Security has always been a concern in planning meetings. But in an increasingly complex world, few would argue that the need to keep information secure is taking on new levels of importance, especially when it comes to online interactions.
“Today, more than ever, planners are taking notice of security and risk management as it pertains to the planning of their own events,” says Matthew Marcial, CAE, CMP, vice president, education and events for Meeting Professionals International. He notes that while physical threats may garner the most attention, issues relating to cybersecurity are far more common.
The truth is, online crooks may be after much more than accessing your home computer or convincing you that a Nigerian prince needs to deposit big bucks into your bank account. For some, the meeting environment offers rich hunting grounds.
“Although it may seem like travel booking services, event planning services and conference organizing would not be a ripe target for cyberattacks, it would be incorrect to assume that these verticals are not targeted, oftentimes with success,” says Alex Heid, chief research officer at SecurityScorecard, a New York-based security rating and risk monitoring firm. Known as an experienced white hat hacker (one who hacks for the common good), Heid also has direct experience in planning meetings as an organizer with the HackMiami Conference that takes place every year in Miami Beach. He notes that hackers often target information that is not protected by advanced controls. This may include email address/password combinations, credit card data and other personally identifiable information that can be leveraged for underground criminal activities. Especially vulnerable is information basic to registration and payment processes.
Marcial says a high level of importance should be placed on ensuring that sensitive information such as credit card numbers and other personal information is securely stored, noting that many organizations no longer allow printing or e-mailing of this type of information. Too, planners as well as attendees and other stakeholders should exercise caution when using unsecured wireless networks, as this presents a greater risk for hacking and data theft. Advance work regarding compliance and emergency planning also should be undertaken.
“Planners should do their best to ensure that their organizations and suppliers are compliant with all local and federal regulations relating to their data management processes,” Marcial says. “At the planner level, this may mean only working with technology partners such as a registration provider whose systems are fully compliant with the latest security and data protection.” Every organization also should have a comprehensive crisis management plan in place in the event that reactive steps need to be taken, he adds.
“Cybersecurity is a critical issue that impacts this industry in many ways,” says Michael Lynn, co-founder of Dallas-based Global PEC and Professional Tradeshow Resources. “It’s especially critical in meeting and conference registration because name and credit card information can be hacked. The liability is costly and can have severe ramifications. Also, the hackers then can…cause overall havoc.”
Lynn recalls a meeting where an attendee inserted a flash drive with preloaded software into her computer, not realizing she had been set up for someone to access her personal and her company’s data and infect the overall system with a virus.
“I got a call and it turned out five computers had been affected so we had to destroy all five computers, including hers,” Lynn explains.
“Wireless security is typically the thing that meeting planners need to worry about the most,” says Tom DeSot, E.V.P. and chief information officer at Digital Defense Inc., a San Antonio computer security service provider. “More often than not, wireless networks are set up as open networks with little to no security so that it is easy for attendees to connect to and use the network.”
Meeting planners should go the next step, he suggests, by ensuring that the wireless network is set up with WPA2 security, and that the shared passphrase is provided only to the attendees and not to members of the hotel staff or other parties.
If a reliable and secure network is not provided, meeting attendees are likely to enable their own services such as mobile phone hotspots or other mobile wireless nodes. But this can cause problems, according to Ron Winward, security evangelist at Radware, a provider of cybersecurity solutions with North American headquarters in Mahwah, New Jersey. “When this happens, the wireless spectrums interfere with each other and everyone has a bad experience,” he says. To avoid this situation, he advises having a well-planned wireless network that supports both an encrypted protocol such as WPA2 (perhaps with 802.1X authentication added) and an unencrypted service.
“When I attend conferences, my greatest info security concern is that my personal data is secure and that I have access to secure Wi-Fi, which also encompasses having working internet access,” Winward says. He notes that many events even publish their network topology for users to see, where they can ensure nothing unusual is happening to their data.
“Protect your customer registration data and provide them with secure networking during their event,” he says. “Remember that unencrypted Wi-Fi and even WEP can be easily decoded by hackers onsite hoping to capture user data.”
Alvaro Hoyos, chief information security officer for OneLogin, an identity and access management solutions provider based in San Francisco, says planners also should keep in mind that event spaces are used by many different entities before and after a given event and thus should be considered unsecured, similar to working with public Wi-Fi in a coffee shop.
“You have no guarantees that the same level of security measures your IT team put into your corporate network is available in these spaces,” he says. “Attackers focused on one company will find the path of least resistance, and attacking an event space, rather than the company network, is bound to be an easier target.”
