When news broke in September that the credit-reporting firm Equifax was hacked, compromising the personal data of 143 million people, it was a wake-up call for everyone. Individuals and companies started to implement long-overdue steps to protect their data and identities.
But many meeting planners still haven’t gotten the message, according to cyber security experts.
“The meetings industry is not taking this seriously at all,” said Sean Donahoo, CEO of Disruptive Solutions, a provider of cyber security solutions for the meetings and events industry. “It kills me; I see how things are done, and all of the planning that goes into events. Everything is planned for down to a T, except this part; and it’s maybe the most important part, if you look at it from a reputation standpoint.”
He added that hackers could be looking for data to use or sell in another hack, or in a spear fishing campaign. They might be getting data for credentials to use to move money around or access a network, or it could simply be a practice test.
Research bears out this potential threat. A 2017 report from the Ponemon Institute and IBM found that the average total cost of a data breach is $3.62 million, and there is a 26.2 percent chance of a recurring data breach in the two years after a breach.
Nearly every major industry has been hit in some way with an attack within their secure network, so it’s logical that the threat extends to a less secure environment, like a meeting or a conference.
There is no data on how widespread hacking is in meetings and events, because planners and venue managers are hesitant to discuss it publicly, but that doesn’t mean breaches aren’t happening. In fact, it can take months or even years for an organization to discover it has been hacked.
“I probably get a call a month or more from [a planner] who has had a meeting breached, or one of their attendees was breached, which happens as much if not more, and that’s where the huge liabilities come up,” said John Sileo, CEO of the Sileo Group, which conducts cyber security training for organizations including the U.S. Department of Defense.
WHAT ARE HACKERS LOOKING TO EXPLOIT?
Planners and event managers need to start having tough conversations about cyber security.
According to Sileo and other experts interviewed by Skift, there are numerous reasons to hack a meeting – from identity theft to corporate espionage; social activism to practice hacks – and no one is immune.
“Often this is about corporate espionage or corporate ransom,” said Sileo.
Let’s say there’s a conference for the federation of employee benefit plans. Managers of the plans have social security numbers, credit card numbers, and retirement account information on employees for 5,000 of the largest companies in the US.
“It’s a concentration of data that you just can’t get elsewhere else. If I want to know how the employee benefit world runs, that’s where I go to steal the data,” said Sileo.
Next on the list is the venue. Donahoo explained that a location can be a soft target due to weak security (physical and digital networks), or the venue itself may be the target for reasons unrelated to your event.
Finally, there is the keynote speaker. A big name can be a big draw for a conference, but it can also be a risk.
“There are people who carry a message that people want to suppress; former public officials, civil servants, military generals,” said Donahoo. “Somewhere along the line they’ve done something to upset someone.”
HOW HACKERS WIN
The easiest way to get at data is through Wi-Fi, either by hacking the system or simply setting up a hotspot with an official sounding name. When searching for the local Wi-Fi, people see the name and assume it’s connected to the event, and sign on. But even the official Wi-Fi is not secure, according to experts.
“When hotels call their Wi-Fi secure, it’s the biggest laugh in the world,” said James Spellos, president of Meeting U, which specializes in training for technology and meeting planning applications. “The real danger is when planners aren’t aware of how phones and devices can be penetrated.”
He recommends a multifaceted approach to safety.
First, planners and their staff need to have good anti-virus software installed on all devices, and make it active.
Step two is to install anti-malware; Spellos said malware is a bigger issue than viruses. Next, planners need to encrypt all information associated with the event, but even that’s not full proof.
“While the planner can make sure it’s encrypted, if I’m at a coffee shop and I’m registering for a conference, a lone hacker can still be sucking all the info being sent on the Wi-Fi,” said Spellos.
He, and all the experts who spoke to Skift, said individuals need to get a virtual private network (VPN) installed on their mobile devices and keep it running. They also advise using password managers. Choosing the right software or system can be daunting, and there are a lot of Trojan horses out there.
“Use what your colleagues are using,” said Spellos. “Talk to people and get guidance. If you have something pre-installed, don’t try to change it. If you are using a company-owned device, don’t play around with it; let [your information technology deparment] handle it.”
A FALSE SENSE OF SECURITY
The next time you’re at a conference, go to a meeting you’re not a part of and see if anyone stops you. There might be a badge checker at the door, but how closely are they scrutinizing your badge?
Chances are, if you are nicely dressed you’ll sail right past the gatekeepers. Thieves know this, and use it. So while your attendees’ digital identities might be locked down, their information and property are still vulnerable to real-world theft.
The night before presenting at a conference, Sileo checks out the room where he is to speak, and often walks across the hall to what he calls the ‘war room’: the planner’s command center.
“I can’t tell you the number of times I can get in,” said Sileo. “And there are their laptops, their manifests, and the badges. It’s just rampant but we don’t hear about it.”
The next day, he visits meeting rooms while attendees are out at lunch. He was recently speaking at an event with 5,000 people, and touched 220 devices left unattended. When he gave his presentation he asked if anyone saw him. No one had noticed.
“They go in, they put down their gear to get a coffee, and people steal [them] at every meeting,” Sileo told Skift. Agents can also sneak into conferences and take photos of laptop screens, grabbing sensitive data with their smartphone.
The experts who spoke to Skift agreed universally that meeting planners aren’t doing enough.
“Unfortunately that’s how we work in our society, we need a big slap in the face before we take something seriously,” said Donahoo, “and even then, our memories are short.”