In an age where technology controls many facets of a business, attention to cybersecurity is becoming paramount. Meeting and event planners now recognize how technological breaches can rob them of vital intangible assets, but more importantly, jeopardize the safety and security of attendees and any proprietary information being shared. As a result of COVID-19’s impact on the meetings and events industry, with meetings and events being thrust into the virtual world, today’s meeting planners are altering how they’re investing in the appropriate resources to handle both privacy and cybersecurity perspectives, for virtual and hybrid gatherings and events.
In fact, cybersecurity was once viewed as an “IT problem,” but as the threats have changed and the use of virtual and hybrid meetings has skyrocketed, meeting planners have had to evolve into a pseudo multidisciplinary cybersecurity management team. And it is proving to be a vital facet of their role.
Avani Desai, president of Schellman & Company LLC, a global independent security and privacy compliance assessor, points out that the entire purpose of meetings and events is to bring a diverse group together, and when this is done virtually, a whole host of security problems can emerge. “Oftentimes, you have attendees from different geographical areas, companies and industries, each bringing their individual phones, laptops, etc., making the environment a hot bed for bad actors to steal data or compromise devices,” Desai says. “I haven’t heard about a large-scale attack, but I have heard about several smaller ones that saw attendees, or guests, connect to the hotel or conference Wi-Fi only to have their data stolen.”
In the current climate of hybrid meetings where meeting planners are going to have some people in attendance and some viewing the event remotely, you still have some of the above concerns, but you have to now factor in the remote participation. According to Michael Schenck, senior cybersecurity consultant at CyZen, as more meetings and events continue to be virtual or hybrid, the issue of cybersecurity has been altered by the increased use of online platforms for meetings and events. “The need for cybersecurity for such events has been magnified,” Schenck says. “The underlying issues themselves have not been changed, there’s just more sunlight on them now.”
Meeting and event planners have always been trusted with attendees’ sensitive and private information. This level of trust has simply increased due to the rise in virtual and hybrid events, but so too have the cybersecurity risks, says Lauren Weatherly, senior vice president of marketing at global virtual/hybrid meetings and events company PGi. “Cybersecurity is a pressing priority for organizations and attendees alike, and should be factored into virtual and hybrid event planning from the start, and prioritized throughout the entire experience,” she says.
What Lisa Love, founder and president of L2 Cyber Solutions, sees happening from her personal experience, and L2 Cyber Solutions’ client experiences, is everyone is working remotely — whether that be from home, or from an outdoor table at a restaurant, or from the neighborhood walking trail. “Attending virtual meetings from remote locations has expanded the cybersecurity footprint on a much greater level than prior to the pandemic,” Love says. “Today’s level of remote meeting introduces new risk for organizations, in that it makes it extremely difficult to apply cybersecurity consistently across the enterprise. As a result, we have numerous uncontrolled, unmonitored and unsecure access points.”
Another issue with virtual meeting and event attendance is that the meetings and events industry is increasingly relying on cloud service providers. Enterprises sometimes “assume” the provider is responsible for assuring cybersecurity. But with cloud services, and especially large conference-style virtual gatherings, comes increased entrance points. Love recommends meeting planners employ a “trust, but verify” approach with cloud service providers. “Company IT experts need to understand the shared security model and ask themselves, ‘Did the cloud provider really apply the latest patches and cover security risks to protect my data?’” Love says.
Right now, the cybersecurity industry is seeing a rise in ransomware events, phishing attacks and general privacy issues due to unsecured home devices and users not taking proper precautions. Many home devices and home networks don’t monitor for these types of threats. Additionally, people often forget to hide their backgrounds and turn their cameras off after attending virtual meetings. And users need to be cognizant of their surroundings when sharing information. “For example, participants shouldn’t attend a virtual meeting from your apartment balcony or a local coffee shop patio if the meeting will include highly sensitive content. Always remember to log out of the meeting and turn off your camera,” Love says. “Just because you’ve left the meeting doesn’t mean all attendees, including uninvited ones, have left.”
