In an age where technology controls many facets of a business, attention to cybersecurity when face-to-face meetings resume will be paramount. Meeting and event planners recognize how technological breaches can rob them of vital intangible assets and affect the security of events of all sizes. Today’s meeting leaders must change how they’re incorporating appropriate resources to handle both attendee privacy and cybersecurity perspectives, and to properly assess their readiness to deal with a compromised event.
According to Sanjay Deo, president and founder of 24By7Security, a national online security and compliance advisory firm headquartered in Coral Springs, Florida, the cybersecurity threat landscape within meetings has drastically increased and become more complex as we’ve become more reliant on connected devices.
“Cybersecurity defense has had to evolve to keep up with the threats, which is driven by advances in technology on both sides,” Deo says. “Changes in cyberthreats means IT security experts have to change their strategies for any industry, including the events space. A threat isn’t about if it will happen, but it’s about when. When planning for a major conference, it takes the whole team to get involved, and adopt a safe and secure mindset. That’s a big shift we are seeing nowadays. Meeting planners need to adopt a cybersecurity culture as they plan events, again, because threats will eventually happen.”
Gabe Turner, attorney and director of content at SecurityBaron.com, a company that is dedicated to cybersecurity, says that since there have been a number of attacks on large-scale festivals and events, people are more hesitant to share personal information at large public events, according to the most recent Unisys Security Index.
“This has caused an increase in event security,” Turner says. “Venues have begun reaching out to learn about security from the Department of Homeland Security, as well as the Cybersecurity and Infrastructure Security Agency.” These organizations provide risk assessments, training and technical assistance to event spaces. Turner says there is also more concern regarding cybersecurity at large events, particularly because of the use of public Wi-Fi and credit card use.
“In the meeting industry, especially at shared workplaces or conference rooms, one concern is making sure that customer data is protected, even if they’re using the Wi-Fi of the shared space,” Turner says. In a large, shared office, like at WeWork, it’s easier for people to hack into accounts, which is why Turner recommends using VPNs to encrypt all web traffic and replace IP addresses.
While protecting information and data associated with meeting attendees is vital, another key reason meeting planners need to focus on cybersecurity is based purely on reputation. “With so much information being shared at meetings, if something goes awry, meeting planners risk damaging their own reputations, their companies’ and their clients and hotels that they work with,” Deo says. “So, if they have a weak and insecure website, for instance, anybody can change the content of the website and put disparaging remarks about the hotel, the venues and the customers that they are working with.”
Deo and his team also are seeing a rise in ransomware and malware in the service industry. Wherever there is money, there are hackers. “It’s important meeting planners make sure that their laptop, desktop and email are secure,” Deo says. “So, you may send financial instructions to transfer money or send money to others. And if the hackers are in their email inbox, they may change those instructions so that the money will go to somebody else and the meeting planner will never receive it. Planners have to be very careful and double check when they send financial instructions to customers.”
Avani Desai, president of Schellman & Company LLC, a global independent security and privacy compliance assessor, says “Most of the time you go to events, you can easily connect to the open Wi-Fi at the hotel or conference room.” However, meeting planners should know that open Wi-Fi can increase the risk of unwanted intruders sniffing data they don’t want them to see. So making sure that the networks are secure and each user needs a SSID name and a password specifically for the attendees, guests and speakers.
Recently, consumers, including meeting and event attendees, have become much more online savvy, and they understand the necessity of having appropriate online hygiene. In turn, the need to safeguard personal data is now at the forefront for meeting planners as well, especially since these administrators themselves are using more technology to run conferences.
“Ten years ago, we didn’t have connected projectors, real-time polls or social media frenzy — all of these new digital developments increase the exposure to people and more data, which in turn increases the allure and potential of large-scale meetings being compromised,” Desai says.
Techniques To Use
Erin Thompson, vice president of conference services at MetroConnections, says meeting planners often provide online registration to their attendees. As such, they are responsible for that data and, therefore, it needs to be cybersafe.
“Attendees are more aware of data breaches and are looking for confirmation that events they’re attending are cybersafe,” Thompson says. Major online registration software providers like Certain and Cvent have teams of people that focus on cybersafety and are constantly upgrading their products to protect data. Additionally, regulations like General Data Protection Regulation (GDPR) have been passed requiring online protections be in place.
And, remember, it isn’t about if you are going to be hacked, it is about when you are going to be hacked. Keep in mind, the entire purpose of meetings and events is to bring a diverse group together. As such, as Desai explains, you have attendees from different geographical areas, companies, and industries, each bringing their individual phones, laptops, etc., making the environment a hot bed for bad actors to steal data or compromise devices.
“I haven’t heard about a large-scale attack, but I have heard about several smaller ones that saw attendees or guests connect to the hotel or conference Wi-Fi only to have their data stolen,” Desai says.
Now that music and A/V equipment are connected to the internet, these systems can also be compromised — leading to a major disruption of an event. “Let’s say a hacker could either shut the audiovisual down or change the images on the TV screen to controversial images,” Deo says. “They may play different music that was not selected by the host or worse.”
According to Desai, when working a large-scale conference, there will be several vendors and partners working together. That means there will be several different types of devices and software being used. Meeting planners need to educate the teams about good cybersecurity practices, such as making sure everyone has up-to-date antivirus software, there are passcodes or locks on mobile devices, passwords are not shared or written down, etc. “All meetings also want to see some trending on social media. However, bad actors use social media to mine data,” Desai says. “So, make sure your teams know to be careful on what is posted, what is discussed publicly, redacting pictures of slides, etc. Keep in mind the more exposure the event gets, the riskier it gets from a cybersecurity perspective. Using social media to promote the event details can make you susceptible to hackers, who can make changes and then attendees might go to the wrong place at the wrong time.”
