There was a time when data security meant "armed guards, closed circuit cameras and a good lock on the file cabinets," says Jason Neal, director of IT and web development for Brightspot Incentives & Events. "Today, the topic of securing data is a very
complex one, and that complexity has greatly impacted the business of managing meetings and events."
Cybercrime will cost the world more than $6 trillion annually by 2021, according to global research company Cybersecurity Ventures, and many cybercriminals target small businesses -- including plenty of meeting planners.
"All meeting planners, whether corporate, association or independent, should have standard language in their RFPs and service-level agreements with third-party service providers asking how their attendee data will be protected by third-party staff," advises
Kevin Iwamoto, speaker, author, educator and senior consultant at GoldSpring Consulting. "This can be augmented by asking if their data privacy protection standards are compliant with the General Data Protection Regulation [GDPR] regardless if the
organizer, event and attendees have European Union residents/citizens or not."
What else can meeting planners do to ensure their organizations don't become cyberattack victims and that their attendees' data is protected? Here are 16 tips:
1. Defend Against Malware
Ransomware, a malware that infects computers and restricts access to files, often threatening permanent data destruction unless a ransom is paid, has reached epidemic proportions and is the fastest-growing cybercrime. The statistic is harrowing: Every
40 seconds a business falls victim to a ransomware attack, reports Kaspersky Lab, a global cybersecurity company. Industry insiders predict that will increase to every 14 seconds by 2019
Malware is most often delivered via tailored spear-phishing emails or text messages that lure victims into clicking on links and downloading the ransomware or other malware. Critical steps that help defend against such practices include training meetings
staff and educating attendees to recognize spear phishing, using the most up-to-date security software and, most importantly, never clicking on links unless they have been verified as legitimate.
2. Create an ISMS and Establish a Data Security Policy
Meetings are vulnerable because they are generally very open events, with many people using many types of wireless computing devices. Attendees' devices usually connect to open networks, which by definition have no encryption, no password or one shared
password for everyone.
A good place to begin the fight against these attacks is to create an Information Security Management System. An ISMS is a defined management system that explains what needs to be done to protect data and to establish policies, processes and systems to
What types of activities should these systems be monitoring? According to cybersecurity expert Rebecca Herold, founder and CEO of The Privacy Professor, an information privacy, security and compliance consultancy, "There are many unique information security
and privacy threats within the meetings and events industry, including hackers and other malicious actors on wireless networks; malware being spread through WiFi; and skimmers placed in USB chargers, ATMs, credit-card readers, etc., that exfiltrate
data from the devices/cards using them."
This policy should define what type of data your organization is focused on protecting and the steps being taken to secure that data. Ensuring that your security efforts align with your policy will help you to identify and implement best practices and
can foster greater organizational support in the event of an incident, says Brightspot's Neal.
Iwamoto adds, "All planners should ask for their clients' Data Protection Policy and Standards. Knowing in advance what the policies, processes and protocols are from a company and client is not only prudent, it will also give the planner the roadmap
as to what necessary steps must be taken to adhere to the company and client expectations."
3. Create a Digital Safe Place
"Most organizations that host meetings are very concerned about providing accessibility to the Internet, and to collecting data from attendees. Yet very few actually implement security controls for these activities," says Herold. "Even in information
security conferences, they tend to implement insufficient -- and sometimes no -- security controls."
Herold suggests using a "digital safe place" -- a storage place for data that has been verified. This could be a corporate file server, a secure cloud storage solution or an encrypted thumb drive.