Another risk that’s cyber-related is potential loss of revenue for meeting planners. Many people can pay for a single ticket to a virtual event and receive a login, and then share that login detail with others. “Meeting planners can greatly reduce this type of risk by utilizing a number of cybersecurity options built into meeting planning software,” Love says.
For many remote meetings and events, organizations are using tools such as Zoom or WebEx, and have had to adjust security practices to control access to those meetings and to think about what they are sharing. Jacob Ansari, CISO, Schellman & Company, says perhaps part of why we’re feeling so much fatigue from these meetings is that we’re often sharing what we’ve considered to be somewhat private: our desktop workspace. “The other thing is that we’re sharing whatever else is running: other documents, browser tabs, applications or the like,” Ansari says. “Sometimes, our messenger windows pop up when we’re displaying our screen, which ranges from distracting to harmful.”
Probably the largest threat is when something confidential is discussed on a meeting with few controls to limit participants. “Everyone has read about ‘Zoom bombing,’ where someone crashes a meeting in some spectacular and rude way, but it’s just as possible to join a meeting surreptitiously and hear what’s going on when that’s confidential,” Ansari says.
While cybersecurity may seem like an extraneous expense to some, security breaches can be extremely expensive to recover from, and a breach can have a severely negative impact on the public image a company has with meeting and event attendees and others. Experts agree that most breaches occur where care is not taken to secure network infrastructure from a potential intrusion by cybercriminals.
So what’s a meeting planner to do? One of the best approaches to use in convincing the C-suite or other key decision makers that funding directed at cybersecurity is essential, is by developing and following a “best practices” cybersecurity framework. This also establishes a firm plan that can help with financial justification if a breach does occur, since a meeting planner will have been adhering to a long-term security strategy rather than arbitrary and disconnected security spending.
Since the beginning of the pandemic in March 2020, there has been ongoing discussions around the potential security concerns of virtual events. As Weatherly explains, the most obvious concern is that no one wants an unauthorized attendee popping up in their virtual event and capturing sensitive information. “Protecting attendees, and content, and keeping personal or valuable information safe are two security issues for virtual and hybrid events that must be a priority for all meeting and event planners,” Weatherly says.
As such, the most important strategy is to make security the top priority. To be effective, meeting planners need to ensure the virtual or hybrid event provider provides enterprise-quality grade security, including network security with password protection, login/two-factor authentication, and limited audience access. “Meeting and event planners should market only to their audience, making it an exclusive event that’s only accessible for registered attendees,” Weatherly says. “As with an in-person event, you don’t want just anyone showing up for your virtual event.”
Limit access to the virtual or hybrid event and to the information shared by requiring attendees to register in advance and enter a password to login. Also, consider sending meeting access details right before the meeting begins to ensure they’re only used by the authenticated attendee. Schenck says people often forget that availability is one of the core pillars of good cybersecurity. “It is about ensuring the required resources are up and running when authorized people need it,” Schenck says. “This includes protecting against ‘Zoom bombing,’ the bandwidth being sufficient for the task, and ensuring the service vendors can handle the tasks without creating a bigger compromise.”
Other areas of concern include ensuring the integrity and confidentiality of any content. Make sure the content vendors and presenters upload is malware-free, not manipulated after upload, and that only paying attendees can access the content. “No surprises here, as these address confidentiality and integrity, the other two pillars of cybersecurity,” Schenck says.
What’s more, Love stresses the importance of meeting and event planners employing end-to-end encryption. “Assuring all connections are encrypted from the meeting site to each end-user site protects data from being unintentionally released or shared,” Love says. “Multifactor authentication (MFA) is essential for cybersecurity purposes and helping keep the bad guys out of the event.”
