Cybercriminals come in all shapes and sizes — and from any number of demographic backgrounds. But what they’re looking for is simple: They want access to personal information and data they can use to extort payment, infect computers with malware and other fraudulent purposes, such as identity theft and financial gain.
And, within the meeting and events arena, cybercriminals can easily take advantage of an unprotected network where there are multiple users connected to the same network. Open Wi-Fi networks, such as those found at a meeting or convention, allow cybercriminals to easily distribute malicious software to everyone connected in the blink of an eye.
According to Paul Lipman, CEO of the consumer cybersecurity company BullGuard in Redwood Shores, California, many conferences do not require passwords on conference Wi-Fi, which leaves anyone who connects open to hacks. “Additionally, even if a password is used, many times the password is easy to guess or is shared via paper or in a brochure with attendees,” Lipman says. “Any person at the conference — even if they are not an attendee and are just in the lobby or close enough to pick up a Wi-Fi signal — can easily ask an attendee to give them the password, and many attendees would offer it to be friendly.” They could, in fact, be giving a fraudster or hacker easy access to the network and leaving anyone who is accessing the Wi-Fi open to having their data and other personal information at risk for a potential hack or breach.
Unfortunately, the security technology within the meetings and events industry hasn’t changed much in recent years, and it certainly has a long way to go. Andrew Tyler, senior consulting engineer at Kelser Corporation in Glastonbury, Connecticut, was recently at a conference — a cybersecurity conference of all things — and the conference organizers provided an unsecure, general access wireless network.
“There was no preregistration for this network and the password was distributed freely to attendees. Most attendees wound up using the hotspots on their phones,” Tyler says. “More events need to implement Wi-Fi registration and access tracking to help secure wireless network users.”
“For many years, security technology was tied to a firewall. And the firewall handled all security issues.” Douglas C. Williams
Indeed, meetings and events planners and the software they utilize continue to be adversely impacted by security and safety threats. As Douglas C. Williams, president and CEO of Los Angeles-based Williams Data Management, explains, cybersecurity is always top of mind considering the very nature of the meeting business and the fact that so many attendees are connecting to unsecured event Wi-Fi networks. “For many years, security technology was tied to a firewall. And the firewall handled all security issues,” Williams says. “Since then, cybersecurity threats have grown exponentially, so that the firewall design can no longer handle security threats alone. New technology is being developed to handle those parts of security that easily bypass the firewall.”
Cybersecurity used to be viewed as an ‘IT problem’ but, as the threats have changed, meeting planners need to evolve into a multidisciplinary cybersecurity management team. The good news is that meeting and event attendees recognize the amount of data and information that can be gleaned from any size event and are eager to embrace cybersecurity measures.
Likewise, meeting planners are increasingly becoming aware that if a crime is committed using a specific internet access network, then the person or organization offering the service could be liable. “As a result, meeting planners are looking to solve liability issues stemming from providing unsecured or unmanaged wireless networking services that could well be used for illegal purposes,” Tyler says.
One of the best approaches to convince clients and other decision makers that funding directed at cybersecurity is essential is by developing and following a ‘best practices’ cybersecurity framework. Secured and regulated access, as opposed to open guest access, is a huge trend in network security, and conferences and events are a perfect example of a setting where this is a must. “There are a number of systems that make it easy for individual attendees to have their own login credentials for the network. If this isn’t the case, the conference Wi-Fi and anyone using it is vulnerable,” Tyler says.
In addition, Dave Warnick, COO at CMIT Solutions of Upper Cheseapeake — Columbia in Bel Air, Maryland, says there is a big trend in the meetings environment in the ability to have secure wireless communication and have it with adequate bandwidth for everyone demanding it. What’s more, meeting planners are worried about their participants and concerned about their own technology, particularly if accepting credit cards during the event.
“This requires PCI compliance, meaning a minimum security stance needs to be maintained,” Warnick says. “Today’s demonstrations are more connected and cloud-based than ever before. Vendors want to have the ability to demo their web-based products and pull up promotional materials at kiosks or show videos. They expect the event sponsors to provide a reasonably secure internet connection.”
One key step to take in securing the digital environment is for planners to ensure there is a WPA2 password on the Wi-Fi used at a conference. Lipman says meeting planners should also recommend attendees use a Virtual Private Network (VPN) solution as another layer of protection.
“VPNs enable consumers to safeguard their online privacy — flying under the radar and surfing the internet in stealth mode while retaining complete anonymity via military-grade encryption,” Lipman says. “VPN works by hiding a consumer’s origin IP address, preventing others — including ISPs and government organizations — from monitoring their online browsing activity, which websites they visit, what they download, or which services and applications they use.”
Attendees should always ask for the official convention Wi-Fi login details and the regularly changing password, and not assume the first ‘public Wi-Fi’ to pop up in their search is the correct one to use.
“To keep themselves even more protected, attendees could be encouraged to use their own personal VPN on their laptops, tablets and phones to protect themselves from potential cyber attacks,” Lipman says. “It’s actually really simple for hackers to set up a fake malicious network and pretend to be ‘Free SFO Airport Wi-Fi network’ or ‘Starbucks Wi-Fi.’ A personal VPN allows conference attendees to avoid putting themselves at risk while connecting to an unknown network.”
And, in the event that an event planner suspects some sort of breach may have happened, attendees should be notified so they can run anti-virus and other software to ensure their laptops, tablets and mobile phones have not been hacked.
Lipman says they should also take measures to change their passwords across their email, financial and social media accounts — and that their passwords are extremely difficult with a variety of letters, numbers and special characters. They should also keep a close watch on their financial accounts and credit, and consider putting a block on credit requests or inbound requests for credit.