The important thing to remember is that personal information that is not stored in this safe place should be considered at risk. If you download a list of meeting attendees from the safe place to your desktop or print a copy, you must be vigilant in ensuring
that those copies are destroyed, says Neal
4. Safeguard Data Privacy and Transference of Data
Planners can do their part in safeguarding data and its transference by doing two things Iwamoto recommends:
• Use a Virtual Private Network whenever you are online using your laptop, mobile phone and tablets, as it protects data and online activities from hackers, especially when using public WiFi. If your company doesn't provide VPN, there are many inexpensive
options to purchase VPN online. Get a plan that offers multiple-device protection. VPN also allows you to bypass Internet site blocking when you are in countries like China and protects your online activities from full-time aggressive hackers,
• Encryption of meeting and event data should be a standard operating procedure, especially on-site, when data could be accessed and compromised by nonauthorized people. Encryption of data for online and physical transference on USB drives should also
be standard practice for planners. "Planners and staff are responsible for safeguarding the encryption passwords, and these should never be shared casually," says Iwamoto. "Data protection is only as good as your weakest links and bad practices."
5. Toughen the Security of All Your Devices
When most people think of system security, they immediately think of servers and work computers. In today's workplace, mobile devices are used just as often to access sensitive attendee information. It is important that all phones, tablets and even digital
accessories that can open a file have the most current updates and that they cannot be easily accessed by a nonauthorized user.
6. Know if Your Data Host is SOC 2 Compliant
In many cases, we assume that our data-hosting company is following all the appropriate security best practices, but how can we truly know? A Service and Organization Controls 2 Report evaluates an organization's information systems relative to security,
availability, processing integrity, confidentiality and privacy, says Brightspot's Neal. SOC 2 assessments are conducted by a certified and independent third party that specializes in information-security audits. The audit process and corresponding
report can offer insight into how secure your data hosting environment is. If your provider does not have a SOC 2 report, you may need to conduct additional research to verify that they are complying with known security guidelines.
7. Outwit Phishing Attempts
Phishing is a commonly used tactic by hackers to get to sensitive information. Matthew Vernhout, a digital messaging industry veteran with more than a decade of experience in email marketing who is director of privacy with 250ok, an email analytic company,
explains that 91 percent of cyberattacks begin with a phishing email. It's crucial for all organizations to put proper protocols in place to avoid falling prey to an attack, he says.
Could you and your attendees identify a phishing attempt when receiving such an email? OpenDNS has an online phishing quiz to test your ability to spot the differences between fake websites and real ones. It is strongly suggested that your organization
invest in phishing-awareness training for employees.
"These days, hackers are increasingly skilled in getting people to respond and provide access to data," says Iwamoto. "Planners and organizers must remain vigilant against phishing. A best practice is to advise attendees and staff about the process that
will be used to request sensitive data and information. Include a disclaimer warning that any requests for data made outside of the processes described are most likely a phishing attempt and should be reported immediately."
8. Invest in Solid Technology
A good anti-spam solution is your first line of defense and will help catch many of the previously described fraudulent emails before they reach an inbox, says Vernhout. Increasingly, these tools work with email authentication solutions like Sender Policy
Framework, DomainKeys Identified Mail and Domain-based Message Authentication, Reporting and Conformance. Once you've properly authenticated your email, consider taking the next step with Brand Indicators for Message Identification. While it's in
beta now, you can get your affairs in order to opt-in when BIMI becomes available for broad use.
9. Train Staff
Human error is a factor in many data breaches, so staff training is imperative. It should be done often and include information on how to avoid phishing links, ransomware and other hazards.
"Event organizers and planners should train on data privacy policies and standards and educate staff and third parties on the expected handling of attendee and organizer data on a consistent basis," says Iwamoto. "Data integrity and safeguarding is everyone's
responsibility, including your designated third-party suppliers'."
10. Classify Data
Organizing data as public, internal and confidential is important, and encrypting sensitive data is an essential element of data protection. Since what may appear to be innocuous data can be harmful in the hands of a cybercriminal, it is crucial to consider
what data should be protected. Additionally, do not gather data that you do not need, says Steven J.J. Weisman, a lawyer and college professor who teaches white collar crime at Bentley University and one of the country's leading experts in cybersecurity.
11. Adhere to the Rules of the GDPR
Consider whether the European Union GDPR rules regarding data privacy apply to your meeting or conference. Even if they do not, adhering to those rules is a good practice.
