery schemes They worry—or should worry— for different databases, applications about things like automatic backups and services.” (www.rmmagazine.com/ (how much data gets saved and how author/marc-langer/)

14 | summer 2018 | www.csae.org cloud providers should new features— security or otherwise—prove compelling. If your association also stores most or SOME CLOUD all of your work in the cloud, you must ask a similar set of questions as those BACKUP who store on physical servers. The timing of backups may be less critical, as the biggest cloud providers— PROVIDERS there are about 50 listed in the sidebar—allow you to synchronize files There are scores of cloud in real time. They should also provide backup services, as this list from versioning, which is a fancy way of Wikipedia attests, but finding the saying a computer file exists in several right service for your association versions at the same time. Native cloud users should be more depends on your needs . Ask concerned with their providers’ data good questions, and consult encryption and security protocols. your trusted IT professional . Besides storing our files in the cloud, could be hacked remotely, spoke last associations use a dizzying number of year about their exploits at a national Acronis, Backblaze, Baidu Cloud, cloud-based service providers. Most association conference. When the Q&A Barracuda Backup Service, AMS, or association management session turned to their personal security software, providers today are cloud- recommendations, they agreed that Box, Carbonite, CloudBerry Lab, based. So, too, are most ancillary all companies should use a password CloudMe, Comodo Backup, websites, most merchant-processing management system (think LastPass, CrashPlan, Dropbox, Dropmysite, providers, telephone systems, accounting DashLane, 1Password or KeePass). Egnyte, ElephantDrive, software and email services. These services can help defend In preparation of this article, a review against hackers by generating and FilesAnywhere, Google Drive, of the security protocol pages of cloud storing a different password for each of IASO Backup, iCloud, iDrive, providers returns more questions than your online accounts. Infrascale, Intronis, Iperius answers. Our team started using LastPass Online Storage, Jumpshare, All the providers purport to offer a month ago, and the benefits are high levels of security, detailing things obvious. Jungle Disk, KeepVault, such as PCI compliance (for credit A password manager allows us to Livedrive, luckycloud, MediaFire, card payments), firewall protection, periodically change passwords remotely, MEGA, Memopal, MiMedia, encryption, data-center access, password without our team missing a beat. They Mozy, OneDrive, SpiderOak, protection, session timeouts, user group also solve the problem of remembering permissions and secure remote backups. passwords – we’ve identified 200 SugarSync, Syncplicity, Tarsnap, But some providers provided more companywide passwords so far. TeamDrive, Tencent Weiyun, detail than others, which raises questions The moral of the story: Security is Trend Micro SafeSync, Tresorit, about how seriously association scary, but sometimes security makes life Unitrends Vault2Cloud, executives scrutinize these supposed easier, too. trusted partners. Stay safe out there. UpdateStar Online Backup, Yandex .Disk, Zetta .net, Zmanda THE HUMAN ELEMENT Don Knox is managing Cloud Backup . Security researchers Charlie Miller and director of Civica Associations Chris Valasek, who in 2015 famously Conferences & Exhibitions in demonstrated that a Jeep Cherokee southeast metro Denver.

