Brian Scott, president and founder of ClearTone Consulting, provides executive technology consulting services based on 35 years of technology expertise and 20 years of CIO/CISO experience within the exhibitions and events industry. Brian provides expert technology consultation in the areas of technology strategy, software development, systems integration, data warehousing and analytics, cyber security, data center operations, cloud computing, and end user support. He works with his customers to overcome technology challenges, leverage tech to drive growth and revenue, secure valuable digital assets, and execute projects to meet the organizational objectives.
Remote Work and Security for Associations
Since the onset of the pandemic, the FBI has reported cyberattacks to jump by 300%. No, that’s not a fabrication. These are the salad days for cybercriminals. As the office space abruptly entered our homes, and that includes both physical and electronic environments, more workers have become lax with their cyber precautions. It’s a natural response to adversity and change: Hunker down and simplify the things that you can control until the storm of chaos passes. The storm may be passing by, but what it’s leaving behind is looking quite different than the past.
We’re clearly not all headed back to the office, ever. A Forbes survey has shown that 96% of U.S. employees prefer a hybrid work model. That’s huge compared to pre-pandemic and no one thinks it’s ever going back to the office-centric model. Of course, people were working remotely prior to the pandemic, but does this “new normal” for so many staff change the way organizations need to be thinking about security?
Cybercriminals know that something’s amiss…businesses need to wise up, as well.
According to a report by Malwarebytes, 20% of U.S. companies reported a security breach tied to a remote worker. The attack on the Colonial Pipeline is believed to have originated through the compromising of an employee password that allowed hackers to infiltrate company accounts. As our employees have been scattered across the country with the wind, our once manageable, safe and secure central office has been torn apart.
To make matters worse, now that everyone’s working from home, a lot of people are beginning to bleed home-work with work-work in such a way that they’re using their work laptop at home to do things like stream movies or download games. Anytime anyone downloads anything (intentional overuse of ‘any’) from the internet, there’s an increased risk of downloading malware, some kind of virus or unwittingly providing credentials to the wrong set of people.
A survey conducted by Malwarebytes asked respondents how they used their work devices. They found 53% reported sending or receiving personal email, 52% read news, 38% shopped online, 25% accessed their social media and 22% downloaded or installed non-company software. I believe the true numbers are much higher but respondents weren’t comfortable telling the truth.
And then there’s the flip side: using a personal device for work. Just when you thought things were bad, they got worse. A report from cybersecurity vendor Morphisec found that 56% of employees reported using their personal computer as their work device. And according to a survey by antivirus software maker Kaspersky, 36% of respondents did work on their personal laptop or desktop.
What’s the bottom line with all these stats? Your attack surface for cybercrime has quickly morphed from a once clear and delineated perimeter completely under your control to an unclear assortment of devices, many of which are not under your control. To maintain an adequate level of security to protect all the valuable member and customer data you store, as well as organization documents, you must change your approach to security and do it quickly.
Now is the time to deploy annual security assessments.
If you’ve been following any of my previous blogs on security you’ll be familiar with my first and fundamental advice to organizations: “Turn on the lights.” By that I mean you should engage a security professional to provide an annual security assessment that highlights your strengths and weaknesses to help the organization have full, transparent awareness of their risk position. This is the best way to ensure your ever-changing security priorities stay up to date and targeted against your biggest risks. But short of that, I’ll share with you a couple of gotcha areas that I commonly see in the association industry.
The first is regarding multifactor (MFA) or two-factor authentication. Thank goodness this was adopted and deployed relatively quickly across the industry, as it is truly one of the most effective security controls for protecting your information. Simply said, if you haven’t deployed it yet, your systems have already been compromised whether you’re aware of it or not. But there is a common misunderstanding that accompanies MFA.
One of the easiest areas to deploy MFA is against your email system. For example, if your organization is using Microsoft’s Office365, it’s really a matter of simply clicking a few configuration checkboxes and all your staff will be forced to create a second authentication method such as a text to a cell phone or a phone authentication app. But many organizations mistakenly believe they’re done at that point. I’ve seen far too many organizations provide VPN access into their networks, with this VPN access open to the internet, and yet the authentication into that VPN is not protected by MFA. It’s great you’ve protected your email, but you’ve left another door open to your entire network and file storage, and you’re inviting the bad actors in the world to have a crack at it all.
The second area that I see causing major concern is the use of unauthorized platforms to communicate and store sensitive or company information. With the “remote-ification” of our workforce, staff have been more willing to explore cloud, SaaS solutions to help with collaboration, communication and information-sharing. Individual departments have begun using tools without the IT team or the organizational leadership, having the opportunity to assess the platform and create a policy regarding how or if the organization should use it at all. Now we have member data and proprietary information flying through the likes of Basecamp, Slack, Teams, Discord, Dropbox and believe me, Google Docs and Sheets galore! All unmonitored, uncontrolled and in many cases, used with the employee’s personal accounts and credentials. This is not good and is ripe for cyber problems.
The third problem area is phishing and security training. Most organizations I encounter are providing some level of phishing training on a regular basis. Again, if you’re not, then I can pretty much guarantee you’ve already been compromised. But unfortunately, they are too laxed in their expectation for employee responsibility to learn and exercise solid security practices. I’ve found some organizations proudly state they phish test the staff once monthly, thinking “so we’re good, right?” Yet their failure rate is consistently at 30% every month. How can one-third of you staff failing to recognize a malicious phishing email and clicking on the link, downloading the attachment or even entering their credentials within a malicious site, every single month be considered acceptable? Be warned, big problems are coming!
For your organization, membership, employees, brand, board and for any other reason you can possibly think of, please engage a security professional either internal or external to your organization to help you identify and close these significant gaps in your protections. Do it before the inevitable does something much worse to you!