IT Security Case Study: Prospect Park Alliance

Central Park gets all the attention, but Prospect Park in Brooklyn is its equal in urban landscape architecture and as a center of activity for its borough. Designed by Frederick Law Olmsted and Calvert Vaux 150 years ago, today Prospect Park receives more than 10 million visits per year.

One big reason the park is so loved is the Prospect Park Alliance. The Alliance partners with New York City to provide maintenance and programming over the park’s 585 acres.

To manage so many people and acres, the Alliance uses a lot of technology. It maintains a database with more than 4,000 members and a separate database for volunteers. It also raises revenue through concessions, a tennis center, and programs, which requires taking payment information. Its staff of 80 uses computers and mobile devices to schedule events, manage maintenance work, communicate with the community, and more.

So, when a recent audit pointed out that the organization faced risks from hackers and others who might try to steal information, James Snow, Chief Operating Officer and Chief Financial Officer, took the finding very seriously.

Insure or Secure?

The auditor recommended that the Alliance purchase cyber-liability ("hacker") insurance to cover the costs of lost or stolen data. On the one hand, the recommendation was prudent: it offered some financial protection in the event of a major data breach. On the other hand, it also felt like a misdirection of resources, since a policy pays out after a breach but does nothing to prevent one.

“The lifeblood of the organization is raising money,” Snow said. “A lot of it is transacted by credit card. If it ever became known that giving your credit card to the Prospect Park Alliance is a risk, that would be a big problem for us.”

To Snow, insurance didn’t cover the biggest risk—the hit to the Alliance’s reputation if data were leaked or stolen.

With limited resources available for IT, Snow considered another option: What if, rather than buying insurance, the Alliance spent its money on reducing the risk of a data breach?

Assessing the Risks

Snow reached out to an IT consultant the Alliance relies on for strategic help and technical expertise. The consultant initiated a risk assessment that helped the Alliance inventory its data and evaluate how significant the loss would be if particular data sets were lost or exposed.

Together, the Alliance and its consultant identified a handful of ways the Alliance carried unnecessary risk and put together a plan for addressing them. Today, the Alliance has policies in place to protect its computers from opportunists who walk through the doors looking for an easy target. (Working in a public park means that its offices are in public buildings.) It also now requires more complex passwords and has stricter policies on handling credit card information, including making sure that any card numbers the Alliance does store are handled appropriately and in accordance with a defined policy.

In fact, the Alliance took the extra step of attesting that it is compliant with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is the standard the card brands require of any organization that accepts payment cards; smaller merchants such as the Alliance demonstrate compliance by completing a Self-Assessment Questionnaire in which they evaluate, control by control, whether they are sufficiently protecting payment information, rather than undergoing a third-party audit.

Policies and People Are the Best Protection

Snow estimates that the one-time cost of the risk assessment was roughly the same as its annual hacker insurance premium would have been. That means that by being proactive about data security, the Alliance will see cost savings starting next year and every year after that.

“You’re never going to have enough money to keep the bad people out,” Snow said. “Being safe comes down to policies.”

Policies are ultimately about people—they are guides that can help people make the right choices and avoid major risks. For the Alliance, the next step is making sure everyone in the organization understands and internalizes the policies.

“It’s important to educate employees about what the risks are,” Snow said. “They need to be reminded that there’s risk in what we do with our data.”
