Remote Work and Security for Associations

April 27, 2022

Brian Scott

Brian Scott, president and founder of ClearTone Consulting, provides executive technology consulting services based on 35 years of technology expertise and 20 years of CIO/CISO experience within the exhibitions and events industry. Brian provides expert technology consultation in the areas of technology strategy, software development, systems integration, data warehousing and analytics, cyber security, data center operations, cloud computing, and end user support. He works with his customers to overcome technology challenges, leverage tech to drive growth and revenue, secure valuable digital assets, and execute projects to meet the organizational objectives.

Since the onset of the pandemic, the FBI has reported cyberattacks to jump by 300%. No, that’s not a fabrication. These are the salad days for cybercriminals. As the office space abruptly entered our homes, and that includes both physical and electronic environments, more workers have become lax with their cyber precautions. It’s a natural response to adversity and change: Hunker down and simplify the things that you can control until the storm of chaos passes. The storm may be passing by, but what it’s leaving behind is looking quite different than the past.

We’re clearly not all headed back to the office, ever. A Forbes survey has shown that 96% of U.S. employees prefer a hybrid work model. That’s huge compared to pre-pandemic and no one thinks it’s ever going back to the office-centric model. Of course, people were working remotely prior to the pandemic, but does this “new normal” for so many staff change the way organizations need to be thinking about security? 

Cybercriminals know that something’s amiss…businesses need to wise up, as well.

According to a report by Malwarebytes, 20% of U.S. companies reported a security breach tied to a remote worker. The attack on the Colonial Pipeline is believed to have originated through the compromising of an employee password that allowed hackers to infiltrate company accounts. As our employees have been scattered across the country with the wind, our once manageable, safe and secure central office has been torn apart.

To make matters worse, now that everyone’s working from home, a lot of people are beginning to bleed home-work with work-work in such a way that they’re using their work laptop at home to do things like stream movies or download games. Anytime anyone downloads anything (intentional overuse of ‘any’) from the internet, there’s an increased risk of downloading malware, some kind of virus or unwittingly providing credentials to the wrong set of people.

A survey conducted by Malwarebytes asked respondents how they used their work devices. They found 53% reported sending or receiving personal email, 52% read news, 38% shopped online, 25% accessed their social media and 22% downloaded or installed non-company software. I believe the true numbers are much higher but respondents weren’t comfortable telling the truth.

And then there’s the flip side: using a personal device for work. Just when you thought things were bad, they got worse. A report from cybersecurity vendor Morphisec found that 56% of employees reported using their personal computer as their work device. And according to a survey by antivirus software maker Kaspersky, 36% of respondents did work on their personal laptop or desktop. 

What’s the bottom line with all these stats? Your attack surface for cybercrime has quickly morphed from a once clear and delineated perimeter completely under your control to an unclear assortment of devices, many of which are not under your control. To maintain an adequate level of security to protect all the valuable member and customer data you store, as well as organization documents, you must change your approach to security and do it quickly.

Now is the time to deploy annual security assessments.

If you’ve been following any of my previous blogs on security you’ll be familiar with my first and fundamental advice to organizations: “Turn on the lights.” By that I mean you should engage a security professional to provide an annual security assessment that highlights your strengths and weaknesses to help the organization have full, transparent awareness of their risk position. This is the best way to ensure your ever-changing security priorities stay up to date and targeted against your biggest risks. But short of that, I’ll share with you a couple of gotcha areas that I commonly see in the association industry.

The first is regarding multifactor (MFA) or two-factor authentication. Thank goodness this was adopted and deployed relatively quickly across the industry, as it is truly one of the most effective security controls for protecting your information. Simply said, if you haven’t deployed it yet, your systems have already been compromised whether you’re aware of it or not. But there is a common misunderstanding that accompanies MFA. 

One of the easiest areas to deploy MFA is against your email system. For example, if your organization is using Microsoft’s Office365, it’s really a matter of simply clicking a few configuration checkboxes and all your staff will be forced to create a second authentication method such as a text to a cell phone or a phone authentication app. But many organizations mistakenly believe they’re done at that point. I’ve seen far too many organizations provide VPN access into their networks, with this VPN access open to the internet, and yet the authentication into that VPN is not protected by MFA. It’s great you’ve protected your email, but you’ve left another door open to your entire network and file storage, and you’re inviting the bad actors in the world to have a crack at it all.

