While the main threat to attendee safety since spring 2020 has been COVID-19, there is another safety concern that should not take a back seat as in-person meetings begin to make a comeback. Indeed, the threat applies to virtual meetings as well. As long as the event involves valuable electronic data — whether on organizers’ devices or attendees’ — it is a potential target of cybercriminals.
Of course, this sort of crime is nothing new in the meetings industry, and planners have made some progress in how they help to stave off such attacks. At the same time, there is room for improvement, the main reason being that certain new forms of cybercrime are not being dealt with suitably. “When it comes to cybersecurity and privacy at meetings and conferences, to paraphrase Charles Dickens, ‘It is the best of times, but it is also the worst of times,’” observes Rebecca Herold, CDPSE, FIP, CISSP, CIPP/US, CIPT, CIPM, CISM, CISA, FLMI, Ponemon Institute Fellow, and CEO, The Privacy Professor. “Longtime cybersecurity risks are generally being addressed more adequately, but meeting organizers are still typically far behind in implementing protections for new types of threats, and rarely address new vulnerabilities.”
John Sileo, CEO of the Sileo Group, also sees improvement, together with a need to step up the responsiveness to new cyberthreats. Planners and host organizations “have definitely woken up and started to take the steps, and some high-profile breaches have forced that,” he says. “That said, the actual incidence of successful attack in the events and meetings world has gone up significantly, in spite of best efforts and new tools out there. It’s due to new methods of attack and what we call ‘known vulnerabilities.’”
Among the relatively new attacks are those based on internet connected devices and ransomware, respectively. Herold advises that “the use of [internet connected] devices to surreptitiously record those in the vicinity has happened many times. Back in 2017, a Las Vegas casino smart fish aquarium was used by hackers to gain access into the casino network, and then exfiltrate a large amount of casino data, including a large amount of personal data,” Herold says. He continues, at meetings, “the use of [internet connected] devices presents a significant risk, when these types of risks are not defended against. Meeting organizers need to make sure they communicate to vendors with booths at the events, along with speakers and attendees, what is and is not allowed with regard to implementing [internet connected] devices within the event networks, systems and overall digital ecosystem.”
The goal of a ransomware attack is not merely to steal data, but to hold it hostage and until a ransom is paid. “No meeting planner wants to have someone plant ransomware within the conference network, and hold all their attendees’ computers and data hostage, do they? That would be a true catastrophe, from which a meeting planner may never recover — financially or business-wise,” Herold says. The successful attack begins with someone on the planning team clicking on a link — typically sent through phishing — and downloading a type of malware that freezes the person’s computer, ultimately spreading to other computers in the system. The organization must then pay a ransom to decrypt the information the malware has encrypted. “If you pay the ransom, you have roughly a 50/50 chance of ever getting that data back,” Sileo says. “The cybercriminal knows how important it is for an event manager to get their event back up and running. When the event is coming up, the planner is not thinking rationally about ‘Do we pay this? Do we cancel the event?’ They don’t know what to do. That’s why it’s a perfect target for ransomware.”
Thus, it pays to think rationally about preventing ransomware attacks and other types of cybercrime, so that the host association and planner don’t end up in such desperate situations. One of the organization’s main responsibilities is to have the systems in place to safeguard the data they collect from attendees. “There are always new threats, and thankfully, the precautions the Drug Information Association [DIA] has in place have prevented access to our network, data and member/attendee information,” says Heather Seasholtz, CMP, DES, director, Americas operations for the DIA. “As a global organization, we are very proactive in securing our systems and take it very seriously.”
Attendee registration lists are among the member data that must be protected, although that is sometimes overlooked. Sileo explains, “We think of protecting financial data, but we don’t necessarily think of protecting ‘John Sileo is attending the NSA conference next week in Las Vegas.’ So that information gets hacked or scraped, and the cybercriminal can write directly to the attendee and say, ‘Hey, I know you’re going to this event’ and, boom, they have your trust because they have a little information about you.” Overall, it’s a good protocol to collect as little attendee data as possible. “It’s a great first strategy that rarely gets talked about: You collect only what you absolutely need, and even more importantly, you keep only what you absolutely have to keep,” Sileo adds. “So, if you don’t need to keep that credit card number or bank information or demographic data, don’t keep it. Clear it out of the system after a reasonable amount of time.”
