Adobe Stock

In an age when technology controls many facets of a business, attention to cybersecurity is becoming paramount as event planners recognize how digital breaches can rob them of vital intangible assets. More importantly, it can jeopardize the well-being of event organizers, staff and attendees.

With the internet comes many avenues for an event planner to further enhance their business practices within the realm of event organization. From online registration, social media marketing, and online access of presenters’ documents, nearly every facet of an event leaves a digital footprint. With this access comes the risk of receiving malicious programs, or malware, that allow a hacker direct access to business systems, credit card information, and other personal information of planners, presenters and attendees.

David Guse, vice president and data protection officer at Meetings & Incentives Worldwide, says phishing and spoofing continue to be a big concern as they become more believable. Individuals often voluntarily provide sensitive security information, such as passwords or routing numbers for payments, without verifying if the email is legitimate because of the convincing format or the “high alert for response” type of messaging.  “Never, ever, give out your passwords remains rule No. 1,” Guse says.

The meeting and event planners at Meetings & Incentives Worldwide are updated and well-trained on cybersecurity developments in the industry.

“We follow best practice guidelines in updating passwords – even though we know that it is tedious and repetitive,” Guse says. “We monitor industry standards and developments to stay ahead of the ‘bad guys’ curve and apply these practices. Yes, multi-factor authentication is your friend.”

Guse and other industry leaders turn to cybersecurity experts.

So what do cybersecurity criminals look like? Cybercriminals come in all shapes and sizes – and from any number of demographic backgrounds – but what they’re looking for is simple: access to personal information and data they can use for malicious purposes. These individuals often take advantage of an unprotected network where there are multiple users connected to the same network – such as at events and large-scale meetings. Open Wi-Fi networks allow cybercriminals to easily distribute malicious software (malware) to everyone connected in the blink of an eye. Cybercriminals also may attempt to gain access to restricted areas of a conference venue or to obtain information through social engineering tactics, such as pretending to be a vendor or conference staff member.

Jacqueline Beaulieu has worked across all sectors of the trade show, events and association industry. Currently with Poretta & Orr Exhibits & Events as the director, strategic marketing and client engagement, Beaulieu has spent nearly 16 years with Healthcare Convention & Exhibitors Association (HCEA). She is on the board of directors for Meeting Planners International Medical Meeting Planner Advisory Board, Georgia Chapter of Meeting Planners International, and the Exhibition and Events Workforce Development Federation.

According to Beaulieu, some of the biggest cybersecurity issues that meeting planners may encounter include unscrupulous people that pose as corporate, association or meeting planning staff trying to sell either mailing lists or room blocks.

“This is an ongoing problem and one that planning staff needs to educate others about,” Beaulieu says. “Inevitably attendees fall for this year after year.”

Beaulieu also points to phishing or malware attacks by criminals trying to obtain information via fraudulent ways, such as an email. Those sending the emails, and the emails themselves, look legitimate but they will be used for inappropriate purposes. In addition, attacks are now being directed to non-IT systems, which traditionally have been ignored, such as printers, security cameras and building control systems. Phishing and social engineering are also used to look for specific accounts or staff who may be easily spoofed into providing unauthorized access.

“Meeting planners collect information that is private, and a data breach could expose this information,” Beaulieu says. “Preventing this through a variety of security measures is advisable so as to not be exposed to legal or financial legal matters. Often this can happen via the Wi-Fi network and meeting planners may need to take steps to secure the networks and educate attendees on how to use them safely.”

Alyssa McArdle, director of events at NeuGroup, agrees that today’s meeting planners face several internet security issues when organizing meetings, especially data breaches, hacking and phishing.

“One of the biggest cybersecurity issues meeting planners face is the risk of data breaches,” she says. “This can happen when sensitive information about attendees, speakers, or the meeting itself, is stolen, leaked or exposed. Hackers can try to gain access to a meeting’s online platforms, such as video conferencing tools or virtual event platforms, to steal data or disrupt the meeting. Meeting planners and attendees may be targeted by phishing attacks, where fraudulent emails or messages are used to trick individuals into sharing sensitive information or clicking on malicious links.”

Digital criminals may also use social engineering tactics to manipulate meeting planners or attendees into revealing sensitive information. Social engineering isn’t a cyberattack. It is when bad actors gain the trust of their targets, so they lower their guard and give up sensitive information.

“As technology continues to play an increasingly important role in the meetings and events industry, it is incumbent upon planners to ensure data and information is safe,” Beaulieu says.

Adobe Stock

Steps To Take

Cybersecurity used to be viewed as an IT problem, but as the threats have changed, meeting planners have begun to include cybersecurity into the meeting planning management team, and for good reason.

Most cybersecurity breaches occur where care is not taken to secure network infrastructure from illegal intrusion. Also, operating systems and virus detection software must be kept updated with the latest security patches in place. Not only does this mean that networks, servers and PCs must be configured in the most secure fashion available regardless of event size, but ongoing logging of the network traffic must also be maintained. Security patches are a method of updating systems, applications or software by inserting code to fill in, or “patch,” the vulnerability.

