Cyber security: Is your event safe?
By Kim Benjamin
09 Oct 2017
Is your event at risk of getting hacked? It’s likely to be a question that hasn’t crossed many event planners’ minds, but with instances of event-related cyber attacks on the rise, it should.
Earlier this year, AEG-owned festival promoter Goldenvoice revealed that hackers had accessed personal information from users registered on coachella.com, the website for the annual US music festival, including names, email addresses and phone numbers.
A Linux conference held in Australia two years ago also suffered from security issues when the event’s database was breached, while participants attending a UN climate summit in Paris in 2015 had their personal registration data revealed online.
With meeting planners entrusted with a high volume of information, much of it sensitive, such as flight schedules and hotel check-in details, it’s easy to see why the events sector is a tempting prospect for cyber criminals. And that’s before the event has even started.
Other potential ways information can be compromised include the exposure of schedules during the event, such as government minister agendas, and data breaches at on-site registration kiosks. Hackers can access details such as users’ names, addresses and dates of birth to plan more sophisticated operations such as money laundering or further hacking of personal accounts.
And it’s not just a question of stealing data—it’s about interference too. Sean Donahoo, CEO of Disruptive Solutions, a provider of cyber security services, says that hackers can disable conference wifi and even access event apps to send fake updates. He also cites an example of how a QR code on a conference poster was replaced with one that redirected the user to a malicious site.
With drones becoming more prevalent in the event space, Donahoo adds that drone exploitation is another area to consider, with interception and/or manipulation of data feeds a concern.
“It’s only a matter of time until potential data thieves realise that most of the event industry is an easy target,” he says. “Planners won’t think twice about hiring consultants for everything from swag to table cloths, but cyber security is rarely in the plan. Start by putting it into your planning process now.”
The very nature of cyber attacks, where vulnerabilities in computer systems can be exploited in a number of ways, means it’s often hard to identify and track any problems until it’s too late. Hackers may use one or several methods at the same time, such as a misconfiguration in one of the system components or even a ‘backdoor’ from an earlier attack.
It can seem tempting to rely on your IT department, if you have one, or your internet providers/consultants to manage security, but, says Donahoo, if you think they have it covered, you’re probably wrong.
“Their job is to handle bandwidth and connectivity. Adding items to their statement of work like encryption and daily, rolling passwords is a good start,” he says.
Frank Chan, executive director at Hong Kong-based agency X2 Creative, identifies the biggest potential risks for planners as: information being leaked by staff and those involved in the event (many speakers share sensitive information even before it is announced publicly, for example); data leaked through technical error; guests feeling insecure or not confident in the security being provided; and hacking issues.
“There is absolutely a greater risk of hacking given the data available to event planners,” says Chan. “At X2 our plan is to reduce the number of people involved from the agency, client and hotel side, to ensure that there are less opportunities for leaked information.
“Sometimes information is shared that people don’t even know is sensitive, but they may re-communicate this in passing to vendors or friends. Less people [involved] ensures less risk of this happening.”
One option the agency has used is private servers for specific events or clients. The servers have a limited number of access points, with the number of people able to log in kept to the minimum possible.
Online, X2 says it needs to ensure microsites for registration are secure, which can help high-profile guests feel more comfortable about filling in their information, for example. For large-scale events, or those featuring high-profile guests or speakers, Chan advises hiring a cyber security manager to manage all central systems and data flow to identify risks and track the flow of data.
Educate and empower
While one part of cyber security is about identifying what is at risk and investing in systems to protect this, Laurence Julliard, ICT business director at MCI Group, believes that education is just as important, particularly to safeguard from cyber attacks without limiting data gathering potential.
“Humans are the weakest link in data protection and an easy target for hackers,” she says. “This kind of hacking is defined as ‘social engineering’, the act of taking advantage of human behaviour—or that one little mistake—to steal confidential information. The most important line of defence is to educate employees about these threats and put in place protocols to help prevent social engineering attacks.”
Julliard suggests offering training on risk exposure and the consequences of data being stolen, and creating guidelines for employees to regularly change their passwords for their computer systems, accounting software, email and other programmes where sensitive information is stored. It also helps to test these on a regular basis.
“Following training, employees should occasionally be tested to ensure they understand typical social engineering and hacking scams and don’t hand out sensitive information,” adds Julliard.
Charmaine Wong, business development manager at BCD Meetings & Events, likens having a plan of action for cyber security to responding to a fire drill—any policy should be regularly practiced so all employees know what to do in the event of a breach.
On a practical level, she advises not to delay updating your antivirus software or other security applications, as these will help guard against the latest threats and keep your infrastructure secure.
Verify financial requests and confirm details by phone instead of relying on email to initiate or complete any financial transaction—whether you are dealing with your bank, vendors, clients or employees. Use a two-step verification process to add another layer of security when approving outgoing funds.
“Never upload your personal data ‘unencrypted’ to Dropbox, Google Drive or any online file sharing service,” she adds. “Pop-ups are another challenge with regards to cyber security, they can contain malicious software which can trick a user into verifying something.”
Anton Bonifacio, chief information security officer at Philippines-based Globe Telecom, says that for companies which don’t have their own infrastructure in place and rely on free online tools such as SurveyMonkey or Google Apps to fill in forms or complete on-site surveys at events, ensuring web security can be trickier.
“I don’t think there are any specifics to ‘events’ per se outside of what is already out there for end-users, such as ensuring you have some form of antivirus on your workstation and don’t follow links you’re not supposed to,” he says.
Keep it safe
For events in those sectors where data or session content is likely to be highly sensitive in nature, such as pharmaceuticals or financial services, Neil Wang, Greater China president at research and consulting organisation Frost & Sullivan, recommends using a virtual private network (VPN) and firewall.
“The VPN server is used for allowing authorised staff to log on to the intranet by entering a passcode to perform regular operation and maintenance work,” he says.
“It can also be used for communication between different networks under a safe environment. Firewalls are the major method used to prevent hacker attacks from outside and from the software side, using certificates to ensure safety when sharing information.”
X2 Creative’s Chan says some of the agency’s clients that operate in sectors where data is particularly sensitive prefer to use multiple vendors for different actions, to ensure certain duties are carried out with respected and trusted vendors.
“This could include CEOs using their own private security firms for transportation, while many financial clients have extremely capable cyber security departments who are deeply involved in the event planning with the agency and vendors,” he says.
It’s also vital to revisit any cyber security policy for those travelling away from their normal work environment. As MCI’s Julliard points out, travellers are more exposed to unsecured connections such as networks and wifi that may be unsafe, while using devices in large public areas such as airports may provide an easier target for hackers.
“Because social engineering involves human behaviour, risks are increasing when employees are travelling or are away from their usual work environment,” she says. “They become more vulnerable and are exposed to different practices, rules and laws from the countries crossed or visited.”
Julliard adds that it’s important to establish a standard framework for how information is shared throughout the company as well as specific processes for those travelling.
Create a policy for how sensitive information is asked for and given; and with event agencies and in-house planners relying heavily on freelance staff to help out with events, often at short notice, it’s vital that they are also made aware of any cyber security policies.
If data and systems are compromised, Frost & Sullivan’s Wang points out that it’s vital to have a solid recovery plan in place—it may be too late to prevent the misuse of data, but planners can reassure attendees that steps are being taken to recover data.
He says: “Set up a good backup and restore mechanism. When attacks cause losses, use backup and restore functions to recover lost information, thereby mitigating the loss.”