When Mitt Romney’s now infamous statement that 47 percent of voters are too dependent on the government was secretly recorded at a private fundraiser in Boca Raton, FL, it was more than just a turning point in the 2012 presidential election. It was a lesson to all CEOs and meeting owners on the importance of taking the proper precautions to keep any content discussed at meetings and events secure.
“Whenever the head of a company says something at a meeting outside of company headquarters, he or she should assume that it might end up on the public record. With today’s technology, it’s so easy to flip on a smartphone and hit record,” notes Michael McCann, former chief of security for the United Nations and now president of New York City-based McCann Protective Services. “The Romney incident should be a warning to all meeting planners to pay increased attention to meeting content when conducting a threat and risk assessment to identify what level of protection is necessary for an event.”
According to a report by the Federal Bureau of Investigation, the theft of intellectual property costs U.S. businesses billions of dollars each year and robs the nation of jobs and tax revenues. McAfee, the Internet security firm, says companies worldwide are estimated to lose more than $1 trillion due to these kind of data leaks. “This threat to proprietary information increases during off-site meetings,” says McCann. But with the right precautions and participation from attendees, planners can greatly reduce that threat.
Assess the Risk
The level of security you impose at any conference or event is parallel to the sensitivity of the information being presented. During McCann’s tenure at the United Nations there were times when his team found listening devices planted in meeting rooms. Although security sweeps were conducted before every sensitive meeting, he says he could never guarantee complete protection.
“My team was excellent, but I could not guarantee 100-percent protection against a government entity with a budget of billions of dollars and the latest technology,” says McCann. “Again, it is important to identify the threat and risk. Anyone who claims they can provide foolproof content security is overstating his capability, especially if a foreign government or a commercial competitor being supported by a foreign government is the threat. But for most meetings, reasonable and cost-effective measures can significantly reduce the threat to the content being targeted.”
What are the main concerns? McCann says finding answers to the following questions during the risk-assessment phase of planning a meeting will help establish the level of security needed to protect its content:
• What is the meeting about?
• Who is attending?
• Who would have an interest in the content the meeting is presenting?
• If these parties did gain access to the information, to what purpose would they put it?
Aegis, a Miami, FL-based financial services company for the U.S. government and its agencies, as well as the military, conducts meetings where the content is highly classified and sought after by the media and foreign governments, and attendees often have high government security clearance. As a result, its content risk assessment has resulted in very stringent security measures. “When holding meetings at hotels and resorts, we make sure our security detail, which is comprised of former military and retired law enforcement personnel, has unrestricted access to the facility,” says Jim Angleton, president of Aegis, who also helps plan the company’s meetings. “Hotel and resort security staffs do not have the level of training to deal with the kinds of threats we face, so they do not monitor security during our events — our security detail does.”
Mary Keough-Anderson, director of meeting management and event strategy for Liberty Mutual Insurance for 34 years, and now a consultant, says some meetings require a higher level of security than hotels and resorts can provide. For many of her meetings for Liberty Mutual and the events she consults on now, she has sought out security specialists.
Early on in the planning process, Keough-Anderson compiles an event notification form that she sends to the client’s in-house risk-management team. If such a team does not exist, she engages the services of an outside private investigation company. The form helps her build a profile of the people who are attending the meeting and what the associated risks are. Then she sends a risk assessment form to the hotel that addresses all of the property’s safety and security measures.
“If proprietary information is being presented, it pays to employ a private investigation firm to sweep the meeting room for recording devices prior to the gathering and then to keep it secure until the group arrives,” says Keough-Anderson. “In some extreme cases, I’ve even had a guard stationed at the door of the meeting room during breaks.”
Private investigators help not only with the actual meeting, but also with preparing due diligence on participating vendors. “The first question you should get an answer to when checking dates is if any competitors will be in the house at the same time,” Keough-Anderson says. “Have a list of those companies you consider competitors to give to the hotel and your investigators, if you’ve hired a firm.”
Another tactic Keough-Anderson has used to mitigate the risk to proprietary information is having the guest rooms of the CEO and other senior officers swept for listening devices prior to their check-in.
“If the content of a meeting requires a heightened level of security, it’s also a good idea to have the property’s elevators swept for listening devices, as this is where many confidential conversations are held,” she says.
Promote Participant Awareness
Even the most meticulous security measures will be executed in vain if attendees are not aware of the confidentiality of the information being disseminated in the meeting. “Make sure your group knows to be aware of who is around them when they are chatting in the bar or other public places on-site that are outside of the meeting room,” advises McCann.
Aegis has extensive procedures that make sure attendees are aware that the organization places a high premium on content security. All participants are required to power down their cellphones, iPads, laptops, and other electronic devices. “These devices are also not allowed in the meeting space,” notes Angleton. “Lockers are provided for all of these devices, which must be shut off even when they are stored away.”