In many cases, a major point of weakness is an unsecured network, according to Hoyos. He points out that most event spaces offer hardwired or Wi-Fi networks as a service, whether it’s for attendees to be able to get an internet connection, for presenters to be able to show their slide deck from their laptop, or for other media purposes.
“Knowing that these networks will be used by other entities, sometimes because the event space publishes this information, is a great opportunity to try to intercept corporate data or compromise a corporate device,” he says.
Heid notes that while online event planning tools may offer positives and that some providers attempt to provide security solutions, using them also centralizes information within an easily accessible interface. That means if the organizer’s credentials or the service itself becomes compromised, registration and payment information can still be obtained by interlopers.
On the other hand, if an event organizer chooses to self-host registration solutions, Heid advises a less-is-more approach to the technologies employed. This might include using static HTML websites, along with payment services that process credit card payments without the meeting organizers ever handling credit card data themselves.
Too, if a planner chooses to make use of a third-party event service, the use of a continuous third-party vendor monitoring solution also is recommended by Heid.
“This solution allows users to keep an eye on the external security posture of any third-party company entity being utilized,” he says. “You can respond to security issues before they have a negative impact.”
“The importance of planning for cybersecurity is a risk management decision that should be based on the circumstances of the event,” says Christopher Wright, principal of Citadel Systems, an Arkansas-based cybersecurity consulting firm. “If the topics and information are more sensitive, the planner will need to make stronger plans to protect the information and the attendees.” In planning sensitive events for larger companies, he adds, the planner should consider meeting with a corporate threat intelligence or risk management group in the planning process.
Awareness is the key, according to Wright, who suggests that meeting organizers take steps to emphasize security needs to attendees.
“Notify them that Wi-Fi is provided as part of the venue, but that users should take additional steps to ensure their information is protected,” he says. “First and foremost, ensure that attendees know the proper hotspot to use. Nefarious people can set up hotspots that advertise free Wi-Fi and may seem legitimate, but then falsify connections to steal sensitive information or passwords.”
Wright adds that for corporate events, organizers also should emphasize the use of company VPN (virtual private network) software. This practice adds another layer of security and reduces the risk of data theft. For events requiring a higher than normal level of security, planners might want to work with corporate technical staff to provide dedicated and private connectivity for attendees. Beyond awareness, though, the decision is one of risk versus cost.
Hoyos notes that unsecured equipment also can bring challenges.
“Onsite equipment that will be used for media purposes can also be a big risk factor,” he says. “If a device is already compromised or not properly secured and you are saving files to it or logging into your accounts, you are introducing risks into your otherwise secured application or leaking internal information.”
Personal data also can be problematic.
“Guests signing in on tablets, pictures being taken and invites being sent out to personal email addresses are some ways personal data is picked up as part of an event,” Hoyos says.
He notes that understanding what data will be captured and what will reside with you versus the venue is important. “If any data will sit on the venue’s systems, even temporarily, you should have a process planned out to make sure you get verification that the data has been released to you or completely wiped from their systems,” he says. And since it’s your event, you will be liable for any personal data.
Robert Siciliano, CSP, CEO of IDTheftSecurity.com, says a key to avoiding problems is conferring with hotel security teams to determine what systems they have or don’t have in place. If they have some type of crisis management response plan it may include information regarding cybersecurity threats as well.
“It’s equally important that planners provide information in meeting brochures and handouts, or on the website, in regard to the attendees’ responsibility for their own information security,” he adds.
He notes that when a group leaves a meeting room for lunch, it’s inevitable that attendees leave laptops and tablets behind. Yet these devices can not only be easily stolen, but also infected with malware.
Too often, both planners and attendees live under the false sense of security that “these things won’t happen here,” Siciliano says. But even when equipment is secured in physical terms, it may still be vulnerable.
“Planners and event attendees are at high risk when everyone has access to mainframe, full data and wireless connection through the internet,” says Ann Windham James, owner of Texas-based trade show and event management firm Imagine Xhibits & Events. James also is the founder of TS Tech Summit, which will be held this year at host hotel Caesars Palace in Las Vegas. James and Michael Lynn are scheduled to give talks on cybersecurity and similar topics at the show set for April 20–23.
As far as best practices go, James says a registration computer should be preloaded with all related information processed on that computer, and it should not be linked to other computers. Similarly, planning staff should avoid using flash drives for transferring information to eliminate virus contamination from one computer to the next.
