Imagine a typical workday at an office, opening and skimming through email after email. On a particularly busy day, rather than reading every subject line carefully, an employee might click on a seemingly innocuous link such as “track your package” or “verify your email.” Suddenly, company computers begin to slow down. Some programs begin to lag or fail outright. Error messages blink across screens. These days, opening one compromised link can be all it takes to make a company vulnerable to a cyberattack, which can cripple an organization and cost thousands or millions of dollars to repair.

Such breaches have become all too common and have cost governments, businesses, hospitals, and more tens of millions of dollars in ran­som fees and security costs. “Back in the ’90s, it was the nerds in the basement trying to write that code that could infect a million computers, just to show that they could do it,” says Michael Tanney, director of operations for HLP Associates, a Washington, D.C.-based company that provides IT support and con­sulting to small businesses and trade associations. (OPERA America utilizes HLP Associates as a third-party consultant.) “Now, it’s criminal gangs doing it just to make money,” Tanney says.

Opera companies have not escaped these cyber attacks unscathed in recent years. Last July, the digital market­ing service WordFly — with high-profile clients includ­ing the Royal Opera House and the Canadian Opera Company — fell victim to a ransomware attack that com­promised the data of the company and its custom­ers. A few months later, in December, an attack on the Metropolitan Opera took down the organization’s web­site, box office, and payroll system for a period of nine days, costing the company hundreds of thousands of dol­lars in delayed or lost sales. A few months after that, the Philadelphia Orchestra and Kimmel Center fell victim to another attack. (Both the Met and Kimmel Center declined to comment, as did several other opera companies that had experienced cyber attacks in recent years. Understand­ably, most companies prefer to avoid publicly discussing their security measures.)

No one is safe, and like all organizations, opera compa­nies are looking for ways to protect their data and online systems. “Hackers are just getting better and better at disguising their emails,” says Houston Grand Opera’s chief financial officer, Eliz­abeth Greer, who oversaw a preemptive assessment and upgrade of the compa­ny’s cyber security policies.

Houston Grand Opera’s first actions to increase security were to outsource its systems and network management to third-party companies equipped with better secu­rity than it could provide on its own. “It wasn’t realistic to expect our staff to be able to do everything we need to do to stay safe,” Greer says. She explains that the com­pany has moved key systems that manage sensitive data such as credit card informa­tion, donor data, and their own financials — like Tes­situra, Financial Edge, and their HRIS and payroll sys­tems — to cloud-based platforms. These platforms host data on an off-site server that is maintained by a third-party provider responsible for hosting, managing, and securing this data. Often, such providers provide stron­ger security protocols than a company would be able to implement on its own. HGO also outsourced its network administration to Dat­aVox, a Houston-based tech company, which was more equipped to handle threats than the opera company’s two-person IT department.

There are also free day-to-day steps that HGO takes to stay safe, Greer notes, including running Sophos Cybersecurity software daily, quarterly training for staff about safely open­ing emails, and multi-factor authentication for all users. Passwords are changed every 90 days, and every email is scanned through a Microsoft 365 tool and quar­antined if suspicious. Greer adds that some HGO board members have also been able to point the organiza­tion to experts who provided consultations pro bono.

“IT, and security in gen­eral, is seen as a money sink because you don’t use it 99.9% of the time,” says OPERA America’s chief information officer, Kevin Sobczyk. Like Greer, he also recommends outsourcing cyber secu­rity to a third party, budget permitting. Sobczyk also rec­ommends the philanthropic website TechSoup, which he describes as a “tech shopping mall” for nonprofits. It fea­tures discounted products that nonprofits can utilize. Ultimately, training employ­ees on exactly how to spot these risks and avoid falling through traps is key. “Usu­ally, the number one risk for an organization to be attacked is through its own employees,” Sobczyk says.