Metal detectors are sometimes utilized at points of entry at Aegis events, and no recorders, open phone lines, or uninvited guests are allowed. All notes taken by the attendees are reviewed after the meeting and redacted to ensure sensitive data does not leave the meeting environment. PowerPoint presentations are maintained on one laptop that remains with Angleton and never leaves his possession. “We do everything short of bodily frisking our attendees, which may be next,” he says.
It’s important to communicate to the attendees the specifics of the content-security procedures that will be in place before the meeting. “Stipulate on meeting registration material, on the conference website, and on signs on the meeting room doors, that no audio or video recording can occur during the meeting, and if someone is discovered recording, he or she will be ejected from the meeting, the registration fee will be forfeited, and the recording device will be confiscated,” says Stephen Barth, president and founder of HospitalityLawyer.com, a worldwide network of attorneys that focus on hospitality, travel, and tourism issues. Barth is an attorney, and is the founder of the annual Hospitality Law Conference series.
If sensitive or confidential information is being presented as part of a multimedia production, Keough-Anderson recommends getting all production crews, A/V technicians, and other vendors who may be in the room during the meeting to sign confidentially agreements.
Thwart Gate Crashers
At trade shows and conferences, safeguarding information starts during registration. Some planners go so far as to ask each attendee for identification. Barth says that if security is a concern, planners should take the registration process even one step further.
“Ask each attendee how many years he or she has been with the company or who his or her supervisor is, and then call and verify that they are who they say they are,” says Barth.
If an extra layer of scrutiny like Barth describes was present during a major e-commerce conference in Los Angeles last summer, Jerry Jao, co-founder of Retention Science, a data startup that helps businesses figure out ways to retain customers, would not have been able to crash it. At the time, Jao had the concept for his company but that was about it. “I wanted to get my idea validated. I didn’t want to start building on something that no one would pay for,” says Jao.
He knew this event would be an ideal forum for him to network. The problem was, he couldn’t afford to attend. “I hadn’t had a regular salary for two-and-a-half years,” Jao says.
So, he did some research online and found an attendee list and identified an attendee who had a similar background as him. He scoped out the registration desk and at an opportune moment approached an attendant and told her he had left his badge inside the conference and was hoping he could get a new one. The attendant complied without asking for any identification.
In situations like that, preventing an event from being compromised often comes down to training. “That registration attendant may not have been given the proper instructions for dealing with a situation like that,” says Barth. “It’s not enough to just tell someone not to give out a badge without seeing some form of ID. You have to give them some training which can be as simple as a short script that helps them explain to folks there is proprietary information being discussed and they need to see some identification before they can give anyone a badge.”
Keeping Off the Grid
Many companies that hold meetings where sensitive content is disseminated do not want any signs onsite or at the airport, as they want the meeting to remain under the radar. “I never post signage for events like that, because once you post it, you’re a target,” says Keough-Anderson. “Even at the airport, I make sure the driver’s sign just has the name, no company name or logo.”
It’s also a good idea to avoid publicizing the event on the Internet and to curtail usage of web and cloud technology for transmitting or discussing content. At Aegis, meeting dates and information are not promoted to the attendees or even emailed to them. The invitations are physically shown to attendees, not released to them. “They get to view the invitation and see who the guest speakers are, what the agenda is, and what the dates and times are,” says Angleton.
Not all of your attendees may be aware of the fact that the Wi-Fi network in the hotel may not be safe. Without the proper precautions, the prying eyes of hackers may be looking at your information and files.
It is advisable that you find out which provider your hotel uses, and research the safety measures it has in place. A provider that uses a virtual private network connection is much more secure.
If you’ll be using a closed connection, investigate what type of encryption it utilizes. Specifically, look for YWPA2 encryption. You can typically locate this information by clicking on the name of the network.
Eva Casey Velasquez, president and CEO of the Identity Theft Resource Center, a non-profit organization, and Sam Imandoust, an attorney and legal analyst for the organization, stress the importance of not allowing any visitors to use removable data storage devices on any computers connected to a secure network. They also recommend setting up a computer designated just for presentations. When permitting guests to access your wireless network, ensure that the wireless connection is segregated from your server and other sensitive data, recommend the two.
Andrew Schrage, co-owner of Money Crashers Personal Finance, a personal finance and lifestyle website, stresses the importance of a secure content-management system. “There are many available, and most feature encryption for both online and offline services, encryption when transferring data to mobile devices, document tracking, and more,” he says. If laptops are permitted in a meeting attended by executives from different companies, privacy filters should be used to secure data from roving eyes.
Attendees will appreciate that you took the time to ensure their company’s information isn’t seen by intruders during their meeting. “Our responsibility as planners is to mitigate risk, and safeguarding proprietary information should be a key aspect of that effort,” says Keough-Anderson.