There have been increasing concerns voiced in the media about how Russia may retaliate against sanctions imposed by the U.S. and other NATO countries in response to the Ukraine invasion by encouraging and/or sponsoring cyberattacks against entities in those countries, especially those related to infrastructure and financial organizations. Are the U.S. and other NATO countries at an enhanced risk for Russian-based cyberattacks now compared to before the recent Russian invasion of Ukraine? And, closer to home, are event organizers are at an enhanced risk for cyberattacks now compared to before the recent aggression?

To find out more about today’s event cybersecurity landscape, MeetingMentor tapped into the expertise of Corbin Ball, CSP, CMP, DES, MS,  an international speaker, consultant and writer about all things related to technology; and MM’s technology columnist Brandt Krueger, a technical producer, educator, speaker and consultant for the meeting and events industry.

Is Russia a Threat for Event Cybersecurity?

Ball said, “Russia is trying to hack Ukrainian infrastructure including the electric grid but has not been very successful. With the rest of the world against them, there is likely lots of work being done by governments, the private sector and individual hackers to counter their initiatives. The U.S. government alone has very sophisticated tools and, although they are not publicly disclosing efforts, my guess is they are working quite hard on this.”

He added, “Anywhere there are databases with personal information, especially financially sensitive information, is a target,” Ball said. “The SolarWinds hack in late 2020, the network-monitoring software used by the Pentagon, nuclear labs, intelligence agencies, and many Fortune 500 companies was significant and still being sorted out. Financial institutions have been hit hard in past years, major retail groups such as Target, MGM’s database of 10.6 million users, Sony, Marriott’s database of 5.2 million, Facebook’s database of 533 million user records, Amazon’s vendor database to name a few.

“Many meeting and event organizers may not be the highest on the target list, as many companies and associations are smaller. The larger the database, the more tempting the target.”

But that doesn’t mean event organizers should let down their guard. In fact, said Ball, “Hackers, in general, are becoming more numerous and more sophisticated in their capabilities.  Planners, event hosts and attendees should definitely be on guard.”

Yes, Cybersecurity Is a Planner Problem

While it may be easy for planners to think that someone else — IT? Online event platform and registration vendors? — is on top of keeping their event cyber secure, it’s up to planners to ensure they aren’t opening up a potential threat vector by, say, leaving the registration platform password on a sticky note at the reg desk.

“The types of data event planners are responsible for is incredibly personal, especially now that we’re returning to in-person events,” said Krueger. “We’re talking about names, addresses, email addresses, flight times, hotel booking and car rental reservations, spouse names, personal cellphone numbers — we have tremendously valuable information just in our registration systems.” And, he added, cyber bad guys also could want to use our information not just to hack the event organizer, but as a side door to gather the information they need to attack attendees who may represent even juicier targets. Think about the Home Depot breach, where hackers got in via the point-of-sale system, and Target, where the bad guys got in via an HVAC supplier that was working on their system. “We’re the side-door access where they can get some important and personal information about our customers,” Krueger said.

But what about the General Data Protection Rule (GDPR) — didn’t all the backflips through hoops everyone did to comply with GDPR make data more secure? Not really, said Krueger. “GDPR doesn’t require you to have a good password on your registration platform. You can be 100% GDPR-compliant, but if your password is 123, it’s not going to help.” However, added Ball, “GDPR compliance is also desirable (and mandatory if anyone in your database is from Europe) for privacy protection.”

So What’s a Planner to Do?

• Use a password manager. Krueger said, “If they have your username and password, hackers will immediately try to use them against all the major banks and big players — now including Zoom. If you’re reusing your passwords, they’re in.” In the case of Zoom, they can send an email saying, ‘We see you’re registered for this Zoom event, click here to confirm your reservation.’ Of course, that link doesn’t take you to registration, it takes you somewhere that downloads malware onto your computer. Since no one can remember thousands of unique passwords, a secure password manager is essential. It also enables you to share passwords with other staffers and volunteers without them actually seeing what the password is since it autofills — eliminating the need for that highly unsecure sticky note.

• Use multi-factor authentication protocols. While authenticators that text a code you need to enter are better than nothing, they still can be spoofed. That’s why Kruger prefers using an authenticator app that generates a code you can log in with.

• Put a password on your event Wi-Fi. “If you hit anything other than an actual operating system asking you for a password, say a splash screen for the hotel or event, it’s not secure,” said Krueger. “Put in a password. Even if it’s just ‘123456’ and you print it on every piece of paper in the hotel, it’s still more secure than not having any password at all because it turns on the network’s encryption. This means that nobody just driving by can pick up what’s going on on that network.”

• Practice good cyber hygiene on the production side as well. “There’s a lot of sensitive company information on all those USB keys filled with PowerPoints and Excel spreadsheets meant for internal purposes that someone could just slide into their pocket and sell to the highest bidder,” said Krueger. “That’s a whole other attack vector.”

Ball had a few more suggestions to add to the list:

• Keep firewalls and antivirus protection up to date.

• Keep PC and mobile software up to date.

• Carefully limit staff having access to personal data.

• Ensure proper encryption protocols from your event tech vendors.

• Educate your staff and yourself on phishing scams (there are many free online sources for this).

• Don’t click on attachments or even a link unless you are certain they are not from a hacker – even from someone you know (some hackers can pose as someone you know using spoofing software) . If it doesn’t seem right, don’t click before verifying.

• Use encrypted weblinks only (especially for financial transactions).

“Make sure that your event software/AMS is PCI and ISO compliant, especially any that handle personal and financial data,” he added.

“The event industry (especially event tech providers) has come a long way in the past few years,” said Ball. “I think if everyone follows these basic precautions, hacking dangers would be substantially reduced. Much of this depends on individual education.”

Among the available resources for more information he recommended are:

EIC Industry Insights: Internet Access and Cybersecurity

EIC Industry Insights: Poach and Piracy

MCI: Cybersecurity in the Events Industry