Four tech experts explain why event profs need to protect themselves against cyber attacks, sooner rather than later.
When it comes to cyber security, there are no absolutes.
“Security is a line,” Simon Clayton, chief ideas officer at RefTech, tells EN. “At one end you’ve got a machine that’s really easy to access, on the internet permanently and has no password: accessible but not secure.
“At the other end of the scale you’ve got a computer that’s not connected to anything, has no power and a flat battery and is buried in concrete: secure but not accessible.
“Security is finding your happy point along that line.”
Over the past several years, a number of high-profile hacks have made headlines in the UK and internationally. In October 2015, a massive cyber attack against internet provider TalkTalk saw 157,000 customers’ details stolen, costing the company an estimated £60m.
Another data breach saw the personal information of around 32m users of infidelity dating site Ashley Madison stolen and published online.
With these large-scale attacks causing such chaos, event organisers may well be wondering what more can be done to protect the information of their visitors and exhibitors.
The good news (or perhaps the bad news) is that a huge number of data breaches are the result of human error.
In early 2016, Google teamed up with the Universities of Michigan and Illinois to conduct a cyber security experiment, which posed a simple question: would users plug in a USB drive they found in the street?
The answer, at least 48 per cent of the time, was yes.
“Most data breaches come from mundane, stupid stuff,” says Clayton. “In 2003 there was a study that asked commuters at London Waterloo to reveal their network password in exchange for a free pen. Not even an expensive pen. Ninety per cent revealed their password.”
While this does mean that no matter how much a business spends it cannot completely guarantee security, it also means that there are some simple and inexpensive steps organisers can take to make their data safer.
“Passwords are one of the most common weaknesses that people don’t take seriously enough,” says David Chalmers, senior marketing director, Europe, at Cvent. “Strong password formats should be enforced, with regular expiry and updates.
“They should never be shared or stored publicly, and if you do use shared accounts always remember to deactivate accounts for users who leave your company or change roles.”
Sharing information between large groups, emailing (rather than sharing) important spreadsheets and transporting information on unencrypted machines are also behaviours that are best avoided when it comes to cyber security.
“Emailing a spreadsheet of personal data is possibly the worst thing that you could do, and it happens all day every day,” says Clayton.
The types of attack a website or business can experience are incredibly varied, ranging from amateurish spam to sophisticated and specifically targeted acts of sabotage or theft.
One common type of attack, which almost everyone with an email address will have experienced, is ‘phishing’. Phishing frequently takes the form of a malicious email masquerading, or attempting to masquerade, as a trusted source.
This could be anything from a foreign prince looking to share his vast fortune to a seemingly mundane email from a local bank.
One particularly stomach-churning example has taken advantage of the Syrian refugee crisis to try and trick well-meaning internet users out of their hard-earned cash.
“Phishing can also come in the form of a fake web page asking you to provide your login and password,” adds Chalmers. “Any reliable software company will never ask you to do this in any of these ways. Your event webpage can be copied and used for phishing, so watch out for that.”
Event organisers should also pay attention to what happens to the data collected from visitors and exhibitors, adds digital law specialist Heather Burns.
“No one is a happy bunny when they register for an event and start getting spammed off the exhibitors,” she says.
Organisers should be clear on their event registration page about what will happen to the data that is being collected.
“Is the data being passed to third parties?” asks Burns. “Is it being transferred overseas?”
Hold it ransom
Another common type of attack is ransomware, which commonly attacks private businesses but has also made headlines internationally for targeting police forces and universities.
“Ransomware is the fastest growing malware in the world at the moment,” explains Clayton.
“You accidentally open an email attachment that you shouldn’t, it encrypts your entire hard drive, and then says if you want it back then you need to pay this ransom. They’re making millions of dollars.”
Certain events can be subject to attack because of particular people speaking at or even just attending them.
“Tech events have been targeted and hacked, the G20 was targeted and their attendees were revealed, a high profile security conference was hacked,” says Clayton. “There are different pockets of problems.”
The worlds of tech and gaming in particular have been embroiled in an ongoing controversy, known as Gamergate, since August 2014. Gamergate saw several high-profile female figures in the gaming industry intimidated and targeted, and some of that intimidation continues to this day.
“There’s a woman who is central to that, and it’s got to the point where bomb threats have been called into schools where she has been speaking,” explains Burns. “But that is an extreme case, it’s not something that the average event organiser will have to deal with.”
“The event you are undertaking should relate to the security planning you undertake in the cyber arena just as in the physical world,” adds Kieron Garlic, MD of Present Communications.
“The potential rewards for a hacker vary according to the nature of an event, from corporate jeopardy, the accessing of confidential information or even state sponsored attacks.”
On 25 May 2018, a new data protection regulation will take effect, one with significant and far-reaching implications for event organisers in the UK.
“Many organisers are completely oblivious to the fact that they have not only a moral but a legal responsibility. It’s really scary,” continues Burns. “The new regulations have teeth. There are penalty fines and all sorts.
“We never like to scaremonger people, but it’s actually really good in the lead up to 2018 for people to be a little bit scared. It’s going to make everyone sit up and get to grips with it. We are telling people to start now. Data protection is about on-going business processes, this isn’t a tick box exercise you can slot together the week before it takes effect.”
The rise of the Internet of Things (IoT), adds Garlic, could also prompt a sea change in cyber security.
“As every light bulb, speaker and microphone becomes a network connected device, there is much more to do to protect from a cyber-attack that could terminate your event and ruin a reputation,” he says.
Whatever the future holds for cyber security, event profs need to be prepared for the huge impact that it will have on businesses in the EU. Even Brexit won’t prevent UK businesses from being subject to the new regulations set to take effect in 2018.
“In order to continue doing business with Europe, the UK will have to prove that it has a data protective regime that is equal to the EU’s regime,” explains Burns.
“If it’s not adequate then we can’t do business with them. Brexit is irrelevant.”