Remote Work and Security for Associations

April 27, 2022

Brian Scott

Brian Scott, president and founder of ClearTone Consulting, provides executive technology consulting services based on 35 years of technology expertise and 20 years of CIO/CISO experience within the exhibitions and events industry. Brian provides expert technology consultation in the areas of technology strategy, software development, systems integration, data warehousing and analytics, cyber security, data center operations, cloud computing, and end user support. He works with his customers to overcome technology challenges, leverage tech to drive growth and revenue, secure valuable digital assets, and execute projects to meet the organizational objectives.

Since the onset of the pandemic, the FBI has reported cyberattacks to jump by 300%. No, that’s not a fabrication. These are the salad days for cybercriminals. As the office space abruptly entered our homes, and that includes both physical and electronic environments, more workers have become lax with their cyber precautions. It’s a natural response to adversity and change: Hunker down and simplify the things that you can control until the storm of chaos passes. The storm may be passing by, but what it’s leaving behind is looking quite different than the past.

We’re clearly not all headed back to the office, ever. A Forbes survey has shown that 96% of U.S. employees prefer a hybrid work model. That’s huge compared to pre-pandemic and no one thinks it’s ever going back to the office-centric model. Of course, people were working remotely prior to the pandemic, but does this “new normal” for so many staff change the way organizations need to be thinking about security? 

Cybercriminals know that something’s amiss…businesses need to wise up, as well.

According to a report by Malwarebytes, 20% of U.S. companies reported a security breach tied to a remote worker. The attack on the Colonial Pipeline is believed to have originated through the compromising of an employee password that allowed hackers to infiltrate company accounts. As our employees have been scattered across the country with the wind, our once manageable, safe and secure central office has been torn apart.

To make matters worse, now that everyone’s working from home, a lot of people are beginning to bleed home-work with work-work in such a way that they’re using their work laptop at home to do things like stream movies or download games. Anytime anyone downloads anything (intentional overuse of ‘any’) from the internet, there’s an increased risk of downloading malware, some kind of virus or unwittingly providing credentials to the wrong set of people.

A survey conducted by Malwarebytes asked respondents how they used their work devices. They found 53% reported sending or receiving personal email, 52% read news, 38% shopped online, 25% accessed their social media and 22% downloaded or installed non-company software. I believe the true numbers are much higher but respondents weren’t comfortable telling the truth.

And then there’s the flip side: using a personal device for work. Just when you thought things were bad, they got worse. A report from cybersecurity vendor Morphisec found that 56% of employees reported using their personal computer as their work device. And according to a survey by antivirus software maker Kaspersky, 36% of respondents did work on their personal laptop or desktop. 

What’s the bottom line with all these stats? Your attack surface for cybercrime has quickly morphed from a once clear and delineated perimeter completely under your control to an unclear assortment of devices, many of which are not under your control. To maintain an adequate level of security to protect all the valuable member and customer data you store, as well as organization documents, you must change your approach to security and do it quickly.

Now is the time to deploy annual security assessments.

If you’ve been following any of my previous blogs on security you’ll be familiar with my first and fundamental advice to organizations: “Turn on the lights.” By that I mean you should engage a security professional to provide an annual security assessment that highlights your strengths and weaknesses to help the organization have full, transparent awareness of their risk position. This is the best way to ensure your ever-changing security priorities stay up to date and targeted against your biggest risks. But short of that, I’ll share with you a couple of gotcha areas that I commonly see in the association industry.

The first is regarding multifactor (MFA) or two-factor authentication. Thank goodness this was adopted and deployed relatively quickly across the industry, as it is truly one of the most effective security controls for protecting your information. Simply said, if you haven’t deployed it yet, your systems have already been compromised whether you’re aware of it or not. But there is a common misunderstanding that accompanies MFA. 

One of the easiest areas to deploy MFA is against your email system. For example, if your organization is using Microsoft’s Office365, it’s really a matter of simply clicking a few configuration checkboxes and all your staff will be forced to create a second authentication method such as a text to a cell phone or a phone authentication app. But many organizations mistakenly believe they’re done at that point. I’ve seen far too many organizations provide VPN access into their networks, with this VPN access open to the internet, and yet the authentication into that VPN is not protected by MFA. It’s great you’ve protected your email, but you’ve left another door open to your entire network and file storage, and you’re inviting the bad actors in the world to have a crack at it all.

