Remote Work and Security for Associations

April 27, 2022

Brian Scott

Brian Scott, president and founder of ClearTone Consulting, provides executive technology consulting services based on 35 years of technology expertise and 20 years of CIO/CISO experience within the exhibitions and events industry. Brian provides expert technology consultation in the areas of technology strategy, software development, systems integration, data warehousing and analytics, cyber security, data center operations, cloud computing, and end user support. He works with his customers to overcome technology challenges, leverage tech to drive growth and revenue, secure valuable digital assets, and execute projects to meet the organizational objectives.

Since the onset of the pandemic, the FBI has reported that cyberattacks have jumped by 300%. No, that’s not a fabrication. These are the salad days for cybercriminals. As the office space abruptly moved into our homes, both the physical and the electronic environments, more workers have become lax with their cyber precautions. It’s a natural response to adversity and change: hunker down and simplify the things that you can control until the storm of chaos passes. The storm may be passing, but what it’s leaving behind looks quite different from the past.

We’re clearly not all headed back to the office, ever. A Forbes survey has shown that 96% of U.S. employees prefer a hybrid work model. That’s huge compared to pre-pandemic and no one thinks it’s ever going back to the office-centric model. Of course, people were working remotely prior to the pandemic, but does this “new normal” for so many staff change the way organizations need to be thinking about security? 

Cybercriminals know that something’s amiss; businesses need to wise up as well.

According to a report by Malwarebytes, 20% of U.S. companies reported a security breach tied to a remote worker. The attack on the Colonial Pipeline is believed to have originated through the compromising of an employee password that allowed hackers to infiltrate company accounts. As our employees have been scattered across the country with the wind, our once manageable, safe and secure central office has been torn apart.

To make matters worse, now that everyone’s working from home, a lot of people are beginning to blend home-work with work-work in such a way that they’re using their work laptop at home to do things like stream movies or download games. Any time anyone downloads anything (intentional overuse of ‘any’) from the internet, there’s an increased risk of downloading malware or some kind of virus, or of unwittingly handing credentials to the wrong set of people.

A survey conducted by Malwarebytes asked respondents how they used their work devices. They found 53% reported sending or receiving personal email, 52% read news, 38% shopped online, 25% accessed their social media and 22% downloaded or installed non-company software. I believe the true numbers are much higher but respondents weren’t comfortable telling the truth.

And then there’s the flip side: using a personal device for work. Just when you thought things were bad, they got worse. A report from cybersecurity vendor Morphisec found that 56% of employees reported using their personal computer as their work device. And according to a survey by antivirus software maker Kaspersky, 36% of respondents did work on their personal laptop or desktop. 

What’s the bottom line with all these stats? Your attack surface for cybercrime has quickly morphed from a once clear and delineated perimeter completely under your control to an unclear assortment of devices, many of which are not under your control. To maintain an adequate level of security to protect all the valuable member and customer data you store, as well as organization documents, you must change your approach to security and do it quickly.

Now is the time to deploy annual security assessments.

If you’ve been following any of my previous blogs on security you’ll be familiar with my first and fundamental advice to organizations: “Turn on the lights.” By that I mean you should engage a security professional to provide an annual security assessment that highlights your strengths and weaknesses to help the organization have full, transparent awareness of their risk position. This is the best way to ensure your ever-changing security priorities stay up to date and targeted against your biggest risks. But short of that, I’ll share with you a couple of gotcha areas that I commonly see in the association industry.

The first is multifactor authentication (MFA), also called two-factor authentication. Thank goodness this was adopted and deployed relatively quickly across the industry, as it is truly one of the most effective security controls for protecting your information. Simply said, if you haven’t deployed it yet, your systems have already been compromised whether you’re aware of it or not. But there is a common misunderstanding that accompanies MFA.

One of the easiest areas to deploy MFA is against your email system. For example, if your organization is using Microsoft’s Office365, it’s really a matter of simply clicking a few configuration checkboxes and all your staff will be forced to create a second authentication method such as a text to a cell phone or a phone authentication app. But many organizations mistakenly believe they’re done at that point. I’ve seen far too many organizations provide VPN access into their networks, with this VPN access open to the internet, and yet the authentication into that VPN is not protected by MFA. It’s great you’ve protected your email, but you’ve left another door open to your entire network and file storage, and you’re inviting the bad actors in the world to have a crack at it all.
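One way to verify that the VPN gap described above has actually been closed is to correlate VPN login events with MFA challenge events and list every login that had no MFA challenge shortly before it. The Python below is an added example, not code from the original post; the log line format, the five-minute window and the user names are all constructed assumptions, not any real product's output.

```python
"""Audit VPN logins for missing MFA by correlating two constructed log sources."""
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format (not from any real product):
#   <ISO timestamp> <source> <event> user=<name>
SAMPLE_LOG = """\
2022-04-25T08:01:10 mfa challenge_ok user=alice
2022-04-25T08:01:14 vpn login_ok user=alice
2022-04-25T08:05:02 vpn login_ok user=bob
2022-04-25T09:30:45 mfa challenge_ok user=carol
2022-04-25T09:42:00 vpn login_ok user=carol
2022-04-25T10:15:30 vpn login_ok user=dave
2022-04-25T10:15:31 mfa challenge_ok user=dave
"""


def parse_events(log_text):
    """Turn the constructed log text into (timestamp, source, event, user) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, event, user_field = line.split()
        events.append((datetime.fromisoformat(ts), source, event, user_field.split("=", 1)[1]))
    return sorted(events)  # chronological order so an MFA event can only cover later logins


def vpn_logins_without_mfa(log_text, window_seconds=300):
    """Return (user, timestamp) for every VPN login not preceded by an MFA success
    for the same user within window_seconds (assumed default: 5 minutes)."""
    window = timedelta(seconds=window_seconds)
    last_mfa = {}   # user -> time of their most recent successful MFA challenge
    findings = []
    for ts, source, event, user in parse_events(log_text):
        if source == "mfa" and event == "challenge_ok":
            last_mfa[user] = ts
        elif source == "vpn" and event == "login_ok":
            prior = last_mfa.get(user)
            # No MFA at all, MFA too long ago, or MFA logged only after the login: flag it
            if prior is None or ts - prior > window:
                findings.append((user, ts.isoformat()))
    return findings


def vpn_mfa_coverage(log_text, window_seconds=300):
    """Fraction of VPN logins that were covered by a timely MFA challenge."""
    logins = [e for e in parse_events(log_text) if e[1] == "vpn" and e[2] == "login_ok"]
    uncovered = len(vpn_logins_without_mfa(log_text, window_seconds))
    return 1.0 - uncovered / len(logins) if logins else 1.0


if __name__ == "__main__":
    for user, when in vpn_logins_without_mfa(SAMPLE_LOG):
        print(f"VPN login without MFA: {user} at {when}")
    print(f"VPN MFA coverage: {vpn_mfa_coverage(SAMPLE_LOG):.0%}")
```

With the constructed sample, bob never completes MFA, carol's challenge is too old, and dave's is logged only after the login, so three of four VPN logins are flagged and coverage is 25%.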

The second area that I see causing major concern is the use of unauthorized platforms to communicate and store sensitive or company information. With the “remote-ification” of our workforce, staff have been more willing to explore cloud and SaaS solutions to help with collaboration, communication and information-sharing. Individual departments have begun using tools without the IT team or the organizational leadership having the opportunity to assess the platform and create a policy regarding how, or whether, the organization should use it at all. Now we have member data and proprietary information flying through the likes of Basecamp, Slack, Teams, Discord, Dropbox and, believe me, Google Docs and Sheets galore! All unmonitored, uncontrolled and in many cases used with the employee’s personal accounts and credentials. This is not good and is ripe for cyber problems.

The third problem area is phishing and security training. Most organizations I encounter are providing some level of phishing training on a regular basis. Again, if you’re not, then I can pretty much guarantee you’ve already been compromised. But unfortunately, they are too lax in their expectation that employees take responsibility for learning and exercising solid security practices. I’ve found some organizations proudly state they phish test the staff once monthly, thinking “so we’re good, right?” Yet their failure rate is consistently at 30% every month. How can one-third of your staff failing to recognize a malicious phishing email, and clicking on the link, downloading the attachment or even entering their credentials within a malicious site, every single month be considered acceptable? Be warned, big problems are coming!

For your organization, membership, employees, brand, board and for any other reason you can possibly think of, please engage a security professional either internal or external to your organization to help you identify and close these significant gaps in your protections. Do it before the inevitable does something much worse to you!
