It can happen to anyone.
While in Orlando to give a speech on identity theft, security expert John Sileo took the opportunity to take his daughter to Walt Disney World Resort. The next day, he was informed by his bank that his credit card had been compromised. And it was no trivial purchase: Someone used it to buy $3,000 worth of online merchandise. Sileo’s theory is that a stranger used a cell phone to capture a picture of his card when he used it at the theme park.
This story, related by security expert Robert Siciliano of TheBestCompanys.com, is unusual only in that it happened to a security guru. Unfortunately, such incidents are all too common. And for meeting planners, taking steps to help prevent them becomes an imperative.
Obviously no one likes focusing on security when so many other details are crying for attention. But as we become more and more connected, it’s a necessary evil.
“Security issues, cyber security in particular, should be a high priority for event planners in today’s digitally connected world,” says Darren Guccione, CEO and co-founder of Chicago-based Keeper Security Inc. He says that a breach of security can not only create substantial financial repercussions but harm an event planner’s reputation. It also can lead to legal ramifications if negligence can be shown in securing the digital information held by employees or clients.
“While physical security in the form of security guards to check for attendee badges may be at the forefront of security concerns, meeting planners should also ensure that the digital information of clients and attendees is safe,” Guccione says.
Greg Mancusi-Ungaro, CMO of Toronto-based BrandProtect, says there is no such thing as a physical-only event.
“From parades to trade shows, conferences and sporting contests, today’s physical events have a large and dynamic online and social media presence,” he says. The enhanced visibility and reach of these events can make them attractive to threat actors who want to make a dramatic public statement, he notes, citing the example of an outsider who has an axe to grind with a company and who may choose a popular event to make his views known.
“Disruptive actions, including bomb scares, active-shooter threats, threats to executives and political leaders or even flash-mob protests, are often first voiced, organized or confirmed over social media,” Mancusi-Ungaro says.
Even if security isn’t your responsibility, nobody wants anything bad happening to anyone for any reason while under their watch or attending their event, according to Steve Weisman Esq., an expert on cyber security and identity theft and founder of the blog www.scamicide.com.
“In the end, if something is lost or stolen or someone gets hurt, it’s a no-win situation for the planner,” Weisman says.
For meeting planners, the most fundamental strategy may be providing basic security tips.
“Planners need to not only plan for their own security, but should also warn attendees of the need to take steps to protect their own security,” Siciliano says. He notes that conventions and meetings are frequent targets for identity thieves, and that both planners and individuals should be concerned about the security of the Wi-Fi at the hotel or other venue where their computers, laptops and smartphones will be used.
“Identity thieves will set up alternative Wi-Fi that planners or attendees will unwittingly use and open their devices to being hacked,” he says. “Much sensitive information can be stolen if the electronic devices used by the planners and attendees are not protected.”
The key is vigilance, says Sergio Galindo, general manager of Durham, North Carolina-based GFI Software.
“Advise attendees not to be tempted by the lure and convenience of free Wi-Fi when traveling and at conferences,” he says. “When connecting to a Wi-Fi network, they should be sure of the host’s legitimacy.” This includes looking for anything out of place, and avoiding hotspots called “free access” or “free Internet.” It’s important to check the spelling of hotspots before joining, he says, since cyber thieves trick users and spoof real hotspots by simply adding a symbol or adding or switching letters.
One step anyone can take in safeguarding information is to password-protect electronic devices. Experts recommend using strong, unique passwords that are at least eight characters in length and contain a combination of uppercase and lowercase letters, numbers and symbols. And a password manager can be a very beneficial safeguard because it helps to generate, store and manage passwords, documents and information in a secure, encrypted vault, according to Guccione.
Another basic move is ensuring that all devices are protected with the latest security software updates and encryption software. For best effect, users should be advised to make sure their wireless router has an encryption mechanism and that it is turned on, says Siciliano, who notes that new devices with encryption capabilities are often delivered with this feature turned off.
Conversely, the “identifier broadcaster” feature available on most wireless routers should be turned off. Otherwise, it will announce a traveler’s computer presence to other devices in the Wi-Fi area.
Siciliano adds that even if an identifier broadcaster is turned off, wireless routers come equipped with a standard default identifier for a particular computer. Since this default identifier is known by identity thieves and hackers, it should be changed by the user.
A Virtual Private Network (VPN) is another alternative.
“A VPN will encrypt your communications and route them to a server controlled by the VPN company,” Siciliano explains. “Then if someone is eavesdropping on you through a compromised Wi-Fi, all they will have access to is encrypted data, which is worthless to them.”
While theft of information via unsecured Wi-Fi is a major concern, the possible problems caused by lost or stolen hardware should not be overlooked, according to Weisman.
“Travelers should never leave hardware in a hotel room unless it is in a locked safe,” he says. “And they should never leave hardware sitting on a table when going to lunch or the restroom.”
Christopher Hawthorne, CPCU, CIC, vice president of Wakefield, Massachusetts-based TGA Cross Insurance Inc., touts the value of a wipe-clean mechanism so that if a device is lost, the data can be purged.
“This along with a GPS finder application can save a traveler with a lost technology device much stress,” he says. He also says it’s important for all devices to have an option for automatic shutdown mode. “This will prevent an unattended device from being accessed easily,” he says.