The second area that I see causing major concern is the use of unauthorized platforms to communicate and store sensitive or company information. With the “remote-ification” of our workforce, staff have been more willing to explore cloud, SaaS solutions to help with collaboration, communication and information-sharing. Individual departments have begun using tools without the IT team or the organizational leadership, having the opportunity to assess the platform and create a policy regarding how or if the organization should use it at all.  Now we have member data and proprietary information flying through the likes of Basecamp, Slack, Teams, Discord, Dropbox and believe me, Google Docs and Sheets galore! All unmonitored, uncontrolled and in many cases, used with the employee’s personal accounts and credentials. This is not good and is ripe for cyber problems.

The third problem area is phishing and security training. Most organizations I encounter are providing some level of phishing training on a regular basis. Again, if you’re not, then I can pretty much guarantee you’ve already been compromised. But unfortunately, they are too laxed in their expectation for employee responsibility to learn and exercise solid security practices.  I’ve found some organizations proudly state they phish test the staff once monthly, thinking “so we’re good, right?” Yet their failure rate is consistently at 30% every month. How can one-third of you staff failing to recognize a malicious phishing email and clicking on the link, downloading the attachment or even entering their credentials within a malicious site, every single month be considered acceptable? Be warned, big problems are coming!

For your organization, membership, employees, brand, board and for any other reason you can possibly think of, please engage a security professional either internal or external to your organization to help you identify and close these significant gaps in your protections. Do it before the inevitable does something much worse to you!

Don’t miss any event-related news: Sign up for our weekly e-newsletter HERE and engage with us on Twitter, Facebook, LinkedIn and Instagram!

Add new comment

Partner Voices
HERE, hosting responsible meetings and caring for our communities are top priorities. Through its 'Focused on What Matters: Embracing Humanity and Protecting the Planet' philosophy, MGM Resorts commits to creating a more sustainable future, while striving to make an impact in the lives of employees, guests, and the communities in which it operates. Water Stewardship Efforts MGM Resorts understands the importance of using water efficiently, especially in the desert destination of Las Vegas. Conserving water has always been part of the mission, but MGM Resorts has expanded its ambition into water stewardship. In 2022, MGM Resorts President and CEO Bill Hornbuckle signed the CEO Water Mandate—a UN Global Compact initiative mobilizing business leaders to advance water stewardship. MGM Resorts International was the first gaming company to take this important step. MGM Resorts replaced 200,000 square feet of real grass with drought-tolerant landscaping in Las Vegas. MGM Resorts pledges to reduce water withdrawal intensity by 33% by 2025 and by 35% by 2030. From 2007-2021, use of more than 5.6 billion gallons of water was avoided because of conservation efforts. Caring for One Another MGM Resorts’ Food Donations Program collects and preserves unserved food from conventions held at MGM Resorts properties, then safely donates to food insecure people in the community. Since the program’s launch in 2016, more than 3.7 million meals toward a 2025 goal of 5 million meals have been donated into the community. Donations include: Unserved perishable prepared foods from events Perishable unprepared food from MGM Resorts’ kitchens Nonperishable food items from minibars and warehouses The collaboration with Southern Nevada’s primary food bank, Three Square, has developed the infrastructure needed to safely collect, transport, and store food from MGM Resorts properties in Las Vegas, reducing food waste while serving the community. Fostering Diversity and Inclusion To MGM Resorts, a diverse and talented workforce is essential to success. By cultivating innovative strategies that consider multiple perspectives and viewpoints, the company creates an inclusive workplace culture that benefits its employees and community. MGM Resorts takes pride in being a welcoming home for veterans, individuals with disabilities, people from diverse backgrounds, LGBTQ+ community members, and more. This commitment to inclusion is reflected in the company's recruitment and hiring practices and its social responsibility initiatives. From the workplace to the community, MGM Resorts' commitment to diversity, equity and inclusion remains unwavering, and its efforts continue to create a more equitable and sustainable world for all. MGM Resorts understands its responsibility to contribute to the social and economic progress of the communities in which it operates. HERE, we embrace humanity.