As cyber crime rises, arts organizations seek cost-effective security

Imagine a typical workday at an office, opening and skimming through email after email. On a particularly busy day, rather than reading every subject line carefully, an employee might click on a seemingly innocuous link such as “track your package” or “verify your email.” Suddenly, company computers begin to slow down. Some programs begin to lag or fail outright. Error messages blink across screens. These days, opening one compromised link can be all it takes to make a company vulnerable to a cyberattack, which can cripple an organization and cost thousands or millions of dollars to repair.
Such breaches have become all too common and have cost governments, businesses, hospitals, and other organizations tens of millions of dollars in ransom fees and security costs. “Back in the ’90s, it was the nerds in the basement trying to write that code that could infect a million computers, just to show that they could do it,” says Michael Tanney, director of operations for HLP Associates, a Washington, D.C.-based company that provides IT support and consulting to small businesses and trade associations. (OPERA America utilizes HLP Associates as a third-party consultant.) “Now, it’s criminal gangs doing it just to make money,” Tanney says.
Opera companies have not escaped these cyber attacks unscathed in recent years. Last July, the digital marketing service WordFly — with high-profile clients including the Royal Opera House and the Canadian Opera Company — fell victim to a ransomware attack that compromised the data of the company and its customers. A few months later, in December, an attack on the Metropolitan Opera took down the organization’s website, box office, and payroll system for a period of nine days, costing the company hundreds of thousands of dollars in delayed or lost sales. A few months after that, the Philadelphia Orchestra and Kimmel Center fell victim to another attack. (Both the Met and Kimmel Center declined to comment, as did several other opera companies that had experienced cyber attacks in recent years. Understandably, most companies prefer to avoid publicly discussing their security measures.)
No one is safe, and like all organizations, opera companies are looking for ways to protect their data and online systems. “Hackers are just getting better and better at disguising their emails,” says Houston Grand Opera’s chief financial officer, Elizabeth Greer, who oversaw a preemptive assessment and upgrade of the company’s cyber security policies.
Houston Grand Opera’s first actions to increase security were to outsource its systems and network management to third-party companies equipped with better security than it could provide on its own. “It wasn’t realistic to expect our staff to be able to do everything we need to do to stay safe,” Greer says. She explains that the company has moved key systems that manage sensitive data such as credit card information, donor data, and its own financials (including Tessitura, Financial Edge, and its HRIS and payroll systems) to cloud-based platforms. These platforms host data on an off-site server maintained by a third-party provider that is responsible for hosting, managing, and securing the data. Often, such providers offer stronger security protocols than a company would be able to implement on its own. HGO also outsourced its network administration to DataVox, a Houston-based tech company, which was better equipped to handle threats than the opera company’s two-person IT department.
There are also free day-to-day steps that HGO takes to stay safe, Greer notes, including running Sophos Cybersecurity software daily, quarterly training for staff about safely opening emails, and multi-factor authentication for all users. Passwords are changed every 90 days, and every email is scanned through a Microsoft 365 tool and quarantined if suspicious. Greer adds that some HGO board members have also been able to point the organization to experts who provided consultations pro bono.
“IT, and security in general, is seen as a money sink because you don’t use it 99.9% of the time,” says OPERA America’s chief information officer, Kevin Sobczyk. Like Greer, he also recommends outsourcing cyber security to a third party, budget permitting. Sobczyk also recommends the philanthropic website TechSoup, which he describes as a “tech shopping mall” for nonprofits. It features discounted products that nonprofits can utilize. Ultimately, training employees on exactly how to spot these risks and avoid falling into traps is key. “Usually, the number one risk for an organization to be attacked is through its own employees,” Sobczyk says.
This article was published in the Summer 2023 issue of Opera America Magazine.

Maggie Gilroy
Maggie Gilroy is a theater teacher and has written for American Theatre magazine, Irish Dancing Magazine, TodayTix, and several of the USA Today Network’s New York publications.