www.csae.org | summer 2018 | 15 TECH tip

SECURITY How Healthy Is Your Site? If your website gathers data from users or accepts By Becky Roland, CAE, Phoenix AMC online payments, an SSL Certificate helps to protect ust as you schedule regular physicals with your doctor, your that data (see below) . Jorganization should test your website’s health on a frequent It is very important to work with reputable basis . Below are a few of the many items you may want to review as Online Payment Gateway services when accepting payments online, in order to you determine the fitness of your web presence . secure the critical credit card information in an encrypted format . ANALYTICS: BACKUPS If your webpage gathers personal There are many things As with all business information on users, consider whether a to consider when systems, a backup of secure in-house server with a third-party gathering analytics . your website and online offsite backup or a reputable third-party Here are just a few: files is critical . At a vendor will provide better security for your • Page views – How many times has a minimum, a full backup website and data . page been viewed? This will tell you should be done weekly . If you are gathering and storing data from users, you should what visitors most frequently need from SEO your site . consider an incremental backup . The frequency of incremental backups should Search engine optimization (SEO) is the • Click through – Click-through rate be based on the amount of data you’re process of getting traffic statistics from (CTR) is the ratio of users who click on a willing to recreate if there is an issue . search engine results . specific link to the number of total users who view a page, email, or advertisement . Backups should be stored offsite . All major search engines have primary It is commonly used to measure the search results, where web pages and other content such as videos or local success of an online advertising BANDWIDTH campaign for a particular website and the listings are ranked based on what the Bandwidth can refer to the rate at which effectiveness of email campaigns . search engine considers most relevant . data can be transferred, or the total amount The order of the results is based on • Bounce Rate – A website’s bounce of data allowed to be transferred from a criteria from free metatags and page rate is the percentage of people who web host during a given month (or other content to purchased ad words . When leave the site from the same page they hosting service term) before overage purchasing ad words, keep in mind that entered, without clicking through to any charges are applied . If you are able to you can choose whether your ad lists other pages . This can be an indicator of grab a cup of coffee while a page loads you at the top section of the web links or how good a website’s navigation is, as or report processes, you may need more to the side . Popular ad words are often well as an indicator of the quality of the bandwidth . auctioned off to the highest bidder . site’s content (a very high bounce rate doesn’t bode well for either of those things) . PAGE LOADING SPEED SERVER STORAGE SPACE • Traffic Source – Where are the webpage The time it takes to load a webpage should The server that houses visitors from geographically? What time of be three seconds or less, depending on your website shares the day do they access your website? the user’s line speed . If your members are space with the operating in rural areas, their Internet speed may be system . It may also be much lower than someone accessing your a shared server with other clients . For site from a high-tech commercial office . basic websites without a large amount of

16 | summer 2018 | www.csae.org graphics or videos, 1 GB of storage space VALIDITY should be fine . Valid web pages are those that return PASSWORD no errors based on the type of HTML/ MANAGEMENT SSL CERTIFICATE XHTML specified in the doctype declaration at the beginning of the file . Secure Sockets Layer (SSL) is a protocol In other words, the code used on the that helps secure communications over You have dozens page conforms to the specifications for computer networks and is most often and dozens that version of HTML/XHTML . This can used with email . An SSL certificate is a be checked through various validation of passwords digital document that ensures the content services, most commonly the one from provided is from the correct (verified) and managing W3C (http://validator .w3 .org/) sender . them is always a pain . A bad scenario is using USABILITY ARTICLE RESOURCES the same passwords for Interview with Gary Duhn, Owner of IRMS, How easy is it for a visitor to use your multiple sites but even gduhn@irmsco com. site as intended? Are navigation, content, worse is storing all of your images, and any interactive elements easy “Web Design Industry Jargon and Web various passwords in one to use and functioning the way they were Terms: Glossary and Resources,” Smashing intended? Will your intended target visitor Magazine, May 21, 2009 . document and then naming need any special training to use your site? the file “passwords” on your computer! Implement ITEM NORMAL RANGE a password manager (software or app) to fix Backup Weekly (full backup) the situation . These Daily if gathering data (incremental backup) programs typically install Bandwidth 25 mbs download as a browser plug-in and 3 mbs upload it will prompt you to save Links No broken links credentials when you save them, and will auto Page Loading Speed Less than 3 seconds populate them upon your

Security SSL Certificate, Online Payment Gateway, return . Try LastPass in-house server (www .lastpass .com) for SEO Metatags, Optimum Tags, buy ad words a free personal version or a paid version suitable for Server Storage Space More than 1GB a small to medium sized office ($29/user/year .) Usability Reviewed