In addition to these organizational protocols, the planner is responsible for taking steps to mitigate the risk of cybercrime. He or she should “ensure the hosting venue and the attendees are practicing good security for the areas where the meeting host does not have the capability to provide such security,” Herold says. Communicating cybersecurity best practices to attendees is especially important at association meetings, where participants are not employees of the host organization and guided by corporate data security policies.
“For all meetings, we send a ‘Know Before You Go,’ which includes a link to our online cybersecurity statement,” Seasholtz says. “For in-person meetings, we specifically state what Wi-Fi network attendees should use at the meeting. We include information in our meeting app, signage in the facility, along with transition slides, which display on the screen prior to sessions. For our virtual meetings, we include specific instructions for types of browsers to use, how to optimize the experience, and we communicate the steps we are taking to ensure the meeting is secure.”
Sileo recommends putting together a short video explaining how to have a secure online transaction and alerting participants about what to watch out for. “A 90-second video that is a little humorous and engaging can talk about and show ‘Here’s the type of phishing campaigns that go on, here’s the type of phone call you might get pretending to be the event organizer,’ etc.” In addition, he suggests that the master of ceremonies remind attendees to use secure Wi-Fi, to turn on their personal virtual private network (VPN), to not leave their computer under the chair when going to get a coffee, etc. Whether a video or an announcement, these means of communicating cybersafety tips tend to be more impactful than a written message attendees may or may not read.
Phishing campaigns are increasingly targeting events recently because of the amount of online communication tied to events. Attendees register online, pay online, select sessions online, etc. “The communication electronically has skyrocketed, and that leaves openings for these fraudsters to say, ‘Hey, you’ve got this meeting coming up, click here,’” Sileo says. “And the word ‘click’ is where the risk starts, because they’re downloading malware [ransomware in most cases], and secondly, they’re giving their credentials either for the meeting, for their company, and sometimes for their credit card or bank.” The “bait” to click may be something related to the attendee’s interests — which the cybercriminal may learn about through the attendee’s social media — or news/instructions related to vaccination, which can draw the attention of soon-to-be eventgoers. Attendees should be made aware of these specific tactics.
For in-person events, protecting computers from physical theft is also vital. “It goes beyond just their laptops and tablets,” Herold says. “Meeting attendees now have fitness trackers, smart watches, security cameras they use when traveling, and many other types of computing devices. These are often left within their hotel rooms when attendees go to the meetings. Meeting planners need to ensure the hotel accommodations, for the hotel they are meeting in, or at the hotel they are using for their attendees, have safes large enough to keep computing devices within when the meeting attendees are out of their room. Hotel staff should not have access to get into those safes, except for the person responsible for such access. This will maintain accountability for determining inappropriate access into room safes.”
Meeting rooms are an even bigger target for this sort of crime, since they are usually lacking in surveillance. “As someone who has given hundreds of talks at these types of events over the years, I can attest to the fact that the security in those types of rooms is usually nonexistent — even at security conferences.” Herold says. “The same goes for the rooms where sessions, or even full-day or more classes are held. Those usually have breaks during the session or class, and attendees still love to leave their computers at their space on the tables when they leave the rooms. Usually, the computers are left turned on, and even connected into their business networks, their online financial or other critical services businesses. It only takes a few seconds to snatch a computer from a room, taking along with the physical device all the data and other files within the device, and also the access to all the sites and systems to which the computer can access.”
Attendees should also be advised that data can be stolen from their computers simply by recording from the screens. “Conferences in particular are highly susceptible to having data taken surreptitiously by others in attendance, or in the same venue facility, through video and audio recordings and photos,” Herold says. “This is especially true when people do not protect their computer screens, and when they discuss confidential topics in lobbies and other areas where those in the vicinity may hear, see and record them.” Apart from warning attendees of this practice, Herold suggests posting personnel in strategic locations to keep an eye out for this kind of theft, “especially for meetings and conferences where confidential information is discussed.”
Yet another means of stealing data is the use of USB skimmers to extract data from a device plugged into a USB charging port. “These are similar to credit card skimmers, only they are much harder to notice,” Herold says. “I recommend to always use a type of ‘juice jacker’ device whenever you need to charge a device somewhere other than within your home, where you know your USB charging ports do not have skimmers within them.”