Because of this, Deo says meeting planners should make sure that they’re using very good antivirus software to protect the A/V equipment they are deploying across the venue or hotel. They need to make sure that all that equipment connected to Wi-Fi that they’re providing to the attendees has adequate security by way of firewalls and intrusion detection systems. Another technique is to make sure that there is a security-monitoring component added to all of this, not just for the A/V side. That way if there is a security compromise, security professionals can handle any breaches immediately.
For example, in 2012, Lynn University in Boca Raton, Florida, hosted the presidential debate. Deo and his company provided the security and firewalls for the event.
“Think about the security level involved — the monitors, the lights, the audiovisual equipment were all connected to the internet,” Deo says. “The teleprompter was connected to the internet. The building security, the air conditioning unit, the lighting of the venue also are connected to the internet. So all of these things could have easily been compromised.”
And when it comes to registration, Thompson says meeting planners need to choose online registration providers that are actively PCI Level 1 compliant and utilize GDPR compliant software. They should also have cybersecurity insurance to protect them should there be a problem. Data encryption, multifactor authentication and frequently changing passwords are just a few of the ways making it harder for someone to access attendee data for an event.
“Meeting planners also are gravitating toward making their own virtual private networks, or VPNs, for the meeting specifically,” Turner says. “This is a welcome alternative to public Wi-Fi networks, which can make devices susceptible to hacking.”
What’s more, meeting attendees also are gravitating toward using VPNs, as well as two or multi-factor authentication, to ensure that only authorized users are accessing accounts.
As Turner explains, two-factor authentication requires that the user enter a passcode sent to their mobile devices in order to access an account, while multi-factor authentication requires biometrics such as fingerprint or facial recognition.
“In order to keep company and customer data safe, these measures are essential in any meeting using digital data,” Turner says.
Mistakes To Avoid
If an event isn’t online secure, the data will be vulnerable. Of course, it’s possible that nothing might happen, but Thompson doesn’t think that any meeting planner would want to take that chance.
“Attendees count on us to be the experts and to protect their information,” Thompson says, “If data was breached it could bankrupt a business that didn’t have insurance.”
One of the most common mistakes that both planners and attendees make is not fully understanding how vulnerable their data can be. For example, as Thompson explains, attendees will commonly provide their full credit card numbers with expiration date, CSC number, etc. to meeting planners in the body of an email. Email is not a secure transmission method of data unless encrypted.
“When we receive these types of emails, we remove the credit card information and we advise those attendees that we received it, but that they should not send in this manner in the future as it is not secure,” Thompson says. “We never request to receive credit card information via email, rather we ask attendees to call us with the information or we provide a secure link to them.”
Another common mistake that meeting planners need to avoid includes cutting corners to keep the costs down by not provisioning for security around their own equipment and the equipment that they use at the venue or the hotel.
So how can meeting planners stay on top of the ever-changing cybersecurity environment? With frequent changes to data security and compliance policies, meeting planners should be taking time to educate themselves, read articles and partner with companies that are up to date and place a high priority on cybersafety.
“Meeting planners should be working with a trusted partner that understands the importance of cybersecurity and that uses software that is GDPR and PCI Level 1 compliant,” Thompson says. A company that is well versed in this area will be able to provide documentation of its security practices and understand the importance of protecting event data.
“They need to start planning for security. So, if they are hosting large events with celebrities and high-profile people or government officials, they need to make sure that everything that’s connected to the internet has been secured,” Deo says. “Plus, they need to also let the venue know to have a cybersecurity specialist available during the event just in case a problem occurs.”
Planners should also make sure that their clients are aware of the extra charges related to cybersecurity costs that may arise in the protection of the infrastructure. These days, many large hotels now have cybersecurity professionals on staff. Or, they can go to turn to cybersecurity consulting firms that can help with assessing cybersecurity risks and help put together a mitigation plan.
Desai says she cannot emphasize education and awareness enough — that goes for everyone, including meeting planners, vendors and speakers.
“It’s essential to set the expectation that cybersecurity is a must and that following security protocol is not negotiable,” Desai says. “Other useful avenues pertinent to events include utilizing a secure file sharing system on a secure network rather than sending files via text message or email.” Another key point is making sure that both attendees and planners understand what can or cannot be posted on social media, as that is the first place hackers go to mine data for social engineering. They identify a person, where they are, what they are speaking about and, through that data, will try to obtain unauthorized access to systems.
“Falling susceptible to the common assumption that while cybersecurity breaches may happen everywhere else, they won’t happen here — that mistake always inevitably leads to abandoning a focus on cybersecurity,” Desai says. “At every event, at every meeting, always be prepared for an attack and have an incident response plan in place, ready to execute. Not only that, but make sure that plan has been tested and that everyone involved knows their roles in making sure continuity and safety is the priority.”
Turner recommends meeting and event planners read reviews of the best VPNs and password managers and make a plan for how to educate the attendees on proper usage of both.
“I think meetings and event coordinators are becoming more concerned with cybersecurity in addition to physical security, as this field is becoming increasingly necessary in our digital landscape,” Turner says.
As far as what cybersecurity looks like in the future for meetings and events — experts agree that online incidents are only going to become more prevalent, and meeting planners have to be ahead of the curve.
“Working with cybersecurity specialists on identifying risks and how to mitigate them is going to be key, and that includes testing internal systems and controls through audits, and penetration testing,” Desai says. “Vulnerability assessments like these will help identify and remediate weaknesses mitigating just how much they can be exploited, if at all. It’s important to understand that a compromise to your system will happen, but it is how well you are prepared to react to the incident that will determine the extent of the cleanup.” C&IT