You don’t have to be an IT professional to know that cybersecurity is among the top threats facing businesses and governments in 2018. Thanks to election hacking by Russia, regular data breaches at major retailers and a constant barrage of dubious emails from internet scam artists, it’s in the news on a daily basis. What you might not realize, however, is that cybercrime -- which is expected to cost businesses $6 trillion per year by 2021, according to information security firm Herjavec Group -- impacts consumers not only at voting booths and cash registers, but also at meetings and events. Meeting professionals therefore need to make cybersecurity a top priority today and in the future.
To find out what threats exist, and what meeting professionals can do to mitigate them, Successful Meetings spoke with cybersecurity expert Rebecca Herold, founder and CEO of The Privacy Professor, an information privacy, security and compliance consultancy, who shared her tips for making physical events digitally secure.
We all know that industries like retail have vulnerabilities. But what about the meetings industry? Is it vulnerable to cyber attacks, too?
There are many unique information security and privacy vulnerabilities within the meetings and events industry. Certainly it is vulnerable, in numerous ways, to cyberattacks. For instance, there are wireless network vulnerabilities and physical vulnerabilities.
Wireless network vulnerabilities exist because: Meetings are generally very open events, with many people using many types of wireless access computing devices; attendees’ devices usually connect to open (i.e., no encryption and no password, or one shared password for everyone) networks; it is very easy to get access to devices on open networks, especially when those devices are not secured, or poorly secured; and most people have poorly secured devices.
Physical vulnerabilities exist because: People often leave their computers (laptops, tablets, etc.) sitting unsecured on tables, etc., while they speak with others and go to meetings; such unattended devices are subject to theft, exfiltrating data from the devices, loading malware on the devices, etc.; and people pull up very sensitive information on screens that are often viewable by others nearby.
What threats exist for meetings and events, exactly?
There are also many unique information security and privacy threats within the meetings and events industry, including: hackers and other malicious actors on wireless networks; malware being spread through Wi-Fi; and skimmers placed in USB chargers, ATMs, credit-card readers, etc., that exfiltrate data from the devices/cards using them.
What’s your sense of how prepared or underprepared the meetings and events industry is with regards to cybersecurity?
I attend a lot of events and meetings. Some are very large conferences, all the way down to the more intimate lunch meetings with high-level executives. Most are very concerned about providing accessibility to the internet, and to collecting data from attendees. Very few actually implement security controls for these activities. Even in information security conferences they tend to implement insufficient -- and sometimes no -- security controls. The industry is generally complacent when it comes to addressing security and privacy risks.
Are you aware of any attacks or breaches that have affected meetings and events in the past?
Yes, there have been many instances. For example, just this year, the RSA Conference, which is specific to data security, provided apps to attendees to use that resulted in the app users having their data breached because of security vulnerabilities in the apps.
Let’s talk about regulation for a moment: The European Union (EU) recently enacted its General Data Protection Regulation (GDPR), for instance. What are meeting and event planners required to do in terms of cybersecurity?
Every type of organization that accesses, in any way, any type of personal data has cybersecurity requirements. Certainly, any organization -- located anywhere in the world -- that collects, stores or accesses the personal data of EU residents and citizens is subject to GDPR. Many such organizations come to the United States to attend a very wide range of conferences, meetings and events. The professionals organizing those need to determine the ways in which GDPR applies to them.
But even beyond that, we have 54 U.S. state and territory breach notice laws. So those holding events and collecting personal data need to know their responsibilities for responding to breaches of all the personal data they are collecting. There are also breach notice legal requirements in specific industries, such as in health care, financial services, and government, just to name a few. And in many other countries. So meeting and event planners at a minimum need to: 1) determine the personal data that will be collected, stored and shared; 2) determine the associated applicable data protection laws, regulations and other legal requirements they must follow; and 3) determine the associated legally required security controls.
What else should meeting professionals do in order to secure their systems and protect their data? What tools, tactics and strategies would you recommend beyond what’s required by law?
There are many things that need to be done. At the core of every meetings and events organization, the following need to be established, tested and implemented:
• If providing Wi-Fi or hardwired network access to the internet or other network, ensure there is a security connection required.
• Implement encryption on the networks provided.
• Ensure USB chargers, ATMs and credit card readers are secured.
• Provide signage or other communications to attendees reminding them of security controls.
• Collect the minimum amount of personal data necessary to support the purposes of the meeting/event.
• Ensure vendors and others attending know that they must implement security controls.
Likewise, what should meeting professionals stop doing? Are there common behaviors and sins they should avoid that are leaving their events vulnerable?
Great question! I’ve seen some really egregious information security practices within the meetings and events industry. Here are some of the most common I’ve seen:
• Stop using one password for everyone at the event.
• Stop over-collecting data.
• Stop sending personal data and other confidential data in clear text emails to those in attendance.
• Don’t throw about printouts with personal information in publicly accessible trashcans, and finely cross-shred them prior to throwing them away.
• Keep operating systems provided at the events updated and all security patches applied.
• Stop sending clear text data over networks.
• Don’t leave rooms containing computing devices unattended and unsecured.
This is a fast evolving space. So how can meeting professionals best stay on top of new threats and solutions?
There are many ways to stay aware:
• Attend security and privacy webinars. Many are available. For example, I’ve done several for ASAE, which many in the meeting and events industry probably belong to.
• Subscribe to my free monthly Privacy Professor Tips messages.
• Listen to my radio show, “Data Security & Privacy with the Privacy Professor,” and other security and privacy radio shows and podcasts.
• Join an information security and/or privacy association, such as the Information Systems Security Association (ISSA), the Information Systems Audit and Control Association (ISACA), the International Information System Security Certification Consortium ((ISC)2) or the International Association of Privacy Professionals (IAPP).
• Subscribe to one of hundreds of free email newsletters on information security and privacy.
• Subscribe to an information security and/or privacy magazine.
Any final thoughts or miscellaneous remarks?
No industry can think that it has no information security or privacy issues that it must address. There are many people involved in the meeting and events industry, which inherently creates many data security and privacy risks that must be mitigated for each and every meeting and event.