While associations pay careful attention to virtually every aspect of their meetings when it comes to planning, promotion, content and travel arrangements, one area that is often neglected is cybersecurity and safety. And that simple fact is rendered more ominous by the reality that cyberattacks are becoming more and more frequent and ever more damaging to their victims. And by no means are associations exempt from the danger.
“Every association that is hosting large meetings needs to realize that they are a target,” says Alan Brill, the Secaucus, New Jersey-based senior managing director of the cybersecurity and investigations practice at the global security firm Kroll. “And that reality is based simply on the fact that a large number of people are going to be using a huge number of mobile devices while traveling. And that makes you a target, no matter what industry you’re involved with. Anybody who thinks they are not a target is being of tremendous help to the bad guys.”
Vivian Marinelli, senior director, crisis management services, at Milwaukee-based cybersecurity consultants FEI Behavioral Health, agrees that cyberthreats are universal today and that no organization is immune to risk. “And the risk grows constantly,” she says, “as hacking becomes more widespread and sophisticated.”
The primary risks faced by associations, just as they are for private and public companies, are financial and personal information, such as the Social Security numbers or credit card information, of staff members or meeting attendees, says Jason Paganessi, vice president of information technology at PCMA. “When it comes to associations, one of the big issues is the protection of personal data,” says Paganessi, who notes that the views he is expressing are his own and not official communication from PCMA. “And that responsibility is driven by factors like the data security standards from PCI, which must be adhered to.” Any association that stores any personally identifiable information and collects credit card payments, must comply with the PCI (Payment Card Industry) data security standard.
When it comes to association meetings and conventions, a large risk facing planners and attendees is the ill-advised use of free or “public” Wi-Fi networks in the destination, Paganessi says. “A large number of destinations have taken measures to prevent rogue Wi-Fi networks tricking attendees into connecting to them where they can see the traffic going through them, however it’s still a common threat to take into consideration.”
By now, Marinelli says, all associations and their meeting attendees should be aware of the severe vulnerability — and the lure — of free Wi-Fi networks.
Says Brill, “It is a relatively straightforward task for bad guys to generate a Wi-Fi signal that is going to look equal to or better than a real one. And they might even tailor it to your meeting and say, ‘Attention medical convention attendees — free Wi-Fi available to you.’ ” Such a hoax is called a “man in the middle” attack. It means the bad guys now have unfettered access to your computer.
And the risk is ubiquitous, Marinelli says. “The chances are good that if a free Wi-Fi hot spot has materialized at your meeting, it was created for a nefarious purpose that is disguised.”
She advises clients to inform meeting attendees they should never use the free Wi-Fi networks in a Starbucks or any other public place. “It could easily be coming from a hacker who put it out there to lure you in,” she says.
The fundamental factor that underlies the broader risks of Wi-Fi, Brill says, is that “we’ve gotten people to the point that when they are at a hotel or convention center, they expect free wireless internet. That is what has created the vulnerability that everybody now faces.”
The shocker, according to Brill: The typical meeting attendee is not aware of the risk, nor are they prepared for one. “And a big part of the problem,” he says, “is that meeting attendees don’t read their program or background material. Or the association people running the meeting don’t make announcements telling attendees not to use the free Wi-Fi networks they’ll be offered. They don’t make attendees aware of the risks and the things they should be looking for. So if I create a fake Wi-Fi network that sounds like it’s related to your meeting, I have a pretty good chance of getting you to sign onto it.”
Not even the safety of the Wi-Fi network at a hotel or convention center should be taken for granted, Brill says. The impetus is on the association to make sure that such networks are secure. “You must make sure that the provider is using secure equipment and that it has secure connection from its technology to the internet. You also need to make sure that the people involved in running it have been backgrounded and vetted.” And again, he says, few associations take such measures by asking such questions.
The good news is that Brill offers a simple recommendation for risk mitigation. “Before attendees head out to your meeting, send them an email that is about just one thing,” he says. “And that one thing is online security. And what it’s going to say is, ‘We know that many people today experience spoofed Wi-Fi being operated by criminals. We do not want you to be a victim, so we are informing you that the official Wi-Fi network for the meeting is named XYZ. That is the only network you should connect to. If you connect to anything else, we cannot promise that you are secure.’ ”
Somewhat incredibly, he says that in his experience and observation, almost no associations undertake such a simple and obvious action. “There are just so many things going on before a meeting that something as simple as the action I’m suggesting does not get taken.”
Therefore, he offers a backup measure: Make formal announcements at the meeting. “For example, do it at the beginning of an opening general session,” he says. “The real point is that you have already gone to the trouble and expense of providing a secure network at the meeting. Why not go that last step and make it easy for people to connect to the right network and avoid the risky ones?”
Given the enormity and inevitability of the risk, the other good news is that two well-established best practices — the use of a virtual private network, or VPN, and two-factor authentication — can eradicate much of the exposure. “A VPN is a very easy measure to take, and it works,” Paganessi says.
A VPN is, in effect, a computer program that creates encrypted connections. “And because of that, it’s much harder for someone to intercept your signal,” Brill says. And the technology is widely available and inexpensive today. It can be acquired for just a month to cover the meeting dates, then canceled.
Brill suggests that associations use VPNs at all of their major meetings as a fundamental best practice.
Attendees also should be encouraged to use two-factor authentication to protect their personal information, including information related to the meeting, Brill says.