Valid Tested

www.csae.org | summer 2018 | 17 RESOURCE review

GDPR and Your Organization

By Francine Butler, PhD, CAE, CMP, President, Empressa Consulting

t’s here…The regulation Here are fundamentals: Iwent into effect on May • If your organization has personal data of EU citizens, this applies to you . 25 . And what do those • This covers any file or database that has a person’s name or an ID in it . ominous letters mean? The • It doesn’t matter what country the hard drive containing the data is in, if it is about General Data Protection an EU citizen, the GDPR applies . Regulation was primarily • P ersonal data should be kept: Accurate and up to date, secured, transparent created to affect European about how it’s going to be used, restricted to the minimum needed to do the job . organizations, but also • T ell people what you are going to do with the data . Do that . Don’t do things with it other than that . impacts any US company • Be able to prove you got consent to use the data for the way you said you that has a web presence wanted to use it, and markets their products • Minimum age for consent is 16 . over the web . • Don’t collect data that is considered sensitive (race, religion, politics, health, criminal background) . According to an article by O .A . Dosunmu and C . Yang, published in the • Be honest and use plain language . Brookings Institute blog, “the European • Respond promptly to user requests . regulators were not thinking about organizations like us…their primary • Ask for proof of identity if needed . targets were social media companies • W hen you collect data from people tell them why you need the data and what and cloud service providers in the you are going to do with it . business of data collection ”. They • etc. note, “Nonprofits probably weren’t top of mind for European regulators . While it will be some time before the There are 98 Articles in the full document…I have touched on the first 20!! enforcement infrastructure will be fully The link to the full article follows and I urge you get a copy . . as it says…GDPR in place, no organization wants to be Requirements in Plain English the test case ”. https://blog .varonis .com/gdpr-requirements-list-in-plain-english/

18 | summer 2018 | www.csae.org Let’s Build a Better Organization Together Save money with NPP Membership is free. Join today at mynpp.com

COLORADO SPRINGS / DENVER / GRAND JUNCTION LOVELAND / SALT LAKE CITY / SCOTTSDALE

EmployersCouncil.org

www.csae.org | summer 2018 | 19 MEMBER benefit

Small Staff Association Roundtables and Resources By Nancy Erickson, MBA, CAE, President, Erickson and Associates Consulting, and Francine Butler, PhD, CAE, CMP, President, Empressa Consulting

How can CSAE support the CEOs who constantly juggle not just resources but competing pulls on their time to remain efficient and effective? One recent educational development has been a series of free breakfast roundtables for staff executives of associations with a small staff . These followed closely after the 2017 CSAE Conference breakout session, Small Staff Associations – Challenges and Strengths . That meeting initiated a conversation among association executives about how to fulfill their organizations’ mission and goals with limited resources . The roundtables, held in September, January and April, delved more deeply into areas of Management of Board and Volunteers as well as Building Successful Relationships with Staff and Vendors . The participants shared the gore and glory of how they successfully split their time between major responsibilities . One exercise polled the group about Nancy Erickson, MBA, CAE, President of Erickson and Associates Consulting, captures comments from the percentage of time spent managing attendees at recent roundtable dialog. their board, committees and individual members versus other staff who spend mong CSAE’s membership of local, state, national and time with those groups . For some, just thinking about where the pulls on their Ainternational associations, many operate with few staff . time exist also raised the question, Externally facing, each organization’s chief staff officer “Where should I be spending my time?” represents her association in all common service fronts: board Analyzing the key responses faced by relations, volunteer management, conference and educational CEOs leading associations with a small staff, highlighted issues include: programming, communications, and membership . Looking behind the curtain, the magic often happens through minimal EFFICIENCY staff, but with maximum use of contracted services—a mixture • Producing more with less • Leveraging your activities with of individual vendors and large suppliers . fewer people