The second area that I see causing major concern is the use of unauthorized platforms to communicate and store sensitive or company information. With the “remote-ification” of our workforce, staff have been more willing to explore cloud, SaaS solutions to help with collaboration, communication and information-sharing. Individual departments have begun using tools without the IT team or the organizational leadership, having the opportunity to assess the platform and create a policy regarding how or if the organization should use it at all.  Now we have member data and proprietary information flying through the likes of Basecamp, Slack, Teams, Discord, Dropbox and believe me, Google Docs and Sheets galore! All unmonitored, uncontrolled and in many cases, used with the employee’s personal accounts and credentials. This is not good and is ripe for cyber problems.

The third problem area is phishing and security training. Most organizations I encounter are providing some level of phishing training on a regular basis. Again, if you’re not, then I can pretty much guarantee you’ve already been compromised. But unfortunately, they are too laxed in their expectation for employee responsibility to learn and exercise solid security practices.  I’ve found some organizations proudly state they phish test the staff once monthly, thinking “so we’re good, right?” Yet their failure rate is consistently at 30% every month. How can one-third of you staff failing to recognize a malicious phishing email and clicking on the link, downloading the attachment or even entering their credentials within a malicious site, every single month be considered acceptable? Be warned, big problems are coming!

For your organization, membership, employees, brand, board and for any other reason you can possibly think of, please engage a security professional either internal or external to your organization to help you identify and close these significant gaps in your protections. Do it before the inevitable does something much worse to you!


Don’t miss any event-related news: Sign up for our weekly e-newsletter HERE and engage with us on Twitter, Facebook, LinkedIn and Instagram!

Add new comment

Partner Voices
Overview: The award-winning Orange County Convention Center (OCCC) goes the extra mile to make every day extraordinary by offering customer service excellence and industry-leading partnerships. From their dedicated in-house Rigging team to their robust Exhibitor Services, The Center of Hospitality brings your imagination to life by helping you host unforgettable meetings and events. With more than 2 million square feet of exhibit space, world-class services and a dream destination, we are committed to making even the most ambitious conventions a reality. In October 2023, the Orange County Board of County Commissioners voted to approve allocating Tourist Development Tax funding for the $560 million Phase 5A completion of the OCCC. The Convention Way Grand Concourse project will include enhancements to the North-South Building, featuring an additional 60,000 square feet of meeting space, an 80,000- square-foot ballroom and new entry to the North-South Building along Convention Way. “We are thrilled to begin work on completing our North-South Building which will allow us to meet the growing needs of our clients,” said OCCC Executive Director Mark Tester. “As an economic driver for the community, this project will provide the Center with connectivity and meeting space to host more events and continue to infuse the local economy with new money and expanding business opportunities.” Amenities: The Center of Hospitality goes above and beyond by offering world-class customer service and industry-leading partnerships. From the largest convention center Wi-Fi network to custom LAN/WAN design, the Center takes pride in enhancing exhibitor and customer experience.  The OCCC is the exclusive provider of electricity (24-hour power at no additional cost), aerial rigging and lighting, water, natural gas and propane, compressed air, and cable TV services. Convenience The Center is at the epicenter of the destination, with an abundance of hotels, restaurants, and attractions within walking distance. Pedestrian bridges connect both buildings to more than 5,200 rooms and is within a 15-minute drive from the Orlando International Airport. The convenience of the location goes hand-in-hand with top notch service to help meet an event’s every need. Gold Key Members The OCCC’s Gold Key Members represent the best of the best when it comes to exceptional service and exclusive benefits for clients, exhibitors and guests. The Center’s Gold Key memberships with Universal Orlando Resort, SeaWorld Orlando and Walt Disney World greatly enhance meeting planner and attendee experiences offering world-renowned venues, immersive experiences and creative resources for their events. OCCC Events: This fiscal year, the OCCC is projected to host 168 events, 1.7 million attendees, and $2.9 billion in economic impact.  The Center’s top five events during their 2022-2023 fiscal year included:  AAU Jr. National Volleyball Championships 2023 200,000 Attendees $257 Million in Economic Impact MEGACON 2023 160,000 Attendees $205 Million in Economic Impact Open Championship Series 2023 69,500 Attendees $89 Million in Economic Impact Sunshine Classic 2023 42,000 Attendees $54 Million in Economic Impact Premiere Orlando 2023 42,000 Attendees $108 Million in Economic Impact