Is the meetings industry setting itself up for a catastrophic cyber incident in the near future? Are planners putting themselves at personal risk if their attendees’ information is hacked and data collected and used for meetings is breached?
The hacking of Equifax, reported in September 2017, may be proof that any company and any individual can fall prey to cyberattackers these days, and that hackers are often an elite group of competent international criminals who are out to collect and use data for immense personal gain.
Data breaches may be about personal information gathering, or they may be about corporate espionage or ransom. A breach can be an aim to disrupt if the group itself or someone speaking at the conference is controversial, and that may be particularly true if the meeting involves government or military employees. A breach may be hackers just trying to see what they can get because they know a venue isn’t very secure.
The fact is, when you put a lot of people together in one place, all using their mobile devices and laptops, and all registered using personal data and/or accessing sensitive data for the meeting, it’s a scenario ripe for cyber infiltration.
Sean Donahoo, CEO of Disruptive Solutions, which provides cybersecurity solutions in the meetings industry, says there are multiple possibilities. Registration kiosks and websites can be hacked in order to steal personal information. Hackers can “impersonate” or shut down conference Wi-Fi or disrupt audio-visual equipment. Cyber-savvy criminals can also set up cellphone intercept equipment, another way to gain access to personal information. And if embarrassing or disrupting a conference or corporation is the goal, criminals can do such things as exploiting a conference app and sending fake updates or other messages. All of these things, Donahoo says, have negative potential, from embarrassment, to harming reputations, to loss of sensitive data to causing major financial damage to companies or individuals.
And then there’s the venue. Paige Schaffer, president and COO, Identity and Digital Protection Services Global Unit, at Generali Global Assistance, says, “Identity theft and fraud risks run rampant at both convention centers and hotels, as well as unfortunately in most locations throughout the world. Hotels may pose slightly more significant risks only because they are not usually reserved exclusively for a given conference. In other words, many other people may be in the hotel outside of an event, which makes it a bit more difficult to ensure that only registered attendees enter a conference area.”
Additionally, she says, “most hotels have free, open Wi-Fi running in their lobby area 24/7, which opens up channels of attack for cybercriminals. Convention centers may be more limited in their Wi-Fi access requirements. Again, however, both hotels and convention centers pose cyberthreats, so organizers and attendees should ultimately not take any differences into account. Cyberattacks can occur, and identities can be stolen, anytime and anywhere.”
Schaffer notes that phishing of one kind or another is still the major cyberthreat at conferences and in many aspects of life in general. “In 2016, for example, more than 55 percent of the more than 1,000 data breaches reported in the U.S. were caused by spearphishing, according to the Identity Theft Resource Center. Spearphishing occurs when cybercriminals target employees who have access to sensitive data by sending them bogus emails that appear to come from a trusted source and that request confidential information. Spearphishing emails may also include links or attachments that lead to malicious websites, or that install malware on an organization’s network,” she says.
Schaffer points out that cybercriminals often specifically target large events with their phishing campaigns because they can so easily obtain an attendee list, including contact information, which is all they require to get started. “Phishing emails are increasingly difficult to detect as criminals become ever more savvy, and any conference attendee that is duped by them may unknowingly hand over their sensitive data, whether that be personally identifiable information (PII), credit card information, corporate information from the organization for which they work, etc.”
While phishing may be the most common cybercrime tactic aimed at conferences and their attendees, Schaffer says it’s by no means the only threat. “Attackers can hack the physical scanners that are used to collect PII from attendees, set up bogus event websites that ask visitors to enter their sensitive information and can even hack legitimate conference websites, also for the purposes of collecting PII.”
Then there’s the non-digital arena, “low-tech” identity theft, which is also rampant at conferences.
“Because the majority of attendees at a large event travel from out of town,” Schaffer notes, “they’re likely to carry sensitive documents and other materials with them, especially at business-oriented conferences, and therefore pickpockets and muggers often loiter near event venues. Attendees need to remain vigilant against these threats, but event organizers must also play their part by providing educational resources about all identity theft risks and best practices to protect against them.”