20 | summer 2018 | www.csae.org • Doing it all for less money • Using staff vs . consultants or both • We utilize many cloud-based • Meeting multiple needs • Effective/efficient use of CEO talent technology tools—Microsoft 365 • “Hat” envy—wearing multiple hats and staff online, Google Drive, internet- based phone service, Zoom video • Prioritizing projects One example of a roundtable conferencing—that enable any • Being a “firefighter” on a daily basis participant’s survey response: staff person to work effectively no matter where they are located . This 1) What is one major challenge you MANAGEMENT EFFECTIVENESS facilitates the virtual staff team we face as the Executive Director/Senior have (two locally, two in different • Evaluating organizational models for Staff of your organization? management—outsource vs . staff, AMC states) . These tools also permit me • Revenue generation is a constant to work and stay connected when I • Competing with for-profits, especially challenge, of course . But I think travel (and I travel a lot) . in professional development the challenge that I feel most is • Managing the effects of industry the demands on my time . With Why attend a Small Staff changes on the organization just 3½ total staff, I struggle often Association Roundtable? This format • Juggling resources and volunteers to stay on top of everything . That of a small group conversation offers • Creating partnerships with vendors includes external outreach, building these advantages: and strengthening relationships • Build a community with peers with members, managing and CEO PROFESSIONAL supporting the board, overseeing • Make new connections DEVELOPMENT finances, guiding strategic plan • Get new ideas that can be • Defining scope of work/job review/ and performance monitoring, staff put to work: contracts/job descriptions supervision and support, scheduling - Serving members • Working “smarter” through effective my calendar, fundraising efforts . - Reducing costs time management 2) How have you addressed that - Increasing income • Considering succession planning challenge? - Creating efficiencies • Delivering value by doing what you • Typically by exhausting myself often - Improving efficiencies do best during the year . • Challenging aspects of being an 3) What are the resources (human and Watch for the next roundtable “entrepreneur” technological) that you turn to most in the CSAE Executive Memo and • Professionalizing yourself (CAE) frequently? online at www .csae .org . • I have a strong, capable team that VOLUNTEER ISSUES works well together, supports each • Improving Executive Director and other and functions independent of board communication me effectively . • Defining how policy affects the organization

• Overcoming board/volunteer lack of Introducing the Hyatt Regency Aurora- Denver Conference Center, Colorado’s engagement new premier meeting destination. Welcome to luxury and comfort, accessibility and • Ensuring board buy-in of the accomplishment. Welcome to limitless strategic plan connectivity. • Managing the squeaky wheel For information please call 720.859.8000 or visit hyattregencyaurora.com

HYATT REGENCY AURORA – STAFFING CHALLENGES DENVER CONFERENCE CENTER 13200 East 14th Place • Cross training of small staff/ Aurora CO 80011

PLEASEPLEASE REFERREFER mentoring staff TO CSAE ADAD TO TO RECEIVERECEIVE UPGRADED • Empowering staff for decision- CONCESSIONCONCESSION PACKAGE making/delegating to staff PACKAGE

www.csae.org | summer 2018 | 21 MEMBER spotlight

Alexandra Merrick

A Colorado native, Alexandra Merrick works for Visit Aurora, bringing business into the city through her passion to help organizations have successful, enjoyable events . She is relatively new to CSAE and just ended her first CSAE conference in June where she had a great time forming new friendships and making many great connections . As she said, “There is no substitution for meeting in person!” WHAT PROMPTED YOU TO JOIN CSAE? Our Director of Sales connected me with Tyrone Adams, a director at CSAE . We spoke about the organization shortly after I started with Visit Aurora and I was hooked! After our first conversation, I joined and signed up for the CSAE conference . Alexandra with her dog, Tina, and husband, Greg. WOULD YOU RECOMMEND OTHER NEW MEMBERS TO ATTEND THE groups and planners from Colorado and of that process . I strive to create a great CSAE CONFERENCE? touch states . However, my market later experience and inspire people to come Absolutely! It was a great conference evolved with an emphasis on associations, back to Aurora to host their meetings or with engaging speakers and topics that medical, and agriculture . events . sparked conversation . With so many different offerings, it was difficult to choose DATA PRIVACY IS SUCH AN which breakout session to attend! The WHAT DO YOU DO FOR FUN OR IMPORTANT AND HOT TOPIC IN YOUR FREE TIME? conference line-up was exciting and fast- RIGHT NOW. WHAT ARE YOU paced, so I was able to make the most of I love to travel, spend time with family, each session . HEARING FROM YOUR CLIENTS friends, and my dog, Tina . Growing up in ABOUT THEIR CONCERNS, AND Colorado, the outdoors and mountains WHAT WAS YOUR FAVORITE PART HOW IS YOUR ORGANIZATION have a special place in my heart, so I try to OF THE CONFERENCE? ADDRESSING THOSE CONCERNS? get out as often as I can! Although there are tons of ways we can Privacy and client confidentiality are connect with our peers in the digital age, extremely important to many different WHAT IS SOMETHING PEOPLE there is no substitution for meeting in types of businesses, including destination MAY NOT KNOW ABOUT YOU? marketing organizations . We have adopted person! Not only was the conference I love to scuba dive and have a Search and current data collection, storage, and beneficial professionally, but personally as Rescue dive license . My husband actually well . I made a lot of great connections with sharing processes to ensure the usage proposed to me underwater with a sign people from all different experience and of the information we collect is handled while we were visiting Mexico . backgrounds while having an awesome responsibly . We began communicating our time! There were plenty of opportunities dedication to privacy with our clients to to form new friendships and strengthen allow them peace of mind and, in doing so, WHAT DO YOU CONSIDER YOUR existing ones . we can focus on the unique needs of their GREATEST ACCOMPLISHMENT? meeting or event . Earning my MBA is something I'm WHEN DID YOU START WORKING extremely proud of . I had to master WITH ASSOCIATIONS, AND IN WHAT WHAT IS YOUR PASSION AND managing my time since I was working ROLE ARE YOU WORKING NOW? HOW DOES IT INSPIRE YOU IN full-time, planning a wedding, and I immediately started with groups and YOUR WORK? studying for a heavy course load . I had a planners when I started with Visit Aurora My passion is helping others achieve lot going on, but was super determined in September 2017 . I began working with success, and it is very fulfilling to be a part to get my degree!

