What are the cybersecurity threats facing planners today — and what can they do to keep their event, and their attendees, safe from attack?
“Security tech vendors, the NSA, FBI, Homeland Security’s CISA [Cybersecurity and Infrastructure Security Agency], and other agencies around the world are tracking cyber-criminal activity, and all have validated that Russian state-sponsored cyber operations that have been going on for years are still going on,” says Rebecca Herold, CEO and Founder of The Privacy Professor consultancy and cofounder of Privacy Security Brainiacs, as well as two other SaaS (software-as-a-service) businesses.
“Even before the Ukraine, we had Russian attacks against the Ukrainian government, and now we’re seeing attacks coming against the U.S. and European countries, as well as threats from cybercrime groups that have pledged to support the Russian government now publicly threatening to conduct cyberattacks against nations that are providing any type of support to Ukraine. Their goal is to digitally disrupt those countries in any way possible.” And don’t forget about China, she adds. “While it may not be in the news, China is very active right now, and they’re a little sneakier about it than Russia is.”
But the cyber bad guys are mainly concentrating on government agencies and major infrastructure and financial organizations, not event organizers, right?
That would be a no, says Herold. Even if you don’t plan events for government agencies, the military or financial companies, if you have attendees who work for a juicy cyber target, your event could be at risk. That’s because you could serve as a weak point that gives them a back door into those critical organizations, she says. Even the tchotchkes your exhibitors hand out could be a conduit for exploitation, from malware to ransomware. Or bad guys could crash your event just to get to know some folks they want to target after the event. “There’s a lot of intel that gets collected during events, including at off-site dinners and other activities held by your vendors,” Herold adds. “These are perfect places for cyber criminals to befriend someone they want to exploit later. And no one wants to have their attendees attacked with ransomware a week or two after their event.”
Prevue recently caught up with Herold to learn more about the cyber threats facing planners today — and what they can do to keep their event, and their attendees, safe from attack.
Let’s start with vendor and third-party management — what can planners do?
Herold: It’s important to lay down ground rules in the contract for what activities will be allowed. For example, many want to take advantage of the venue’s connectivity to enable QR codes, cryptocurrency use and IoT [Internet of Things] devices. Every one of those things can be a pathway for a cyberattack if proper security is not implemented ahead of time.
Ask your venue about the possible vulnerable technologies they are using — there’s a whole list of them the government has compiled. Just give the list to the venue and ask if they use any of them within their network system’s hardware and software. If they are using any of the technology on the list, ask what they are doing to ensure they are secure against these already exploited areas of vulnerability.
During the event, it’s also a good idea to have someone with training in cybersecurity on site to watch for social engineering of the kind that can lead to problems later on. I know many planners, especially now, are short-staffed and may not necessarily have someone whose sole responsibility is to address cybersecurity, but it’s a good idea to invest in having a cybersecurity expert to monitor what’s going on in the digital ecosystem and run their vulnerability testing tools on site during the event. You could even impose a vendor cybersecurity surcharge to help pay for it.
What are some of the red flags event organizers should be on the lookout for?
Herold: Cyber criminals are using what’s called “advanced persistent threat actors” to launch attacks that just keep hitting on certain types of technologies. They use a variety of tactics to send fraudulent communications that appear to come from a reputable source to steal sensitive data like credit card and login information or to install malware on the victim’s machine. One is phishing, which usually comes through email. There’s also smishing, which is phishing or social engineering using text messaging. It’s so easy now to create an attack vector through texting. People click on the links and all of a sudden, boom, they have an infection, but they don’t know it until the infection trigger goes off at some later point. There’s even vishing, which uses voicemails and calls from spoofed numbers.
Also, IoT and smart devices are becoming more popular in exhibitor booths. While it’s fun to be able to ask Alexa wacky questions, those devices also could be used to record conversations and collect information that can later be used to contact attendees without their consent or sell their data to data brokers.
Speaking of data brokers — entities don’t even have to break into your databases to collect attendee data to sell. Some just have someone hanging around the lobby collecting information from attendee badges, which they use to create databases of email addresses used by people who work at those companies. Those badges contain a lot of information these folks can use.
One idea for a great conference giveaway: The Juice Jack Defender. Any public charging station (at the airport, at hotels, even in the conference venue) could have a tiny skimmer in it, too small to even see, that could skim all the information off your phone without leaving a trace. These small devices can attach to your charging cord to keep your data from being sucked out by these little skimmers in public charging portals. I look at people lined up to use the public charging stations at airports and it’s like they’re lining up to use the same toothbrush — you should know you’re going to get infected.
What advice do you have for planners to help them improve their cybersecurity?
Herold: Be aware of potential vulnerabilities and make sure people know that encryption, multifactor authentication and other security measures are not enabled by default — everyone needs to check the security levels on all of their IoT devices, from Tiles to Echo Dots, both of which are popular, cool giveaways. [Geolocating gadgets you can affix to keys or other often-lost objects] are one of the most common ways stalkers and assaulters track down their victims.
The same goes for wayfinding apps, and apps that will provide a discount automatically for attendees, like at a nearby restaurant, for example. You need to look at the privacy and security policies first — and watch out for language in those policies that is more anti-security. These usually say, “We reserve the right to share this data with anyone we consider to be a trusted business associate or trusted business partner.” Well, that could be anybody they trust because they want their money.
Are virtual meetings any safer than in-person events when it comes to cybersecurity?
Herold: You need to take precautions there too. While things like Zoom-bombing are visually apparent, you also could have attendees sharing files that are contaminated with malware and ransomware. There could be attendees who are collecting information on other attendees or intellectual property being shared that should not be shared outside of the meeting. Planners need to make sure the platform they use is implemented properly, and with strict security settings in place. Also, whoever is admin for that meeting needs to control who can share what during the event.
Even though you want the online event to be as easy as possible, you don’t want it to be so easy that malware also is easy to spread.
For both in-person and online events, criminals are going to use what they know works because it’s easy to take advantage of people when they’re in an environment they trust. You need to make sure attendees truly can trust the environment they’re within.