Remote Work and Security for Associations

April 27, 2022

Brian Scott

Brian Scott, president and founder of ClearTone Consulting, provides executive technology consulting services based on 35 years of technology expertise and 20 years of CIO/CISO experience within the exhibitions and events industry. Brian provides expert technology consultation in the areas of technology strategy, software development, systems integration, data warehousing and analytics, cyber security, data center operations, cloud computing, and end user support. He works with his customers to overcome technology challenges, leverage tech to drive growth and revenue, secure valuable digital assets, and execute projects to meet the organizational objectives.

Since the onset of the pandemic, the FBI has reported cyberattacks to jump by 300%. No, that’s not a fabrication. These are the salad days for cybercriminals. As the office space abruptly entered our homes, and that includes both physical and electronic environments, more workers have become lax with their cyber precautions. It’s a natural response to adversity and change: Hunker down and simplify the things that you can control until the storm of chaos passes. The storm may be passing by, but what it’s leaving behind is looking quite different than the past.

We’re clearly not all headed back to the office, ever. A Forbes survey has shown that 96% of U.S. employees prefer a hybrid work model. That’s huge compared to pre-pandemic and no one thinks it’s ever going back to the office-centric model. Of course, people were working remotely prior to the pandemic, but does this “new normal” for so many staff change the way organizations need to be thinking about security?

Cybercriminals know that something’s amiss…businesses need to wise up, as well.

According to a report by Malwarebytes, 20% of U.S. companies reported a security breach tied to a remote worker. The attack on the Colonial Pipeline is believed to have originated through the compromising of an employee password that allowed hackers to infiltrate company accounts. As our employees have been scattered across the country with the wind, our once manageable, safe and secure central office has been torn apart.

To make matters worse, now that everyone’s working from home, a lot of people are beginning to bleed home-work with work-work in such a way that they’re using their work laptop at home to do things like stream movies or download games. Anytime anyone downloads anything (intentional overuse of ‘any’) from the internet, there’s an increased risk of downloading malware, some kind of virus or unwittingly providing credentials to the wrong set of people.

A survey conducted by Malwarebytes asked respondents how they used their work devices. They found 53% reported sending or receiving personal email, 52% read news, 38% shopped online, 25% accessed their social media and 22% downloaded or installed non-company software. I believe the true numbers are much higher but respondents weren’t comfortable telling the truth.

And then there’s the flip side: using a personal device for work. Just when you thought things were bad, they got worse. A report from cybersecurity vendor Morphisec found that 56% of employees reported using their personal computer as their work device. And according to a survey by antivirus software maker Kaspersky, 36% of respondents did work on their personal laptop or desktop.

What’s the bottom line with all these stats? Your attack surface for cybercrime has quickly morphed from a once clear and delineated perimeter completely under your control to an unclear assortment of devices, many of which are not under your control. To maintain an adequate level of security to protect all the valuable member and customer data you store, as well as organization documents, you must change your approach to security and do it quickly.

Now is the time to deploy annual security assessments.

If you’ve been following any of my previous blogs on security you’ll be familiar with my first and fundamental advice to organizations: “Turn on the lights.” By that I mean you should engage a security professional to provide an annual security assessment that highlights your strengths and weaknesses to help the organization have full, transparent awareness of their risk position. This is the best way to ensure your ever-changing security priorities stay up to date and targeted against your biggest risks. But short of that, I’ll share with you a couple of gotcha areas that I commonly see in the association industry.

The first is regarding multifactor (MFA) or two-factor authentication. Thank goodness this was adopted and deployed relatively quickly across the industry, as it is truly one of the most effective security controls for protecting your information. Simply said, if you haven’t deployed it yet, your systems have already been compromised whether you’re aware of it or not. But there is a common misunderstanding that accompanies MFA.

One of the easiest areas to deploy MFA is against your email system. For example, if your organization is using Microsoft’s Office365, it’s really a matter of simply clicking a few configuration checkboxes and all your staff will be forced to create a second authentication method such as a text to a cell phone or a phone authentication app. But many organizations mistakenly believe they’re done at that point. I’ve seen far too many organizations provide VPN access into their networks, with this VPN access open to the internet, and yet the authentication into that VPN is not protected by MFA. It’s great you’ve protected your email, but you’ve left another door open to your entire network and file storage, and you’re inviting the bad actors in the world to have a crack at it all.

