In an age where technology controls many facets of a business, attention to cybersecurity is becoming paramount as meeting planners recognize how technological breaches can rob corporations and meeting attendees of vital intangible assets.
As a seasoned meeting planner, Dana Ellis, owner of Ellis International in Minneapolis, MN, recognizes that cyber security should always be top of mind when planning events. Afer all, planners, clients and attendees all use online platforms for registration, including accepting fees/payments and then often live stream content meant only for a specific audience.
“We have helped clients host virtual events for product launches where they were very concerned that no competitor would be able to gain access to the meeting as it was an internal launch and not yet public,” Ellis says.
“The amount of data that my clients ask for when they host a virtual event is a big part of why they continue to do virtual events. They want to know where people are logging in from, how long they stay on each page, how long they watched the stream, and how many pages they viewed and if they downloaded any files.”
Michele Dobnikar, meeting professional and president at GlobalMeet in Phoenix, AZ, says that in a virtual setting, meeting and event security becomes a more complicated issue. As Dobnikar explains, when hosting in-person events, companies have complete visibility into who is in the audience and an even clearer view of the presenter. “Measures can be taken such as physical security and identification checkpoints,” Dobnikar says. “This entire dynamic changes with virtual events.”
In the virtual event world, authorization is a key factor in carrying out a successful and secure event. That’s why cybersecurity should be taken into consideration from the formulation of the event to its execution and through to its conclusion.
“From attendee permittance to live Q&As and guest speakers, ensuring secure passages for authorized audience members is critical,” Dobnikar says.
Many of the early examples of security breaches in virtual events occurred in the education industry with hackers breaking in and displaying inappropriate content to the students. More recently, cybercriminals have been targeting local governments.
“The California cities, Laguna Beach and Calabasas recently experienced virtual participants expressing hateful speech in city council meetings,” Dobnikar says.
Ellis says her clients’ first concern is always “locking down” their virtual events so that only the internal employees or paid attendees can access the virtual event or live stream. This is done by choosing a platform with a registration process so that a user needs a specific (unique) username and password and that can be limited to only one user at a time.
“We also have to be aware and concerned that our registration information or credit card information is not accessed by any bad actors and to adhere to data retention policies as well,” Ellis says.
Ellis has corporate meeting clients who are based in Europe and have strict corporate rules on what links they could use or apps that they could connect to, which left out Zoom and a few other options. Ellis and her team had to revise the agenda to include a link to a Teams meeting, which their internal team had to create so that they could actually access it.
“During the pandemic, there was an internet outage all along the east coast of the U.S., which was during a live stream event. It took over five minutes for them to recover internet access,” Ellis says. “This wasn’t a cybersecurity issue for us, but a reminder of how much is outside of your control when you are doing virtual events.”
According to Stephanie Benoit-Kurtz, lead cybersecurity faculty, College of Business and Information Technology at the University of Phoenix, in 2020, the virtual event market, according to Frost & Sullivan, was estimated at $1.57 billion with an estimate growth to $4.44 billon by 2025.
“Contributors of this significant growth pattern range from sustainability and reductions in travel expenses to significantly improved reach of target markets. As the popularity of these events continues to grow bad actors are starting to target the events and data associated with the attendees,” Benoit-Kurtz says.
Just like any in-person event, Benoit-Kurtz says organizations must take precautions to protect attendees, speakers and sponsors from bad actors, from the registration and collection of personal information to the security of the event itself while online, or even in recorded broadcasts that are shared at a later date.
“Organizations that hold these events are obligated to their stakeholders to protect data by providing secure registration processes, credit card transactions and a secure event that prevents unwanted attackers access to the event,” Benoit-Kurtz says. “From the theft of personal data to the selling of attendee and sponsor lists, attackers are looking for ways to monetize the information that is gathered from attendees.”
Beyond attendee information harvesting, there are other types of attacks such as “denial of service” attacks or virtual room hijacking that can also disrupt an event and tarnish the reputation of a sponsoring organization.
“Additional significant cybersecurity issues in virtual events include phishing attacks, ransomware, and unauthorized access,” says Gareth Young, chief architect and founder of Levacloud, a cybersecurity company in Alpharetta, GA. These can lead to data breaches, financial losses and damage to the organizer’s reputation, highlighting the importance of robust cybersecurity measures.
Young points to a recent case in Hong Kong involving a finance worker at a multinational firm who was tricked into transferring $25 million by fraudsters using deepfake technology in a video conference call. The scam used deepfake technology to convincingly mimic the appearance and voices of legitimate company employees, highlighting the sophisticated level of cyber threats facing virtual events and meetings.
Of course, breached virtual events also can have a lasting impact on a company’s reputation. Dobnikar says one of the biggest issues that can arise from a security breach is the divulging of sensitive information. Whether it’s the case of a new product launch or a quarterly investor meeting, an unwanted presence can be detrimental from both a culture and profit standpoint.
“This issue can be mitigated by controlling audience participation. If the event is an internal town hall, event planners must ensure that attendees possess the necessary authorizations,” Dobnikar says. “Tightly controlling the presenter space is also an important step in eliminating this issue. In a virtual setting, a few seconds can mean the difference between an enterprise-wide disaster and a successful event.”
