Do you know just how vulnerable your meetings, and your attendees, are to being hacked by a cyber criminal? Here’s a sobering thought: The Black Hat USA convention, which gathered hackers from around the world to perfect their craft in Las Vegas this summer, itself got hacked when attendees set up a fake website that mimicked the conference’s own app.
While a hacker convention is perhaps begging to be hacked—and well prepared to fend off attacks when they occur—your event may be a more tantalizing cyber crime prospect than you think. After all, your registration list alone is a rich pool of names and email addresses ripe for a phishing expedition.
Unfortunately, protecting your data and your attendees is getting more difficult as hackers have gotten more sophisticated. Where once a hacker may have resembled the stereotypical 15-year-old in his parents’ basement looking to make a little mischief, today’s “black hats” are professional criminals who spend eight hours a day or more looking for vulnerabilities, said MaryAnne Bobrow, CAE, CMP, CMM, president of Bobrow Associates, at a session she co-led with Jonathan Howe, Esq., founding partner and president of Howe and Hutton, Ltd., at the American Society for Association Executives Annual Meeting in August. And their tools are equally sophisticated: Think port scanners, vulnerability checkers, password crackers, denial-of-service attackers, tools to hack passwords from wireless networks, and tools to launch brute-force attacks against Wi-Fi–protected setups to snag Wi-Fi–protected access passkeys, she said.
Here’s what you need to know to keep your attendees’, and your organization’s, data secure.
1. Who and What Can Put You at Risk?
“Anything that attaches to your computer can do you harm,” said Bobrow. So those flashdrives that your speakers want to plug into your system—what assurances do you have that they aren’t infected? Mobile apps are popular hacker targets—how secure is your meeting app? All it takes is one attendee to pass along your meeting’s Wi-Fi password to make it insecure—what measures do you have in place to make sure it stays secure?
One audience member shared that he only became aware that he was hacked after he got a call from a bank that wanted him to OK a wire transfer while he was on site. He had no idea what the bank was talking about and looked into the situation. It turns out that hackers had created a website that mimicked his organization’s, spoofed his email, and sent an email purportedly from him authorizing the wire transfer to his financial officer.
If you allow staff to bring their work computers home, or use their personal devices at work, you need to train them on cybersecurity policies and procedures that prohibit things like downloading unapproved apps and software programs, said Howe.
You first need to figure out which information you need to protect, then identify potential threats. Know how your data is stored, who has access to that data, and how that data is protected, said Howe and Bobrow.
2. What Do You Need to Protect?
If your organization accepts credit-card payments and stores, processes, or transmits cardholder data, you need to ensure that you are compliant with the Payment Card Industry Data Security Standard, said Howe and Bobrow. While the best solution may be to store your data on a PCI-compliant hosting provider, you can still be PCI compliant using paper forms—but there are steps you have to take. Bobrow added that those who use an association management system that encrypts data off your site should be safe, but do check to be sure that it is compliant.
You also need to protect the confidentiality of your attendees’ personally identifiable information. Do you allow vendors access to your member and exhibitor lists? Do you ask your attendees’ permission to use their data before the fact? “You have to worry about getting permission before the fact, because there’s not much forgiveness afterward,” Howe noted. He added that a California court has said that the more you can give people the opportunity to read the terms and conditions, the better, which is why you see more “click to accept these terms and conditions” boxes up front nowadays, rather than buried in an appendix.
Also, consider purchasing insurance that covers cyber losses. “Data breaches can cause small associations to go bankrupt,” said Bobrow. Weigh the costs of cyber insurance against the cost of a data breach. According to a Ponemon Institute Research Report relased in June 2016, which focused on cybersecurity issues in 383 companies in 12 countries, the average total cost of a data breach is $4 million, or an average of $158 per lost or stolen record. And the cost is rising, up an average of 29 percent since 2013.
3. What Do You Do if a Breach Occurs?
Forewarned is forearmed, said the presenters. Before you face your first attack, know what your mission-critical needs are. Would you be hobbled if your website went down? What if your staff emails go haywire? What if a cyber criminal steals your attendee database and starts a phishing campaign masquerading as your organization?
Develop and update regularly an action plan to combat potential breaches. Make sure you have the right technology and services in place, and that you have people authorized to monitor the network. Make sure everyone involved understands cyber-crime management, including your legal council, and that your organizational policies align with your cyber-response plan.
Developing a communications plan also is a key preparatory step. It should include using social media to get the message out. You can choose to have a straightforward message—along the lines of, “We are currently under cyber attack and our website is experiencing issues”—or couch it in more conservative terms, such as, “High traffic is causing online and mobile issues,” said Howe and Bobrow.
While the attack is happening, conduct an initial assessment, shut down affected systems, and put your communication plan in play to let attendees know what’s going on—do whatever you can to minimize the damage until you can plug the breach. And document everything that happens.
Once it’s over, do not use the compromised equipment—and don’t get complacent, thinking cyber-lightning won’t strike twice. In fact, the presenters said, hackers often return to the scene of previously successful hacks.
Here are more details on how you can protect your meeting from cyber threats, including six best cybersecurity practices.