It hasn’t happened… yet. “The big one.”
But it will.
It’s not a question of if it will happen, it’s only a question of when.
I’m talking about data breaches, specifically ones where the point of entry for the bad actor is the events industry.
Sure, we’ve had a few data breaches on the hotel side, but these stack up in the same vein as Target, Home Depot, or T-Mobile - huge numbers of people’s personal information being exposed, but without any real consequence for most users.
No, “the big one” will be a Fortune 500 company, most likely in finance or medical, where the entire corporate network will be accessed, including employee and client financial records, corporate secrets, future product releases, short-term and long-term strategies, succession planning - all of it.
And some piece of event technology - app, registration system, or online platform - will be “how they got in.”
How Most Event Managers Think of Digital Security
Most planners, when thinking of digital security, think of it as someone else’s responsibility, such as the IT folks down the hall. Or maybe the vendor providing the software. “Look here! This one’s got ‘military-grade’ encryption!”
But the fact is that we all need to start taking responsibility for our attendees’ data before we let “the big one” happen.
Attendee Data as a Data Security Risk Goldmine
Even pre-pandemic, attendee data was already a potential gold mine for evildoers, especially the data contained in reservation and registration systems.
Think about it:
- phone numbers
- job titles
- assistant names
- arrival and departure times
- flight numbers and transportation reservations
- hotel reservations
Maybe even spouse and children names, if they’re coming along for the ride so an exec can extend their trip for a little R&R with the fam.
You see, it’s not your or your attendees’ credit card information that is the “crown jewels” of data, it’s all the rest of it. If a bad actor gets access to your registration system and access to all of the data listed above, it would be trivial for them to generate an incredibly authentic-looking email out of it, and send it to executives at the company.
“Dear Ms. Jones,
We’re looking forward to hosting you in Orlando this week! We currently have you coming in on Delta flight DL2712 and arriving at 2:44 PM. We have a car scheduled to pick you up, and will be waiting for you in baggage claim.
To confirm this information is correct, please CLICK HERE. See you at the 2022 Versatosity Conference!”
Click. Boom. Hacked.
That was just with our pre-pandemic data.
Data Security Risks Have Increased With Pandemic Event Tech Tracking and Data Integrations
During the pandemic, the field of event technology leaped ahead about ten years from where it would otherwise have been. Planners were suddenly completely immersed in a world of attendee tracking and data integrations (it would be interesting to compare the number of event professionals who knew what an API was before and after 2020).
The benefits were huge: unprecedented insight into attendees’ preferences regarding educational content and keynote speakers, exactly when they logged in and logged out, how many people they networked with and with whom. Sales and marketing pushed for the ability to integrate with their sales databases, and as groups returned to in-person, those that “got it” sought to find similar layers of data with their in-person audiences through RFID and other tracking and scanning technology, and a renewed interest in networking, audience engagement, and other event technology.
And all of it is creating more and more data, spread across more and more platforms.
So what can we do to protect it?
4 Ways to limit your event data risk
It’s actually pretty simple, and here are four things you can start doing right away to limit your risk:
Step one: Only take the data you need.
The less data you have, the less data you have to secure. One of the fundamental tenets of GDPR is that you have to not only tell people what data you’re collecting, but what you plan on using it for.
This, in theory, prevents people from just hoovering up as much data as possible, keeping it forever, and then figuring out what to do with it later. Instead, you should work with your stakeholders to figure out what data is necessary to put on the event itself, what data will need to be analyzed and for what reasons, and how long it should be kept before it is deleted.
And then… delete it.
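As an added illustration of this step (example code written for this article, not from the original post or any registration vendor), here is a small retention routine that turns the policy above into something you can actually run over an export of your registration data. The field names, the 90-day analytics window and the sample records are constructed assumptions; the point is that every field has a declared purpose, logistics data is purged as soon as the event is over, and the whole record goes away once the analysis window closes.

```python
from datetime import date, timedelta

# Every field we collect must have a declared purpose (GDPR purpose limitation).
# Fields only needed to run the event are purged right after it; analytics fields
# survive for a limited window; anything else should not be collected at all.
FIELD_PURPOSES = {
    "name": "identify the attendee on site",
    "email": "send confirmations and post-event survey",
    "phone": "contact attendee during event (logistics)",
    "flight": "arrange airport pickup (logistics)",
    "hotel": "confirm room block (logistics)",
    "assistant": "coordinate schedule changes (logistics)",
    "sessions_attended": "content analysis for next year's program",
    "event_date": "drive retention decisions",
}
LOGISTICS_FIELDS = {"phone", "flight", "hotel", "assistant"}


def unjustified_fields(requested_fields):
    """Return the fields a form asks for that have no declared purpose.
    Use this when reviewing a new registration form or app integration."""
    return sorted(f for f in requested_fields if f not in FIELD_PURPOSES)


def retention_action(record, today, analytics_retention_days=90):
    """Decide what to do with one record on a given day."""
    event_day = date.fromisoformat(record["event_date"])
    if today <= event_day:
        return "keep"                 # event still running: everything is needed
    if today <= event_day + timedelta(days=analytics_retention_days):
        return "purge_logistics"      # event over: travel/contact details go now
    return "delete"                   # analysis window closed: drop the record


def apply_retention(records, today, analytics_retention_days=90):
    """Return the records that survive, with logistics fields stripped where due."""
    survivors = []
    for rec in records:
        action = retention_action(rec, today, analytics_retention_days)
        if action == "keep":
            survivors.append(dict(rec))
        elif action == "purge_logistics":
            survivors.append({k: v for k, v in rec.items() if k not in LOGISTICS_FIELDS})
        # action == "delete": the record is intentionally not carried forward
    return survivors


# Constructed sample records (not real attendees).
SAMPLE_REGISTRATIONS = [
    {"name": "A. Jones", "email": "ajones@example.com", "phone": "+1-555-0100",
     "flight": "XX1234", "hotel": "Conference Hotel", "assistant": "B. Smith",
     "sessions_attended": ["Keynote", "Data Basics"], "event_date": "2022-05-10"},
    {"name": "C. Lee", "email": "clee@example.com", "phone": "+1-555-0101",
     "flight": "XX5678", "hotel": "Conference Hotel", "assistant": "",
     "sessions_attended": ["Keynote"], "event_date": "2022-09-20"},
]

if __name__ == "__main__":
    # Reviewing a hypothetical new form that also asks for children's names.
    print("unjustified:", unjustified_fields(["name", "email", "children_names"]))
    for today in (date(2022, 5, 1), date(2022, 6, 1), date(2022, 12, 1)):
        kept = apply_retention(SAMPLE_REGISTRATIONS, today)
        print(today, [sorted(r.keys()) for r in kept])
```

Run it against an export on a schedule (nightly is plenty) and feed the `unjustified_fields` check into your review of any new form or integration; a field nobody can name a purpose for is a field you should not be collecting.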
Step two: Integrate with caution.
Most of the time when internal IT groups are saying, “No” to you when you bring the latest and greatest event engagement app to the table, it’s because they want to limit access to data and the corporate network.
The more apps and online services you bring into your event stack, the more attendee information usually needs to be shared between them, and the more potential avenues there are to exfiltrate data.
If one of those services gets hacked, it might be a way into your network, so be sure to vet all companies carefully, and maybe try them out on smaller events with fewer attendees to reduce risk until you (and IT) are comfortable.
Step 3: Control access.
Along the same lines, you want to make sure you only share the data with people who really need it, and guard access to it like it was the crown jewels.
I can’t count the number of times I’ve been standing at a registration counter and seen the username and password for the registration system on a sticky note next to the worker’s laptop.
Even more often, the number of times I was handed PowerPoints with top-secret internal-only presentations, but that’s a topic for another day.
Suffice it to say that we need to do a better job of only granting access to those that really need access.
One of the best ways to do that is to use a password manager, which can help on a lot of levels.
First, they encourage the use of single-use passwords. Most people who just “remember” all their passwords have a tendency to re-use them, but password managers encourage you to use randomly generated passwords since you don’t have to remember them.
You might think you’re clever, but unfortunately, you’re not the first to set a password to “monkey123”, not by a long shot, and the first thing that criminals do when they get hold of a password list is to try those passwords on all banking sites, Microsoft, Google, Apple, Amazon, etc.
Zoom and Cvent went from being niche players, well-known and “big fish” in their respective ponds but not by any means household names, to being, well... household names. As a result, they’ve been added to the list of places to try these types of password attacks.
All the more reason to keep those passwords unique and safe.
Secondly, most password managers allow you to share passwords with other people without them even seeing the password, and then revoke and change the password easily when the job is done.
Step 4: Consider getting help.
If you’re ever concerned about the safety of your attendees’ data, don’t be afraid to say something. If your organization has an IT department, give them a call and get their take.
Talk with your vendors about their security procedures, and ask who has access to your data on their platforms. Some have very limited access, others have “God mode” and can see everything, and as any comic book fan knows, “With great power comes great responsibility.”
If you don’t have an IT department, then it’s even more important that you follow the rules laid out above. Depending on the size of your organization, you might want to consider bringing in an outside security consultant to do a little poking around and see how easy it is to get at it.
Whatever you do, it’s important to realize how precious our attendees’ data is, and that it’s all our responsibility to protect it, not just the folks down the hall or the military-grade encryption.
Don’t let your event be the open back door that lets the bad guys in.
Don’t be the one responsible for “the big one.”
Brandt Krueger is one of Nifty Method's favorite guest authors and speakers. Find out more and hire him at https://www.brandtkrueger.com/ or drop by on Fridays for Event Tech Chat.