In addition to all that, Schaffer says vendors at conferences also can pose a threat. “Vendors often collect payment information or other types of PII, and if they do not properly handle this data it can pose serious problems. To effectively combat this risk, conference organizers should ensure that any vendors collecting payment information onsite are fully compliant with the Payment Card Industry Data Security Standard (PCI DSS).”
Event organizers, Schaffer says, should research how effectively vendors protect their own customers. “Questions to be asked include, do they have adequate firewall protection in place? And, do they encrypt sensitive customer data? If a vendor does not engage in these practices normally, then they almost assuredly would not do so at an event.”
But even that is not enough. Schaffer says conference organizers should investigate whether a given vendor has suffered a data breach or been the victim of a cyberattack in the past. “Countless organizations experience breaches in today’s day and age, and in and of itself this is not necessarily a cause for major concern. Critically important, however, is a vendor’s response to a past breach. If an organization has experienced a breach and done little or nothing to rectify damages, reimburse constituents or update their security systems, that vendor should not be allowed to participate in a given event.”
One staple of conferences these days, online registration, is another potential risk, though Donahoo says there are many variables that affect the different parties involved with a registration website.
“Users,” Donahoo says, “should verify that they’re on the correct site before entering any information and should make sure there’s a secure connection before using the site. To do that, they should look for ‘https’ in front of the address and check for an indication on the browser bar that the site is secure, usually a lock icon with the word ‘secure.’ ”
Planners, for their part, have to vet registration providers. “Planners should take the time to ask about their registration provider’s security practices, specifically how data is stored, retained and transferred,” Donahoo says. “They should ask how the provider conducted website and web app security testing and penetration testing. They should consider bringing in a security consultant to review the provider’s responses.”
Registration providers must also do their part, “by ensuring that website and applications are secure, by developing products with security in mind from the beginning and by conducting security testing and evaluation,” Donahoo adds.
Schaffer also points to the possibility of fake websites. “Online event registration can certainly pose risks, for two main reasons,” she says. “First, cybercriminals may set up a fake registration site, and given their growing sophistication, these can be quite convincing as legitimate pages. Anyone who is duped into entering their data, likely including payment information, would be providing that information directly to the criminals.”
But even fully legitimate registration sites may pose an issue, Schaffer notes, “as nefarious parties may be able to simply hack these pages to steal registrants’ PII. It’s difficult to say that online registration is always safe or always dangerous, as the truth of course lies somewhere in the middle. However, it is quite evident that entering personal information almost anywhere online can pose a threat, and this is certainly not limited to event registration sites.”
There’s no question that technology is getting more sophisticated and infiltrating deeper into contemporary life. At conferences, the use of technology has increased dramatically over the past few years — not just in terms of online registration and payment, which are now the norm, but in terms of conferences using mobile apps, digital badges, interactive education sessions dependent on mobile devices and ever-increasing bandwidth at venues so that more and more attendees can be online at the same time, to name but a few possible problem areas.
“Identity theft and fraud risks naturally increase in line with the number of users connected to a given Wi-Fi network,” Schaffer says. “Especially with open, public Wi-Fi, which is extremely common at large events, savvy criminals can utilize the connection to easily steal sensitive information contained on other connected devices. Additionally, it’s common for malicious parties to set up fake, open Wi-Fi networks at events that appear legitimate, similar to their strategy of establishing phony registration websites. Of course, any unsuspecting attendee connecting to one of these networks would essentially be opening a direct line between their data and the fraudsters.”
Because of these increasing risks, Schaffer says it’s critical to avoid connecting to open Wi-Fi networks whenever possible. “While even secure networks that require login credentials to connect are not immune from cyberthreats, they are far less likely to result in data theft than open, unsecured networks.”
Donahoo points out that this risk isn’t new. “We’re already there and we’ve been there for awhile,” he says. “Most of the technology used at a typical conference has been exploitable for years. Add in potentially poor cybersecurity practices and it’s just a matter of time until conferences become another routine target. Conferences have the potential to bring all of the top industry professionals to one location. That’s going to peak someone’s interest.