Often at conferences, attendee lists are downloaded and shared across computers, which can spread an infection from one machine to all of them.
Heid points to web application security for registration and payment processing as a major area to consider in achieving top security, along with secure storage and handling of registration lists and payment data.
“For web applications, ensure that all patches and updates are in place and configurations are hardened,” he says. “The use of a web application firewall service also goes a long way.”
He also advises employing third-party vendor risk-monitoring services to examine the external security postures of service providers offering business solutions such as registration, payment and mailing list service.
“Encourage attendees to use VPN services if they are going to use conference-provided Wi-Fi,” Heid adds. “Often the Wi-Fi is provided by the venue, and no special security controls are in place.”
In looking out for the interests of meeting attendees, planners should be especially aware of possible security breaches at high-end hotels, according to Seth Ruden, senior fraud consultant for ACI Worldwide in Waltham, Massachusetts.
“Fraudsters will work harder to compromise a high-end hotel as the target, with the logic that more affluent customers’ payment cards fetch a higher price on the black market,” he says. “That does not mean economy brands have not been affected; they certainly have, but at a much lower rate than their higher-end peers.”
Regardless of the venue, Hoyos says an assertive approach is called for.
“Asking the right questions is paramount,” he says. “You should not go into an event space and assume they have taken care of all security matters.” Instead, it’s wise to obtain a full understanding of the devices that will be used, how they are secured and if Wi-Fi network passwords will be unique to the event.
“If you are asking security questions right off the bat, they will understand this is important to you and provide you with the right resources,” he says.
Mike Baker, principal of Mosaic451, a managed security services provider with headquarters in Phoenix, Arizona, says a VPN is imperative for all corporate meetings where internet connections or access to a network are required.
“Today, it is far simpler for hackers to simply access devices through unsecure networks,” he says. “To make matters worse, victims of a hack attack may not even be aware that their sensitive data has been breached.” He points to recent news reports about “dark hotel” attacks on high-profile hotel guests through a simple Wi-Fi connection.
“Hackers prey upon the misplaced trust that guests or meeting/convention attendees have with the unsecured network connection,” Baker says. For example, unsuspecting guests at a hotel or elsewhere who are using shared connections on open Wi-Fi networks may be sent an update for their computer that looks to be something routine, so they accept. Then the moment the connection is made, every bit of information on a computer, from passwords to confidential business information, is vulnerable to cyberattack. Yet this could have been avoided with a virtual private network.
“That’s why a VPN connection is critical when connecting to the internet while on the go or while attending a meeting or trying to conduct business from a hotel,” he says. “VPNs offer total privacy to roam the internet freely without being tracked, monitored or having data collected and stored. VPN networks are designed to encrypt information before it goes through a network, thwarting potential attacks.”
Baker adds that encrypting data also can prevent information from being stolen or held ransom. “Encrypting email is actually a secondary protection against corporate information being stolen or held ransom at an offsite meeting,” he says. Most companies have exterior protection such as a firewall, but very few take steps to protect data at rest inside of their infrastructure. Database files, documents and emails can be encrypted on disk so that if a device is stolen or compromised, the data that resides on it is still protected, Baker says.
Of course, even with the most diligent efforts, problems with cybersecurity may occur. What happens if a security breach occurs?
“If it’s discovered that there has been an information security incident surrounding an event, such as the compromise of registration data or payment data, then a rapid notification to the affected parties is the most important action item,” Heid says. He stresses that attendees should be informed that their email address, password and/or payment information has been recently compromised. They then can take proactive steps to monitor for suspicious login activity, incoming spam messages, unauthorized credit card activity and similar indicators of compromise.
“Eventually, everyone becomes the victim of an information security breach, especially with the trends indicating a growing reliance on third-party services. What separates the winners from the losers is rapid response and mitigation of potential future incidents,” Heid says.
In the event problems arise, planners should first work through any protocol that their organization has in place, Marcial advises. “The situation should also be reported to local law enforcement.” Another strategy: have a communications plan ready to execute so that all stakeholders, including those who are affected by the situation, are kept up to date.
In planning to avoid such problems, James says it’s important to stress information security as a major part of the event planning process.
“Have a security expert on your advisory board, on retainer or on your team to protect from security threats and/or prevent breach issues.” She also advises having a plan in place with a checklist that includes steps to guard against cybersecurity threats. Such details should also be included in requests for proposals to prospective venues so respondents can describe the steps they’ve put in place to prevent hacks and security breaches. In addition, she notes that meeting planners should keep their education and certifications up to date in the area of information security.