"Many U.S.-based planners feel that as long as their events [are domestic] and attendees are U.S. residents, the GDPR laws don't apply to them and their events. We have many Canadians and ex-pat E.U. residents who live and work in the U.S., so the assumption
that you have a 100 percent U.S.-citizen audience is false. Many U.S. companies have elected to follow the stricter GDPR data-privacy laws rather than operate separate privacy standards," notes Iwamoto.
12. Limit Access
While much of the focus of data protection has been from outside threats, protecting data from misuse by rogue employees or insiders is also essential. Limiting access to data within an organization to only those who have a need to know is essential,
13. Implement Dual-Factor Authentication
To protect data from ransomware and similar threats, data should be stored securely in the cloud, and dual-factor authentication should be utilized.
14. Watch Physical Security
As a meeting planner, it's important to make sure that attendee data is secure. To do so, the systems that store registration information must be protected from cyberthreats, including hacks, phishing attempts and unauthorized disclosure, advises Jack
Plaxe, a 30-year security veteran and founder/managing director of the Security Consulting Alliance LLC. Equally important but often overlooked is the physical protection of meetings, Plaxe says. It doesn't make sense to focus on the cyberprotection
of data if someone can walk up and take a packet of information given to all attendees, especially if that packet includes a detailed listing of all registrants.
15. Back Up Your Data
With all the best security measures in place, it is still possible to find a vulnerability. That's why backups are vital. Even if data gets infected, or security is breached, if you have backup, a comeback is easier.
"Data portability was transformed with the invention of the cloud. Cloud data storage revolutionized technology and changed best practices overnight," says Iwamoto. "Backing up data using cloud data storage will be less traumatic and stressful if something
happens. Don't ever give anyone your credentials. Also, make sure your cloud storage supplier encrypts all data, and read their fine print when it comes to their responsibilities to safeguard your data."
16. Craft a Response Plan
Mistakes happen. Knowing a plan is in place in the event of a successful phishing attempt will organize your team around minimizing the access given to the attacker, says Vernhout. Have you considered cyber-risk insurance? It may be worth looking into,
"If you are one of the U.S. companies using GDPR standards, then having a data-breach response plan and notification of such a breach to all who are affected is spelled out in Article 33 of the GDPR," notes Iwamoto.
He adds that the good news is the U.S. is prepared for the data-breach notification provision under GDPR. "Planners should always check, verify and communicate what those data-breach state laws are to all staff and third parties to ensure compliance.
While all 50 states have these laws, the requirements vary from state to state.
Recently, California announced it will have a "GDPR-like" set of laws called the California Consumer Privacy Act (CCPA). "The bill, AB 375, is similar to GDPR in some ways but still has a lot of undefined areas that we expect will get more detailed as
the January 2020 launch date approaches," says Iwamoto.
Data Protection Do's and Don'ts
What else should meeting professionals do to secure their systems and protect their data? Cybersecurity expert Rebecca Herold, founder and CEO of The Privacy Professor, an information privacy, security and compliance consultancy, has put together this list:
- If providing WiFi or hardwired network access to the Internet or other network, ensure there is a security connection required.
- Implement encryption on the networks provided.
- Ensure USB chargers, ATMs and credit card readers are secured.
- Provide signage or other communications to attendees reminding them of security controls.
- Collect the minimum amount of personal data necessary to support the purposes of the meeting/event.
- Ensure vendors and others attending know that they must implement security controls.
- Don't use one password for everyone at the event.
- Don't over-collect data.
- Don't send personal data and other confidential data in clear-text emails to those in attendance.
- Don't throw out printouts with personal information in publicly accessible trash cans, finely cross-shred them prior to disposing
- Don't use operating systems provided at the events unless they are updated and all security patches applied
- Don't send clear-text data over networks
- Don't leave rooms containing computing devices unattended and unsecured.