Two-factor authentication requires an additional piece of information to log in and visit an exterior website. The second factor can include anything from an extra PIN to a fingerprint.
Marinelli notes that despite the overwhelming evidence of their effectiveness as security tools, not all associations are using VPNs and two-factor authentication at their meetings. Her advice: if your association is not doing so, start now or risk the consequences.
Her caution even extends to the use of the official Wi-Fi networks at hotels, convention centers and other meeting venues. She advises associations to still deploy a VPN and two-factor authentication as insurance.
A relatively new threat, which Paganessi calls “social engineering,” uses technology — including one as basic and old school as the telephone — to manipulate behaviors of unsuspecting victims.
“An important element of cybersecurity is the ‘social’ part of it,” Paganessi says. “And what I mean by that is that a large part of security concerns, with any IT department, is not so much systems and software. It’s more about the people.”
So-called social engineering is probably the biggest risk that any IT department has to deal with today, he says.
As an example, he says a nefarious individual will call an organization on the phone and (trick) an employee into giving them the information they need to get access to its IT system. “Or an employee will get an email that looks like it comes from your CEO or treasurer. And it will say, ‘Hey, can you please make sure this bill gets paid? Here’s the invoicing and bank transfer information.’ I have heard, and this is third-party information, that people have fallen for that and paid large sums of money to a ‘vendor’ that is not really a vendor.”
In the most sophisticated executions of the scam, Paganessi says, the email appears to be a legitimate communication from the CEO to the organization’s chief financial officer. “And what you see is a pretty convincing invoice that the CEO asks to be paid.”
The great irony of the internet age, Paganessi says, is that too often, when confronted with such an online scheme, the victim does not bother to pick up the phone and call the CEO’s office to ask whether the request for such a payment is legitimate. “All you have to do,” he says, “is ask a question about whether the message is legitimate.”
How does an organization protect against such acts of clever social engineering? “Training and awareness,” Paganessi says. “At PCMA, we do updated internal training at least twice a month. And as part of those training sessions, we cover a range of topics including security. And we explain these different scenarios of how outsiders are getting access to systems. In the end, the most important thing is to make people in your organization aware that these things happen and what you need to do if they happen to you.”
Brill also cites social engineering as a key vulnerability. “For example, you might get a phone call from someone who tells you they are from your banking institution,” he says. “And they will tell you they are investigating a possible breach of your account. And they will often trick you into giving them you credit card number — and the PIN number and the expiration date.”
Another growing threat is the deployment of ransomware, which takes control of and, in effect, locks up your computer, then demands a payment to restore access.
Marinelli calls it one of the most serious current risks at meetings and events. And the most obvious consequence is the cost of removing it from your computer.
“The basic reason why ransomware is such a serious threat is that at a meeting, you are making yourself accessible to a lot of communication and information,” Marinelli says. “And often, quite a bit of that is from people you don’t know prior to the event. And even when you’re dealing with people you know, you don’t know how good the cybersecurity measures are at the organization or company they work for. For example, you have no way of knowing how up-to-date their systems are and whether they’re using all of the current security patches that are available. And those things make almost everyone vulnerable to a random attack.”
And, as Brill noted in a broader context, the reason why meeting planners and attendees are particularly vulnerable is that they are bringing multiple personal devices to the event and likely not taking all of the security precautions and measures that they should, Marinelli says. “And they are receiving a lot of information and a lot of emails while they’re at the meeting. And making just one mistake by clicking on an email or a link is all it takes to become infected. So the risk is that something will get through to them that does the damage, and they are not even aware of it until later.”
In the event of what appears to be a ransomware attack, the simplest solution is to turn the laptop off without doing anything else, she says. “And leave it off. Then contact your IT department and tell them what has happened.”
Yet another cybersecurity threat that is not well understood by meeting planners and attendees is the ever-widening distribution of free USB devices (flash drives) as promotional tools used by meeting sponsors or exhibitors. They can include everything from new product information to a presentation given in a general session or breakout.
Unfortunately, Marinelli says, they also can include malware designed to infiltrate your organization’s IT system. So Marinelli’s counsel is to be acutely aware of the risk involved in ever using them. “And do not accept and use one from an unknown or questionable source. Planners and attendees must be aware that giving you a malware-based free USB at a meeting is one of the easiest ways to access your network — or even to take control of it and hold it hostage.”
Marinelli also recommends that meeting planners and attendees routinely ask their IT departments for an up-to-date list of the measures that should be taken to protect themselves from an onsite breach. “Of course, the issue there is that so many IT departments have so much going on, they might not be able to help you,” Marinelli says. “So it’s really a personal responsibility of meeting planners and their attendees to stay informed and prepared.”
By the same token, when a planner or attendee returns from a meeting, he or she should ask their IT department to make sure their devices are secure and that they have not been infected with a virus or malware during the meeting.
The open question, she says, is how many associations or companies will go that far to protect themselves.
“You have to think about it this way,” Paganessi says. “Technology has created a lot of convenience for us. But it has also created a lot of susceptibility. So you have to be smart in the way you use the technology.”
Even with all recommended precautions, however, the risks remain serious and universal, Marinelli says. “There is no such thing, and there never will be, any such thing as absolute cybersecurity. And meanwhile, hackers will continue to get better and better at what they do. Therefore, the only real protection is constant vigilance.” AC&F