“It has to be about changing the mindset of both the planner and the attendee. Planners can start baking cybersecurity into their budget and plan. Attendees should not let their guard down just because they aren’t in the office.”
And what of conference apps and scannable badges? The first is a bit more complex.
“Like any other app, if it’s not secure it can be exploited,” Donahoo says. “At a minimum, the app should not be storing or transmitting sensitive data in the clear. To mitigate potential problems, planners should ask the same security questions they used regarding their registration website. And again, planners should consider bringing in a security consultant to review the app and security documentation. Moreover, since many conference apps are ‘re-skinned,’ meaning the same app with a customized event look, if an app is not secure it can affect more than one event.”
Scannable badges, Donahoo says, should not contain any information you would not want a stranger to have. “Ideally, the only info would be your registration number and the scanner/system marries that up with the personal info. Keep in mind that badges get lost and that people wear them around their hotel or resort and the conference venue.”
With so many vulnerabilities and so much at stake, what should planners be doing to prevent attacks?
“First,” Schaffer says, “event planners should designate specific personnel as ‘trusted event employees,’ who are solely responsible for handling attendee PII. Identity theft risks decrease in line with a lower number of total individuals who come into contact with sensitive information. Additionally, as noted previously, establishing secure Wi-Fi networks is critical. Event staff should have their own separate network as they will have the greatest access to attendee PII. Limiting that information to one network significantly decreases the risk of identity fraud. As cybercriminals often set up phony event networks, conference organizers must make it sufficiently clear which networks are legitimate so that attendees can better avoid connecting to the wrong ones.”
Schaffer points out that there are a number of secure data handling processes that planners can implement to better protect personal information, and they include both high- and low-tech solutions. “Encrypting emails that contain sensitive information is one effective, preventative measure as is utilizing technology that allows for the remote wiping of data contained on lost or stolen devices. Low-tech considerations are also important, such as keeping sensitive documents in securely locked areas and thoroughly vetting staff members who will handle PII. Additionally, it’s critical that organizers validate their employees’ event IDs or badges.”
Donahoo strongly advises planners to make cybersecurity part of the planning process. “The earlier the better,” he says. “Planners won’t think twice about hiring consultants for everything from swag to tablecloths, but cybersecurity is rarely in the plan.”
He also discourages planners from relying solely on their IT, network or internet providers/consultants to cover security. “If you think they have it covered, you’re probably wrong. Their job is to handle bandwidth and connectivity. Adding items to their Statement of Work (SOW) such as encryption and daily, rolling passwords is a good start. But,” he notes, “cybersecurity consultants can go beyond that to such preventive measures as conducting active threat monitoring throughout the event.”
Donahoo says planners should make use of the right tools and practices together. “Use a VPN (virtual private network). I strongly recommend IDVector (www.idvector.net). Utilize encryption, full disk and email. Use only strong, unique passwords. Remember that free Wi-Fi isn’t free. And use smart browsing and email habits, meaning don’t be ‘click happy.’ “
Making cybersecurity part of meeting planning is no longer an option. It’s a must. As Donahoo notes, “It’s only a matter of time until potential data thieves realize that most of the event industry is an easy target.”
For that reason and others, once planners have put the right security measures into place, Schaffer says they should not be afraid to promote that.
“This actually serves as an educational method as it informs event attendees about security best practices, which should influence them to take the requisite steps to ensure that their own data is protected. This type of transparency will also showcase that organizers are committed to keeping their customers’ information secure, instilling trust in the organization.”
It also may send a message to would-be cyberattackers that this group is not, in fact, an easy target.
Despite all of the identity theft and fraud risks that come with the territory of large events, Schaffer says the events must go on. “It’s critical that event organizers, conference attendees and anyone in any profession or situation is aware of the cyber risks that exist today, and that they take the right preventative measures to protect their information. We must all remain vigilant as threats continue to increase in severity,” she says.
“However, at the same time we must all go on with our lives. We cannot let the fraudsters beat us through fear and intimidation. Countless events take place without any cybersecurity or identity theft issues.” C&IT