22 | summer 2018 | www.csae.org ridgeline_CSAE_ad_3.5x4.75_print.pdf 1 1/4/18 11:17 PM

MORE THAN A BOARDROOM CY

CMY K Idel For: CONFERENCES, MEETINGS & WEDDINGS

Over 20,000 sq ft of Indoor/Outdoor Meeting & Event Space Customized Catering Options 147 Newly Remodeled Guest Rooms

LATITUDE 105 ALEHOUSE Gourmet burgers, craft beer, full bar and more!

970.480.4012 | 101 South Saint Vrain Ave. RidgelineHotel.com

OvEr 70,000 sQ. fEeT oF mEeTiNg sPaCe. AnD eNdLeSs vIeWs tO eNjOy. Now That’s Grand.

MeEtGrAnDjUnCtIoN.cOm | 800-962-2547

www.csae.org | summer 2018 | 23 2018 CONFERENCE HIGHLIGHTS

Conference Hotel

Doubletree by Hilton Greeley at Lincoln Park The CSAE Annual Conference,CSAE Annual June Conference 6–8, at June 6-8, 2018, Greeley, CO the Doubletree by Hilton

PlatinumGreeley, Sponsor provided aBronze glimpse Sponsors of the future while keeping Silvera firm Sponsor grasp on the present . Speaker Shelly Alcorn previewed the future of artificial intelligence for associations . Holly Duckworth emphasized mindfulness— living in the moment—and other speakers focused on skills attendees can apply right away .

24 | summer 2018 | www.csae.org SAVE THE DATE Plan now to attend the next CSAE Annual Conference, June 5–7, 2019, at the Pueblo Convention Center in Pueblo, Colo . Watch CSAE .org for more information on programming and registration .

Colorado Society of Association Executives

www.csae.org | summer 2018 | 25 CYBERSECURITY – HOW SAFE IS YOUR ASSOCIATION?

The ﬁ rst 24-48 hours after a cyber attack is the most critical time for evidence gathering and A D reassuring your members.