The second area that I see causing major concern is the use of unauthorized platforms to communicate and store sensitive or company information. With the “remote-ification” of our workforce, staff have been more willing to explore cloud, SaaS solutions to help with collaboration, communication and information-sharing. Individual departments have begun using tools without the IT team or the organizational leadership, having the opportunity to assess the platform and create a policy regarding how or if the organization should use it at all. Now we have member data and proprietary information flying through the likes of Basecamp, Slack, Teams, Discord, Dropbox and believe me, Google Docs and Sheets galore! All unmonitored, uncontrolled and in many cases, used with the employee’s personal accounts and credentials. This is not good and is ripe for cyber problems.

The third problem area is phishing and security training. Most organizations I encounter are providing some level of phishing training on a regular basis. Again, if you’re not, then I can pretty much guarantee you’ve already been compromised. But unfortunately, they are too laxed in their expectation for employee responsibility to learn and exercise solid security practices. I’ve found some organizations proudly state they phish test the staff once monthly, thinking “so we’re good, right?” Yet their failure rate is consistently at 30% every month. How can one-third of you staff failing to recognize a malicious phishing email and clicking on the link, downloading the attachment or even entering their credentials within a malicious site, every single month be considered acceptable? Be warned, big problems are coming!

For your organization, membership, employees, brand, board and for any other reason you can possibly think of, please engage a security professional either internal or external to your organization to help you identify and close these significant gaps in your protections. Do it before the inevitable does something much worse to you!

Don’t miss any event-related news: Sign up for our weekly e-newsletter HERE and engage with us on Twitter, Facebook, LinkedIn and Instagram!

Add new comment

Partner Voices

MANDALAY BAY: HERE, CONFERENCES ARE INVITING AND INNOVATIVE

One of the most iconic names on the Las Vegas Strip just got an upgrade. Mandalay Bay has everything that your business needs from a refreshed convention space designed to inspire productivity and creativity, to an impressive selection of world-class restaurants and amenities. If you're looking for a venue that's both inviting and innovative, you have to be here. New Wave Experiences Mandalay Bay continues to invest in a new wave of enhancements both in the convention space and within the resort as a whole. New restaurant openings including Orla by Michael Mina, drawing inspiration from the award-winning chef’s childhood in Egypt and with flavors and décor inspired by the spices found in markets common to coastal Mediterranean towns, as well as Caramá by Wolfgang Puck, bringing the essence of Italy and spirit of Wolfgang into one concept, are recent additions. The Four Seasons Hotel Las Vegas also experienced a recent remodel of all 424 rooms. Swingers, a high-end, adults-only golf and entertainment concept will debut in Fall 2024. Enhanced Technology Creating a truly effective conference venue requires careful thought into what a business needs: the right technology, capacity, and inspiration to bring ideas to the next level. As part of the resort’s refresh, Mandalay Bay implemented state-of-the-art technology upgrades, installing cutting-edge Cat6A Ethernet cabling throughout the convention center. This advancement doubles the frequency of data transmission, enabling lightning-fast speeds up to 9400% faster. The convention center now boasts 11 dynamic digital walls, spanning up to 24' x 13', strategically positioned for brand placements, sponsorships and targeted event messaging. Additionally, attendees can benefit from 20 double-sided 55" mobile flexible display units, facilitating effortless navigation to meeting rooms and events. RFID locks were installed on all meeting room doors, and over 200 motion detection cameras have been placed throughout the space. Refreshing New Design & Fine Art The newly remodeled convention space provides a bright and vibrant atmosphere that complements Mandalay Bay's tropical-inspired brand. Featuring white-washed walls and ceilings adorned with bold floral patterns in cerulean and coral tones, the space is complemented by warm walnut accent walls. In addition to the redesign of all pre-function spaces, meeting rooms and ballrooms, Mandalay Bay's 1 million square feet of exhibit space has undergone a rejuvenation, including new paint, covered pillars and relocated strobe lights. Sustainable Spectacles Mandalay Bay is committed to Focused on What Matters and creating more responsible meetings. Refillable water stations all available around the resort, cutting unnecessary plastic usage from single-use bottles. The Mandalay Bay campus’ recent upgrades represent a bold step forward in redefining the Las Vegas experience. With a focus on innovation, sustainability, and unparalleled service, Mandalay Bay sets a new standard for excellence in business hospitality. Whether you're seeking cutting-edge conference facilities, world-class dining options, or simply a luxurious retreat, an unparalleled meeting experience awaits.

Learn More