At a recent security conference Tyler attended, it appeared that the wireless access network was set up and left to run. It did not appear to be actively managed, which is what Tyler would recommend. “Any public access internet service should be monitored and managed for malicious activity or inappropriate browsing,” Tyler says. “There are tools that can assist with this so that it is not a major drain on the event staff’s time.”
In fact, rather than assuming your event hasn’t attracted the attention of cybercriminals, assume that it has. “Don’t provide an open, unmanaged network,” Tyler says. Regulate who can log on, manage the environment, make it clear to attendees the service has no guarantee of privacy, and that it should be treated as a hostile environment for all users.
One of the common mistakes Warnick sees meeting planners make is not ensuring there is adequate security around critical technology, such as credit card processing capabilities. Planners should make facility operators accountable to provide adequate secure connections for planners, vendors and participants alike.
“Planners should also require the facility to provide separate Wi-Fi SSIDs for the event planners, vendors and participants,” Warnick says. “This allows some segregation of data types and can allow you to at least limit access to certain types of data to a lower number of people.”
Robert Siciliano, security awareness expert and CEO of Safr.Me, says there is still a significant lack of security awareness training amongst associations, meeting planners and attendees. “For example, many are still using the same password across multiple accounts. This allows criminals to gain access to email and various databases which, in turn, facilitates various frauds and schemes,” Siciliano says. “When being approached by various vendors with different solutions designed to solve a problem, meeting planners should check in with other industry partners to determine if the various vendors and their solutions have provided value for the investment.”
George Baldonado, president and CEO of Oasis Technology in Camarillo, California, says the most prevalent mistake he sees meeting planners make is looking to old technology to solve the new challenges. “The solution no longer resides with a single department, device or simple plan,” Baldonado says. “IT professionals and meeting planners often do not want to adopt new approaches, devices, procedures or mindsets.”
Baldonado suggests the solution to this entire problem is a company and group effort that requires the buy-in cooperation of the entire enterprise.
“A layered approach is the most effective. The approach needs to combine several devices, plans, training and vendor cooperation to solve the problem,” Baldonado says. “The problem will continue to grow, and everyone must continue to evolve with the problem.”
So, as the cybersecurity issue continues to take center stage, meeting planners are looking to get their arms around how big the problem really is and how much impact it has on their job, the company, their clients, financial risks, their own future and the future of cybersecurity. And, once a meeting professional has policies and procedures in place, they need to train, test and drill partners, and others, on those policies and procedures to instill confidence in the meeting planners and in the systems themselves.
Of course, partnering with cybersecurity professionals is paramount to ensure the safety and security of an event. When evaluating partners, keep in mind that cybersecurity professionals need to have a broad range of skills beyond IT, including business process, vendor management, physical security, threat awareness and business continuity management, not just disaster recovery. As such, recruitment strategies should include security organizations, such as the International Association of Privacy Professionals. For privacy in particular, meeting planners should also look at professional associations because that’s where they will find qualified people who have the ability and expertise to hit the ground running.
Significant strides are continually made to improve cybersecurity technology to meet the changing needs of the meetings and events environment. Just as would-be thieves become more adept at their efforts, so too do the cybersecurity systems used to stop them. It pays for meeting professionals to do their homework and learn about the technological options available for their specific situation.
So what does the future look like for the cybersecurity of meetings and events? Rafael Moscatel, managing director at Compliance and Privacy Partners in Los Angeles, says securing private data is turning out to be one of the top concerns for planners in 2020, especially in light of the EU’s adoption of General Data Protection Regulation (GDPR), as well as stateside laws like the California Consumer Privacy Act (CCPA). “These new regulations have tightened the access rules around gathering information and the use of attendee data for marketing and promotional purposes,” Moscatel says. “There are very real penalties for misuse of this data, and we should expect stricter regulations to follow.”
As a result, it won’t be long before open versions of internet access services will be found to be of little value to the educated public. Tyler thinks that, in the meetings and events industry, it will soon become the norm for users to be required to register for Wi-Fi at events and give specific device details to gain access.
In addition, new tools using augmented reality (AR) and artificial intelligence (AI) are already finding their way into meeting and events, and helping engage attendees and enhance overall event security. “The best advice is for meeting planners to share what has worked for them and others that are engaged in this cybersecurity battle,” Moscatel says.
Tyler says, “Users will have to acknowledge that access is at no charge, use it at your own risk, and that the environment is managed and monitored. These steps will make it easier to catch cybercriminals who will be prosecuted to the full extent of the law.”
And take note that threats are becoming more sophisticated. “It is likely future malware will spread through devices at an event just like the flu would through the participants,” Warnick says. Those in the events industry are going to have to anticipate that and utilize technology to mitigate that risk, or face exposure through reputational and possible financial risk.
“Unfortunately, large data breaches continue to occur as a result of the ‘It-can’t-happen-to-me’ syndrome, which means industry leaders who aren’t taking decisive action and putting necessary systems in place become high-value targets,” Siciliano says. “And until additional security awareness training becomes a fundamental part of doing business, the meetings industry will continue to be targeted.”
Experts also hope that cybersecurity in the meetings and events industry will switch from a reactive posture to one that is proactive, allowing organizations to better combat threats to data security. “The need for dedicated, excellent, flexible, well-rounded cybersecurity experts will only continue to grow,” Williams says. “Product, software and service development also needs to fold security into their design. New security testing measures also need to be developed and incorporated. I see that this market will also become segmented into different areas as it continues to grow. No single person or department will ever have all of the answers.” C&IT