Global ransomware costs exceeded STEPS TO PREPARE The cost of a data breach FOR A DATA HACK involving fewer than 10,000 records was nearly 2 in 2017, a signifi cant increase Adopt a written information security policy of association boards are (WISP) from $325 million in 2015. concerned about cybersecurity. 1 Ransomware is growing by Source: 2016 Data Breach Ponemon Study Source: ASAE Make sure that all of your tech vendors 350 percent annually. 2 also have a WISP Source: Cisco 2017 Annual Cybersecurity Report Get cybersecurity insurance WHAT TO DO AFTER YOUR ASSOCIATION Average cost per stolen record: HAS BEEN HACKED 221 WHAT SHOULD YOU LOOK FOR IN CYBERSECURITY Follow your WISP INSURANCE? 1 Depending on the services provided by the association, Call your lawyer, then your it should include some or all of these coverages: 2 insurance agent • Crisis management coverage for expenses related to Investigate the breach incident management, the investigation, the remediation, data subject notifi cation, call management, credit checking for data subjects, legal costs, court attendance, and regulatory fi nes. Take public and member relations steps to minimize the damage • Extortion liability coverage for losses due to a threat Source: Associations Now, Nov/Dec 2015 Unfi lled cybersecurity of extortion and professional fees related to dealing with the jobs by 2019: extortion. • Network security liability coverage for third-party 1. damages as a result of a hacker denying owners access to HOW LONG DOES IT Cybercrime their website, costs related to data of third-party suppliers, and TAKE TO BREAK A damages expenses related to the theft of data on third-party systems. PASSWORD? worldwide Source: Associations Now, July/Aug 2016 Issue by 2021: 6 characters password = 2 seconds TIPS TO PREVENT 7 characters = 3 minutes 6 RANSOMWARE: 8 characters = 4.75 hours 1 Back up your data frequently 9 characters = 18+ days 600,000 2 Be mindful of fi le permissions 10 characters = 59+ months ! Facebook accounts are Vet your cloud provider Each additional character in your password makes it compromised every single day! Keep your employees mindful of risks 95 times harder to break! Source: CyberSecurity Investing News, May 2017 Source: Associations Now, March 2016 Source: Douglas County Cyber Security Awareness Training

Marilee Yorchak, CAE, Digital Analytics Association, and Laurie Shields, Laurie Shields Design. 26 | summer 2018 | www.csae.org

CSAE Summer_2018_InfoGraphic.indd 1 6/19/18 8:34 AM Cheyenne Meetings Happen!

Affordable. Cutting Edge. Visit Cheyenne’s services, combined with reasonable From assistance with social media to your very own mobile costs for meeting space, food, and beverage enhance meeting website and complimentary use of our cell phone the bottom line for your meeting. charging station, Visit Cheyenne helps your meeting be at the forefront of technology. Efficient. Visit Cheyenne assists in planning your meeting, Successful. selecting meeting space and hotel rooms. Our online Visit Cheyenne’s services, FREE registration system saves you money and our on- combined with outstanding site registration assistance streamlines your effort, meeting locations, ensure that your increasing productivity. meeting leaves attendees engaged, energized, and educated.

Start Planning Today! WWW.CHEYENNE.ORG Call Jim, Lisa or Will at 800-426-5009

we’llGive new get meaning you to the term “lunch break” Established in 1989 THERE Price•Quality•Service

•PioneerForms Printing offers •aEnvelopes rare combination of state-of-the-art technology and knowledgeable •expertLabels printers. We use it •onLetterhead every project we do for you, making sure you’re satisfied not just with an •exceptionalPosters printed product• atMagazines the right price but also with the whole customer experience. •Postcards •Newsletters •Brochures •Pocket Folders Meet in the mountainswelcome and be toinspired THERE by the. •BusinessFree Cards Project Consultations•Mailing Services beauty and adventure of Breckenridge, CO. Online Orders & Estimates Record-breaking a endance Ph. 303.799.9767 • Fax 303.799.9715 and a venue they’ll talk about Toll Free: 1.800.658.8005 www.wypioneer.com for years to come: we’ll help www.selectprintingservices.com 800.876.6564 get you there. 1501 West Tufts Avenue, Suite 101 Call or email for more information. Englewood, Colorado 80110 970.453.8780 | [email protected]/meet

csaenet.org | winter 2016 | 17 Thank You to CSAE for Allowing The DoubleTree by Hilton Greeley at Lincoln Park to Host the 2018 Annual Conference!

Please Call 970.350.5406 To Book Your Next Conference 919 7th Street Greeley, CO 80631