Care also should be taken with the use of public machines or hotel business centers. Galindo points out that closing down the browser after checking email or online banking is not enough.
“You must click ‘log out’ and never click boxes that offer to remember your information for next time,” he says. “Where possible, clear the history and cache. Remove as many obvious traces as you can.”
The same type of cautionary thinking applies to information that is not in electronic form.
“Business travelers need to be aware that they have their personal documents, such as I.D. cards, passports and credit cards on them at all times,” he says. “They should always be aware of their surroundings and who is nearby when using them.”
Any efforts to share such tips should be more than worth the trouble, according to Weisman.
“Certainly reminding attendees of their security responsibilities is a great first step,” he says. “This can be done in a handout or in the brochure with meeting registration.”
Even the best set of tips for individuals can only go so far. Considering the nature of potential problems when groups assemble, meeting planners would do well to take their own security initiatives.
Matti Kon, CEO at New York City-based InfoTech Solutions for Business, says, “Security is always important when a large group of users gather together, as hackers tend to prey on larger groups and look for vulnerabilities within the network.” As a first step for any meeting, he suggests assessing the nature of the information to be shared and discussed. If the information discussed in the meeting is common knowledge, with public data that anyone can access, moderate security measures may suffice. If, on the other hand, the information discussed is of a secret or confidential nature, it may be best to apply all security measures possible.
Taking things further, Kon advises performing a preventive security risk analysis. This might include, for example, identifying and evaluating who would benefit from interrupting the meeting and accessing the data. The task then would be to do as much preventative network security as possible. In some cases, retaining an IT consulting firm can be the best approach to ensure all network security measures are in place.
Kon says his IT firm is regularly asked by its clients to set up and secure their meetings.
“Several of our clients in the financial industry run daily morning meetings where the key decision-makers gather to review confidential data and make critical decisions for the day. Since we approach these meetings with preventative security maintenance, our clients have not been breached.”
Perhaps the most basic strategy is to secure free Wi-Fi offered to attendees.
“A simple step to ensure that meeting attendees feel secure is to password-protect your private Wi-Fi network and only issue the password to meeting attendees,” Guccione advises. He notes that restricting meeting attendance to people with badges limits hackers’ access to the meeting’s Wi-Fi.
Guccione adds that since meeting planners have access to sensitive data from clients such as credit card numbers, hotel information and contact information, it’s essential to take into consideration how it is shared and who has access.
“For this reason, meeting planners should have internal file-sharing capabilities that are secure,” he says.
“In the case of an employee being fired or leaving the company, the files need to be controlled by the stakeholders of the company so the employee cannot access them upon termination.”
In the field, planners should make sure that any computers being used for presentations are protected from hackers and identity thieves, according to Siciliano. In addition, any material sent through the Internet or brought on CDs or plug-ins should also be security screened.
“Also be careful when using faxes and copy machines at meetings if you are copying or sending documents with personal information,” he says. “Keep in mind that this information is stored on the machines and accessible by identity thieves.”
Even with the best of efforts, security may still be breached. What then?
“Be sure to have a plan in place beforehand,” Galindo says. “Never think ‘if’ but rather ‘when.’ Once a breach has occurred, that network should be isolated and shut down.”
The details of the breach should also be determined, he notes. Was it intentional? Was it disruptive or was something taken? Was it for attention or for gain? What were its origins?
To answer these questions, forensics and network monitoring tools would be employed.
Speed is of the essence once a breach is discovered, Kon adds.
“Immediately evaluate the situation and react as quickly as possible,” he says. “If you discover that there is a data leakage or data compromise through a specific URL you have been using, cut the access to it, even if it means that users will be temporarily restricted from accessing valid data.” This “cut your losses” approach will save other users from being compromised, he notes.
Also important is communicating with others about the problem.
“Be sure to let attendees know immediately that a malicious breach has occurred and warn them to take measures to protect their own devices,” Galindo says.
It’s also important to cooperate with security professionals.
“Planners should already have a working relationship in place with event security personnel, which generally means someone from the hotel,” Weisman says. “Knowing what the existing protocol might be in the event of theft would help to determine the next move.”
Depending on the nature and scope of the breach, detailed reporting may be necessary.
“Know your state laws on reporting and action requirements, as well as the state privacy laws for all those whose data has been compromised,” Hawthorne says.
He says that all business entities should have a WISP, a Written Information Security Plan (or protocol) as dictated by some state laws. (See page 63.) This serves not only as a prevention plan but also as an emergency response plan in the case of a data breach.
“Having a WISP and following it is critical to reducing the size of the loss,” Hawthorne says. “Also if travelers maintain a cyber liability/data privacy insurance policy, notify the carrier immediately. The fines and penalties for not reporting promptly can be larger than the actual loss experienced.”
Even when things go wrong, it’s not just a truism that good planning pays.
“The best problems are the ones that never occur because people have taken the proper precautions,” Siciliano says. “However, damage control is always important because people will not always be able to protect themselves from identity theft.” He stresses that determining what information had been compromised, changing passwords, alerting businesses and people with whom you do business of the data breach and possibly putting a credit freeze on your credit reports are all steps that should be considered.