Finally, consent is also vitally important. Assure attendees consent to how the data will be used, whether or not the meeting will be recorded, available for replay, etc. Desai advises meeting planners to make sure when they start the conference, also have people disable rogue Wi-Fi and Bluetooth, and discuss the reasons of not having those on when not in use. “Other useful avenues pertinent to events include utilizing a secure file-sharing system on a secure network rather than sending files via text message or email,” Desai says. “And make sure that both attendees and planners understand what can or cannot be posted on social media, as that is the first place bad actors go to mine data for social engineering — they identify a person, where they are, what they are speaking about, and through that data, will try to obtain unauthorized access to systems.”
While the task of ensuring an event is cybersecure mainly falls on the shoulders of meeting planners, they shouldn’t carry the full weight of the responsibility. In fact, meeting and event attendees themselves have a role to play in ensuring a meeting stays secure. For example, meeting or event attendees can do their part by signing in from a secure device on a private connection (i.e., laptop from a home network, or a password-protected Wi-Fi connection). “Many of us do this, but they shouldn’t fall into the trap of using the same password for multiple sites, sources or logins. Have a separate, secure password for each login required,” Weatherly says. “While the user or attendee might view this as a pain, it’s one of the easiest ways to protect themselves online.”
Love also stresses that attendees should assure they have a firewall in place, and anti-virus software on their device; attend the meeting in a secure location within their home or other private location; and attend the meeting on a secure network. “They should also block their background so no one can derive personal information that can be used in a phishing scheme,” Love says. “And attendees should disable and log out of the meeting app, and camera, immediately following the meeting.”
All of these steps can be communicated to meeting or event attendees via any marketing materials or links upon signing up to attend. Clearly communicating to attendees the important role they play in keeping an event secure is vital. “Prior to the start of any events, organizers should send around a pre-recorded, five- to 10-minute video on cybersecurity training from someone who is an expert in the field — make it mandatory as it is essential,” Desai says. “It’s in the best interest of show sponsors and organizers to make attendees cybersmart. They learn something, and at the same time, they are prepared and aware of vulnerabilities, attacks, techniques — and what it means to exploit an environment.”
While virtual event security is important, it’s equally important not to overwhelm your attendees. Let them know security is paramount, but make event access easy for them. Like others, Weatherly suggests meeting planners do this by password protecting meetings, authenticating attendees with a single sign on or two-factor authentication, and protecting URLs to limit unauthorized sharing of information. “I’ve attended quite a few virtual events — especially during the pandemic — and the No. 1 mistake I see is related to multifactor identification,” Love says. “Not all planners require MFA, and meeting attendees can just join the meeting immediately. MFA will keep unwanted attendees out and help protect sensitive information.”
Experts think virtual and hybrid events are here to stay, even when the pandemic recedes into the past. This means cybersecurity must remain a top priority, and a critical component to the overall event experience. Weatherly says the biggest lesson industry professionals have learned from the pandemic is to find the right platform that is user-friendly and supported by enterprise-quality grade security. “Make it easy for attendees to attend, and always do everything you can to protect their sensitive information,” Weatherly says.
Schenck says hopefully cybersecurity will be a primary focus of meetings and events, especially now that we’ve had time to adapt and adjust to a fully remote approach. “Prior to COVID-19, I don’t know if anyone fully addressed a risk-related event that would force a change of venue to online only,” Schenck says. “The ‘doomsday’ scenarios are always a week or month delay at the same venue, or a cancellation and reschedule. If anyone ever entertained the thought of this kind of extended shift in how we do business, it was only a brief discussion with no real planning or contingency as it was deemed too improbable to spend any real time or resources on that level of response.”
While Love thinks cybersecurity — as it relates to meetings — will always be a concern, she doesn’t think it will be as heavy a concern as it has been during the pandemic. “I think we’ve learned a lot of best practices for meeting and event cybersecurity during the pandemic,” she says. “And we’ll carry those practices into regular customs moving forward.” C&IT