A planner’s due diligence when it comes to cybersecurity also includes confirming the venue’s preparedness. “Conversations about Wi-Fi, network security and the venue’s monitoring of activity happen long before the on-site pre-con,” Seasholtz says. “Some of the questions planners should ask include: Do the public internet network facilities have a password or a verification process? Is the venue’s public Wi-Fi password protected and does it make use of the latest security protocols? What are the differences with the network in the sleeping rooms versus the meeting space?”
Arguably, a venue should go further than answering questions about its cybersecurity measures; it should also accept liability and provide documentation for the security of its networks. “The hosting facility may very well assume that the meeting host is taking care of all security; they may even have this in their contract. I would advise against using such hosting venues who try and contractually remove themselves from liability and responsibility from implementing security safeguards within their venue,” Herold says. She adds, “Meeting planners need to ask the venues where they are holding the physical meetings for validation that the systems, networks and computers being used are verifiably secured. This can be accomplished by requiring results of recently completed risk assessments, security audits or similar types of reports. [The planner can also ask] the executive at the venue to sign an attestation for the security of the networks and systems, and, ideally, be accountable for harms caused by any security failures that were preventable by the venue.”
In particular, the venue should provide secure Wi-Fi hotspots with encrypted connections, not just free ones. “I have seen clients who purchase external Wi-Fi hotspots instead of using an insecure hotel network,” Sileo says.
Password strength is also critical. “Most event organizers still give one password for all conference/meeting attendees to use to authenticate to the Wi-Fi,” Herold says. “And it is usually a really horrible password. I still see many that use ‘password’ as the password. Instead, they need to set up each person to use their own ID with a password that is not shared with others.” Relatedly, she adds that “The administrators for the Wi-Fi network need to be more careful. Too many leave their laptops that control the Wi-Fi in areas where the laptop is left open when they get up to get some snacks, have lunch, talk to others, etc. I’ve seen many situations where it would have been quite simple to take down the entire Wi-Fi network at a conference/meeting because the admin laptop/PC was sitting unattended, with no one even trying to protect it.”
Network security also depends on implementing strong firewalls, as well as intrusion-detection systems and anti-malware protection. “And, very importantly, [planners] must ensure they do not have any open access points into the network,” Herold says. “This happens when computing devices, such as attendees’ laptops and tablets, connect and then are also connected to the internet, and the Wi-Fi network has not been configured to block those types of connections, which could lead to network ingress of malicious parties, and exfiltration of data from those who are attached to the network. Network tools are available to identify and block a large number of such risks and remove them.”
NextGen Cisco Firewall is a tool that the DIA has found effective, Seasholtz says, along with CrowdStrike Falcon AI-based endpoint protection for all servers and user devices. “While we have the infrastructure in place to ensure we are as protected as possible externally, we also believe vulnerability comes from within,” she says. “Since bad actors target each of us every day with phishing attacks and hidden malware, our IT team has implemented the Knowbe4 Security Awareness and training system. This system tests our internal users with simulated phishing emails and provides training to help our team identify malicious emails. It also allows DIA to create special training campaigns to educate the team about specific vulnerabilities and provide reports to let IT know how the team is doing and what additional training may be necessary.”
For virtual conventions, DIA uses its website and Association Management System (AMS) as the gateway for attendees to access the meeting. “This allows DIA to add an extra level of authentication and control access to the virtual platform,” Seasholtz says. “This also allows us to control any write-back from the virtual platform to our systems. Our IT team works with our vendor partners to ensure no information is coming back into our system that would impact our systems or security. We are also very aware of file sharing to ensure we are receiving safe files that don’t infect our systems, nor do we want to send bad files to our attendees.”
But prior to researching tech tools and systems to stave off cybercrime, an understanding of the current modes of attack on the part of planners and attendees is essential. That knowledge guides the choice of tools and safety precautions. “The most effective way to prevent cybercrimes is through knowledge and raised awareness of the cybercrime tactics used,” Herold says, “and then applying the appropriate actions, tech tools and physical protections to thwart the cybercriminals’ actions.” And the learning processing is ongoing, as cybercriminals evolve their tactics. “New threats are always on the horizon, and vendors must have strategy for staying ahead of the bad actors,” Seasholtz says. “Technology is constantly advancing, and with that, planners need to stay ahead of possible risks with utilizing new platforms, apps and tools for attendees.” | AC&F |