One of the best approaches for planners to use in convincing organization executives that funding directed at cybersecurity for an event is essential remains following a “best practices” cybersecurity framework. This also establishes a firm plan that can help with financial justification if a cybersecurity breach does occur at an event since you will have been adhering to a well-established security strategy, rather than arbitrary “off the cuff” security spending.

Poretta & Orr, on behalf of its clients, has had to work with partners to ensure various security measures were implemented at many of the events the company has planned. “We have found that these can be achieved in a variety of ways,” Beaulieu says. These include:

• Secured Wi-Fi networks.
• Encrypting information.
• Two-factor authentication, which provides an added sense of security beyond one password.
• Compliance with General Data Protection Regulation (GDPR) and implementing the nine steps typically outlined to keep data secure. California state officials have implemented data protection rules that need to be followed for those holding meetings in California.
• Training staff to recognize risks and educate them on how to conduct interactions online safely is also growing in popularity.
• Similar in concept to hazard insurance for meetings, cybersecurity insurance protects, in various degrees, attendees from digital threats.

McArdle and the team at NeuGroup recognize they have to make sure that all data is stored securely and encrypted, and that access to sensitive data is restricted to authorized staff only.

“We must ensure that any virtual or streaming platforms we use are secure and have robust authentication procedures in place to prevent unauthorized access,” McArdle says. “And we have to educate staff and attendees about the risks of phishing attacks and encourage them to take steps to protect themselves, like not clicking on suspicious links or downloading attachments from unknown sources.”

McArdle advises fellow meeting planners to take a comprehensive approach to cybersecurity: risk assessments; planning and ongoing monitoring; and training to ensure they can manage the various digital threats.

It’s also important to partner with trusted cybersecurity professionals who are well-versed in the meetings and events industry when appropriate. Cybersecurity professionals need to have a broad range of skills beyond IT, including business process, vendor management, physical security, threat awareness and business continuity management (not just disaster recovery).

Guse also recommends meeting planners remain vigilant with regard to security issues. “Protect yourself and the information you work with,” he says. “One additional email or phone call to confirm is so much better then to just give a response that can cost you much more in the long run. And by all means, simply look at the email address that is coming from the sender, for example, because you will probably catch that it was sent from another email address then the actual sender. This is a big red flag to help you identify spoofing.”

Meeting planners at Poretta & Orr always discuss with clients their security needs and goals, then the meeting planners work with professional cybersecurity partners to determine the appropriate level of security to keep safe the attendees’ information.

“This is an example of the importance of working with a partner that is an expert with a proven track record,” Beaulieu says. “Often clients don’t know what is needed, but an important step in determining this is understanding who their attendees are.”

Beaulieu recommends event planners work with reputable and expert partners in cybersecurity. Then, be sure to create a comprehensive checklist of tasks that need to be followed.

“Do not deviate from this list and take shortcuts,” Beaulieu says. “This is not an area that warrants ‘fast and easy.’ Making even the smallest change in a meeting registration format, adding a new field of information, or change to a database, can cause unintentional problems. Always consult your partners or experts prior to implementing data changes to understand the impact of that change.”

It’s also vital to remember that virtual events are just as susceptible to a variety of cybercrimes as are in-person events. And as virtual events continue to gain momentum as attendees recognize the ease and accessibility being offered to participate in events near and far, cybersecurity issues also need to be addressed in this realm. This type of cybercrime also includes data theft and conference interruptions or obstructions to the conference operation.

Meeting planners should choose a virtual event platform that is secure from potential cybercrime. These platform providers can provide the details needed for planners to adequately evaluate the safety and security of their programs.

So, what should a planner do if he or she suspects a cybersecurity breach? First of all, attendees should immediately be notified so they can run antivirus and other software to insure their laptops, tablets and mobile phones have not been hacked. Changing passwords is also paramount and this should occur across all emails and social media accounts. Attendees should keep a close watch on their financial accounts and credit cards. Meeting and event planners also should establish a contingency plan in case of a cybersecurity incident. This plan should include an established response team (as well as the roles of each member of the team), a backup system and a communication plan for all stakeholders.

Future Planners Could Become More Proactive

The line between business cyber-risk and personal cyber-risk within the meetings and events arena has never been blurrier. That’s why companies and individuals cannot afford to ignore it. Cybersecurity will continue to be a challenge. Lone wolves, terrorists, those engaged in espionage and even the disgruntled worker will continue to target industries, including the meeting and events industry.

Though training and vetting of security and data-management procedures are taking place throughout the events industry, experts agree that the planners must be mindful that procedures should evolve as threats change. Best practices must be adapted and efforts must be undertaken to ensure that others are adapting as well. Complacency or viewing cybersecurity threats as static, rather than dynamic, is a recipe for disaster. Many industry experts hope that cybersecurity in the meetings and events arena will switch from a reactive posture to one that is proactive, allowing meeting planners to better combat threats to security.

“I can’t imagine a time when we will be free of unscrupulous individuals,” Beaulieu says. “With technology evolving at warp speed, this is an area that meeting planners need to stay on top of with either their own internal cybersecurity staff or through a trusted expert cybersecurity partner.” C&IT