If information security at your meetings isn’t near the top of your list of things to worry about, it should be. Just ask the experts. Whether it’s a competitor trying to get the inside track on your company’s business plans or a hacker trying to grab your attendees’ credit card data, dangers are all around.
Let’s start with the physical security of your data. John Sileo, CEO of Sileo.com, is a keynote speaker on cyber security who has tested the system to determine just how easy it is for someone to gain access to the information they’re after. “I’ve personally been able to talk my way into more than 20 hotel rooms that weren’t mine (telling the maid I forgot my key), and have attended conferences for which I had no badge. At over 1,000 talks in conference rooms, I have picked up purses, tablets, phones and laptops more than 10,000 times without more than a handful of people (ever) noticing. In 1,000 conferences, I’ve probably been caught five times.”
Sileo’s experience underscores the importance of reminding attendees to keep closer tabs on their electronics. It also leads to a couple of other questions: Just how easy would it be for one of your competitors to slip into your general session or a breakout session? Is anyone checking badges at the door? If it’s a large meeting, the attendees won’t all know each other, so a stranger could just blend right in.
He shares another alarming story about information security. “I’ve also been at conferences where the registration desk was left unattended and the entire set of laptops and printers was taken.”
Arturo Perez-Reyes, cyber, privacy and E&O practice leader for the insurance brokerage firm Hub International, has seen similar criminal activity. “I’ve been to two places where the speaker turned around and somebody stole their computer.” He explains why this situation is so tempting for hackers and those engaged in corporate espionage. “If the person who is speaking is someone like the CFO of (a major technology company), you definitely want their computer, especially if it’s on. If it’s off, you have to know the password. If it’s on, they’ve already logged on.” In other words, that makes it very easy for the thief to steal whatever confidential data is stored on the laptop.
Sileo offers this advice. “Don’t leave your computer unattended on the lectern, in the seating area, in the green room, in the registration area or in your hotel room. All of those areas are very common places where mobile devices are stolen during conferences. If you have to leave devices or files in your hotel room, hang the privacy sign on the door and call housekeeping to let them know that you don’t want to be bothered.”
In a blog post that Sileo wrote on information security tips for meeting planners, he states that almost 50 percent of serious corporate data theft occurs because a laptop computer is stolen. He recommends, “In addition to the standard forms of protection (passwords, encryption, anti-virus, etc.), carry as little data on your laptop as possible. Identity thieves target business travelers because they are generally rushed, distracted and carrying valuable data.”
Depending on the value of the information being presented at the meeting, it may be worthwhile to hire private security to protect data confidentiality. U.S. Security Associates, a security solutions firm based in Roswell, Georgia, offered the following suggestions in its “Threatscapes Risk Intelligence” newsletter:
“At events where participants are privy to sensitive information, security must work on the assumption that adversarial competitors are motivated to compromise the confidentiality of the meeting. Security agents are guarding not against the actions of the many but the determined few.”
The newsletter article goes on to explain, “Security agents for these events should be chosen with utmost care, because those with experience are more likely to know what to look for. People who are too curious, ask questions or try to cozy up to attendees and strike up conversations — these are just a few examples of behaviors that raise flags. Every security agent must remain alert for individuals behaving in suspect ways and intervene respectfully.”
According to the company, protecting data security requires a team effort. “To ensure that proprietary and confidential information is not compromised, security must establish liaison not only with hotel security but also with housekeeping and banquet staff, to coordinate daily room sweeps to capture and properly secure or dispose of potentially sensitive materials left behind by attendees. Plans also should be established to secure confidential information if there is an evacuation.”
U.S. Security Associates also addresses the use of recording devices. “Security staff may need to conduct sweeps of areas where recording devices might be hidden, and policies may need to be established regarding usage of personal electronic devices for recording purposes.”
Scott Schober, president/CEO/cyber security expert for Berkeley Varitronics Systems based in Metuchen, New Jersey, explains, “One of the big concerns with corporate meetings is somebody listening in. Sometimes it’s the bad guy, sometimes it’s the competitive company looking for the edge or to see what the next product is coming out or what you’re discussing in the boardroom. (Companies are) very paranoid of bugs being planted.” He describes just how easy that is to do. “In many cases, what they’re doing is buying these cheap smartphones. You can get them prepaid so it can’t track back to anyone. You load an application on it. You take a piece of duct tape and you duct tape it underneath the table. You do it the night before the meeting or when the cleaning staff comes in. Then, remotely, when it’s 1:00 and the meeting is about to start, they can turn on the application and listen in with the microphone and transmit the whole conversation.”
He explains why this cheap, easy trick works. “If they pick the phone up and look at it and say, ‘Hey, who put this here?’ Guess what? It’s wiped clean. There are no fingerprints, there’s no traceability, because it was paid for in cash at 7-11. It’s a prepaid throwaway so nobody cares about it. It’s a simple way to kind of be a spy without getting into the spy business and finding microbugs to hide.”
All three experts we interviewed warned about the dangers of using unsecured Wi-Fi connections. “Be careful of the free Wi-Fi hot spots,” Sileo says. “If you aren’t logging in to them with a unique password and username, almost any cybercriminal can be sniffing what you send over the wire, including emails, account logins, intellectual property, etc.”
That advice also applies to the free airport Wi-Fi service attendees may elect to use on their way to and from the meeting. “When you go to an airport, you see the hot spots pop up, the free Wi-Fi that we all know is very dangerous. You should never click on those because you can get redirected,” Schober explains.
Perez-Reyes elaborates on the dangers. “What people will do is go to an airport or a hotel and they’ll create a hot spot. It will say something like ‘Free Ronald Reagan Airport Wi-Fi’ and it isn’t Ronald Reagan Airport. It’s basically a hacker who has attached his or her hot spot and all of the data goes through that hot spot. It’s ludicrous how many people are doing that. The last time I was in Ronald Reagan Airport, I counted five of these fake hot spots. When I was in the Mexico City airport about a year ago, I counted 20. It’s really hard to distinguish who the authentic hot spot is because there are just so many impersonators. So basically, if you see an unlocked Wi-Fi anywhere, you should be suspicious.” He adds, “It’s easy for people in public spaces to just harvest everything everybody’s doing.”
So, what can planners do to ensure that a Wi-Fi connection is secure in the meeting room? Schober says, “They should ask (the hotel), what is the SSID? Do they have encryption in place and what level? Usually, WPA2 is pretty good encryption. Typically, when you ask somebody at a hotel, ‘How do I know it’s secure?’ they’ll say, ‘Don’t worry, it’s really secure,’ and they have no clue. You’ve got to be careful. Most hotels will have multiple access points. You can ask, ‘We would like to make sure this is a confidential meeting. We’d like to have a dedicated access point that we know the password for that we can access just for our group.’ ”
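A pre-meeting check that follows the advice above on impersonating hot spots and on confirming the SSID, the encryption level and the dedicated access point, written as an added example (not the article’s or the experts’ own material): it reads a Wi-Fi scan in the terse listing format of Linux’s nmcli and flags open networks, a name broadcast both with and without encryption, and any access point using the group’s name that the venue did not declare. The sample scan, the expected SSID and the expected access-point addresses are constructed values.

```python
"""Audit a Wi-Fi scan listing before anyone joins the meeting network.

Added example, not from the article. Input mirrors the terse output of
`nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi` on Linux, where a colon
inside a value is escaped with a backslash. The scan below is constructed.
"""
import re
from collections import defaultdict

SAMPLE_SCAN = r"""
Hotel-Guest:AA\:BB\:CC\:00\:00\:01:WPA2:78
Hotel-Guest:AA\:BB\:CC\:00\:00\:02:WPA2:70
Hotel-Guest:DE\:AD\:BE\:EF\:00\:03::61
Free Airport Wi-Fi:DE\:AD\:BE\:EF\:00\:04::80
Acme-Boardroom:AA\:BB\:CC\:00\:00\:05:WPA2:90
"""
# What the venue told the planner about the group's dedicated access point
# (constructed values; in practice they come from the hotel's IT contact).
EXPECTED_SSID = "Acme-Boardroom"
EXPECTED_BSSIDS = {"AA:BB:CC:00:00:05"}
STRONG = {"WPA2", "WPA3"}


def parse_scan(text):
    """Return (ssid, bssid, security) tuples from nmcli-style lines."""
    nets = []
    for line in text.strip().splitlines():
        fields = [f.replace(r"\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) >= 4:  # skip malformed lines rather than guess
            nets.append((fields[0], fields[1], fields[2].strip()))
    return nets


def audit(nets, expected_ssid=EXPECTED_SSID, expected_bssids=EXPECTED_BSSIDS):
    """Return warnings; an empty list means the air matches what the venue said."""
    warnings, by_ssid = [], defaultdict(list)
    for ssid, bssid, security in nets:
        by_ssid[ssid].append((bssid, security))
    for ssid, aps in by_ssid.items():
        secs = {sec for _, sec in aps}
        if "" in secs:
            warnings.append(f"open network: {ssid!r}")
            if secs - {""}:  # same name with and without encryption: lookalike
                warnings.append(f"mixed security for {ssid!r}: possible impersonator")
    aps = by_ssid.get(expected_ssid, [])
    if not aps:
        warnings.append(f"expected network {expected_ssid!r} not seen")
    for bssid, sec in aps:
        if bssid not in expected_bssids:
            warnings.append(f"{expected_ssid!r} from unknown AP {bssid}")
        if not set(sec.split()) & STRONG:
            warnings.append(f"{expected_ssid!r} on {bssid} is not WPA2/WPA3 ({sec or 'open'})")
    return warnings
```

On a real laptop, feed `audit(parse_scan(...))` the output of the nmcli command named in the docstring; any warning is a reason to ask the venue before connecting.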
Perez-Reyes says that the solution is to create a VPN (virtual private network) when using a Wi-Fi connection. “All of the modern operating systems have a control setting to create a VPN. What the computer does is use the public encryption handshake, and it will create an SSL (secure socket layer) connection. You’ve seen these with your browser like with your bank. It switches from http to https. That tells you that you’re now using the secure socket layer protocol and that the browser, in that case, is creating an encrypted tunnel between you and the bank.”
Bluetooth connections on mobile devices also can be insecure and the experts recommend only turning on the Bluetooth feature when it is needed. “It’s a pain, and yes, you can forget, but it’s a lot safer,” Schober says.
Perez-Reyes shares a story about how several years ago, two young hackers stood right off of the red carpet for the Oscars as all of the stars were coming in and they were able to harvest the address books of all of the major stars by hacking into their phones. In addition to recommending that people shut off their Bluetooth connection when it’s not being used, he says, “If you’re a likely target for industrial espionage, don’t carry your phone into places where the bad guys can get to you.” He even knows of IT executives whose companies will not allow them to bring their phones into China. “They just buy disposable phones randomly so that nobody can sell them a hacked phone,” he explains.
Schober is a big proponent of using a personal hot spot for Wi-Fi connections. “It can be hosted off of a 4G LTE connection and perhaps 12 people can tie into this hot spot. Then you have a secure password; you know who’s accessing it. The LTE 4G protocol is not easy to hack into. It’s a modulated signal. It’s complex. Only somebody with a million dollars worth of equipment in a van could easily intercept that. Basic hackers are not going to try to breach that.”
Schober’s company designs and manufactures wireless test and security products and equipment that can detect contraband cell phones. He has some clients whose board meetings are so confidential that they don’t allow anyone to bring mobile devices into the room. Despite that ban, some people will try to smuggle phones in by hiding them in their clothes or even body cavities. “They know metal detectors can’t pick up on a phone, because there’s very little metal in phones,” he explains. “So we have a portal system called the SentryHound. It’s essentially two poles you walk through, kind of like a metal detector, but it’s not. We pick up on the high-powered magnets in the speaker, the microphone and the vibrator motor. We can pick up and tell where on the body (the phone) is. It’s not dependent upon whether the phone is powered up or transmitting.”
Perez-Reyes also warns that phones can be hacked through the apps that are downloaded on to them. “Android is the most insecure operating system on Earth,” he says. “It makes Windows look like a paragon of security. It’s not the Android system itself. It’s the fact that people load apps. IBM published a study and they found that over half of the dating apps were malicious. The dating apps not only harvest your address book, but they can take over your phone. Your phone is ‘pwned.’ It’s cybertalk for when you own a system. The phone is now pwned, which means the bad guys can turn it on any time they want. It doesn’t matter what the app is. What they do is they go fishing with applications that people find useful — the flashlight one, the dating app. The problem with Android is that nobody is validating the apps. On the Apple operating system, Apple is basically looking at everything that goes up on their store.”
According to Schober, cyber criminals could even enlist the help of drones. “You could take a modified access point and a stealthy little drone and fly over people, where you’re maybe 200 or 300 feet above them where they can’t hear it or see it, and you could actually take over somebody’s phone and hack it and pull the contact list and compromise emails and other content.”
His company recently purchased a drone as Schober was preparing to present at a cybersecurity event where he will talk about how easy it is to hack data by using a drone. When one of his employees took the drone on a test flight, it really drove the point home. “I’m here in my office and I’m up on the second floor and he put the drone one foot outside of my window and took live HD footage of me inside my office. I turned around and nearly fell out of my seat! It shows you how easy it is to spy on somebody.”
Perez-Reyes says there are four basic ways to manage cybersecurity risk: avoid it, prevent it, mitigate it or transfer it. Avoidance would include steps such as not using public Wi-Fi and not taking a phone into places where there is a higher risk of being hacked.
Prevention would include steps such as using a VPN connection to connect to Wi-Fi. “Mitigation means, ‘All right, so I suffered a loss, but I want to make sure that it’s as small a loss as possible, so you’re mitigating by encrypting your hard disk,’ ” Perez-Reyes explains. “If somebody steals your hard disk and it’s encrypted, basically, it’s useless. It’s a brick.”
Transferring the risk would involve buying cyber insurance that protects against liability in the event of a data breach. These types of policies may cover costs such as credit monitoring for individuals whose data was compromised, forensic analysis and crisis management. “We’re shocked at how little people buy the cyber insurance,” he states. “What is it going to take? How many companies can operate without a computer? They’re not insuring their brain.”
Perez-Reyes is seeing somewhat of a sea change in this area, however. He shares the story of a major vendor he knows of that serves the movie industry. “Prior to the Sony breach, it was like, ‘We don’t need this stuff. Get out of here, you’re wasting our time.’ After the Sony breach, it was, ‘How much can I buy?’ ”
In his blog post on data security tips for meeting planners, Sileo recommends additional steps such as securing your online reservation system to protect attendees’ personal information and shredding registration information when it’s no longer needed. He also recommends educating attendees. “Before they ever begin their travels, attendees should read through a quick, two-minute tip sheet on how to protect themselves while going to a conference. Simply making them aware of some of the risks that exist traveling (laptop theft, unprotected Wi-Fi, smartphone hijacking, etc.) will cause them to pay greater attention onsite.”
He’s also seeing planners paying more attention to this issue. “Lately, I’ve been at more conferences with badge-checkers, before-break reminders to take your valuables with you and password-protected Internet access. These are all great trends!” As Schober states, “Sometimes just controlling your own environment, your own security, just gives you peace of mind.” C&IT