Dobnikar adds that the first step event planners should take is to ensure the technology they’re utilizing to host the event is equipped with the necessary tools to mitigate a cybersecurity event. Will emails be checked before admittance, will the event be password protected and how can we pivot if a breach occurs? These are all questions event planners should ask before ever executing the event.
The next step is to implement proactive security gates to prevent unauthorized entry to an event. Common tactics include whitelisted domains or IP ranges, pre-authorized guest lists and allowing entry to an event only when coming from a specific website (such as a corporate intranet).
“Finally, event planners need to assign resources to monitor the virtual auditorium and presenter space in real-time to identify any suspicious presence that may have slipped through the virtual security measures,” Dobnikar says. “While these are the proper steps to take from the event management side, utilizing your event technology vendor can also prove to be a valuable tool in elevating cybersecurity measures.”
Benoit-Kurtz points out that organizations must secure events by correctly implementing the security controls within the virtual event platform being used. Also, work with the event platform provider to make sure that the organization and cybersecurity is on the list for notifications of any vulnerabilities. “Understand exactly who is receiving invites to your event and monitor the event for signs of compromise. If an unexpected user shows up to an event remove them immediately,” Benoit-Kurtz says. “Do not wait for bad things to happen or when the user gains full control of the system. Configure and block re-entry of ejected participants. It is one thing to remove a user from an event, but if they can establish entry again, the issue generally continues. Also, investigate and subscribe to monitoring services that the vendor can provide for event monitoring.”
This approach can assist the hosting organization with a resource that is actually looking for anomalies during the event and trained to understand what to do incase suspicious activity starts to unfold.
In addition, Young says event planners should conduct risk assessments, use reputable platforms for hosting events, implement strong access controls to stop unauthorized access and educate participants on cybersecurity.
“Planners should ensure network security, communicate cyber safety best practices to attendees, and be proactive in managing disruptive activities during the event,” Young says. “Work with cybersecurity vendors to ensure your event platform is effectively securely and configured to best practice prior to use.”
The most common mistake made by event planners is the use of virtual meeting technology versus event technology, as the two have completely different use cases. As Dobnikar explains, virtual meetings are typically smaller, more casual and collaborative. In these use cases, security risks are lowered, and therefore, virtual meeting software isn’t equipped with as many built-in cybersecurity features.
“With exponentially larger audiences attending virtual events and the nature of the type of information being communicated, security becomes essential,” Dobnikar says. “It’s a common mistake for event planners to take a company’s day-to-day meeting platform and use it for larger events. There are many reasons a virtual event suffers when run on a virtual meeting platform, including a lack of a formal registration process, fewer options for branding and customization and reduced analytics, but the most significant difference is the lack of cybersecurity features.”
Additional mistakes in virtual events related to cybersecurity include using non-secure platforms, neglecting strong passwords and access controls, failing to educate attendees on security, and not having a cybersecurity incident response plan.
“These oversights can leave events vulnerable to cyber threats,” Young says.
A common mistake Ellis sees post-pandemic is that some people don’t give as much attention to their virtual event as they do to the in-person event. You need to test out the software you have chosen in advance of the event day to make sure that it operates as intended and you must make sure you have chosen a platform that can accommodate the number of attendees you expect to have.
“If you are expecting 500 people, most servers can easily accommodate that traffic, but if you are expecting 20,000 people, you need to ensure that your platform server is ready for that type of traffic,” Ellis says.
Because of the expected continuous challenges revolving around the security of virtual events, cybersecurity will play an increasing role in the future meeting planning. Dobnikar points to the recent pandemic, whereby companies sacrificed traditional procurement evaluations in favor of just finding a way to communicate virtually. Since the pandemic, most companies have been re-assessing their virtual event technology for cost, security, privacy, vendor reliability, etc.
“This trend will continue and force virtual event technology providers to ensure their platforms are strong in the areas of cybersecurity and privacy,” Dobnikar says. “As AI also becomes more commonly incorporated into event technology offerings, technology planners should be aware of security concerns that new AI features may introduce. Companies should ask themselves, ‘Is the platform sending data off to a third party network for AI processing and how is it being managed in this handoff?’”
Benoit-Kurtz says that inherently event platforms are complex to protect since a variety of the attendees are often unknown to the company. However, organizations that use these platforms must perform due diligence on securing the environment.
“Involving cybersecurity departments in the evaluation and selection process of an event product can go a long way to adopting a product that can conform to the organization’s security program,” Benoit-Kurtz says. “Subscribe to monitoring services, validate configurations with the platform partner and train your users and participants about how to secure their experience. Although there is no such thing as a 100% secure environment, take the time to develop a security strategy for the event platform and for each event. The time spent is an important investment that pays dividends in the long run and can be the difference between a successful event and a breach.”
Cybersecurity will become increasingly important in the future of event planning, especially as virtual and hybrid events continue to be more common. Event planners will need to prioritize cybersecurity to protect participant data and event integrity.
“New technologies such as advanced encryption, blockchain for secure transactions, artificial intelligence for threat detection and biometric authentication for secure access will be crucial for protecting against cyber threats,” Young says.
Planners should look for virtual event platforms that offer features like customization, networking and engagement features, automation, event management software integrations, sponsorship opportunities, virtual booths, live broadcast capabilities, pre-recorded content, social media integration, and recorded captured content to host successful online events. C&IT