Technology security experts worry about meeting planners who fail to implement even the most basic of safeguards to protect attendee information on computers, laptops and handheld devices.
Such planners don’t include Cassie Brown, chief experience officer of Charlotte, NC-based TCG Events, which plans corporate meetings, events and incentives. Brown takes several basic measures to protect her own data and that of clients. “We use a technology company that deals with all of our computer issues. We change our passwords every three months, and they aren’t all stored in one place. Most of our information is on a server that is backed up twice offsite. When interns leave, we change passwords they used,” says Brown.
She also makes it a point to inquire about the security of meeting registration and management websites and software that TCG may use onsite to collect attendee and client information. “We have always asked a lot of questions and delved deep into the security of websites. It comes down to having a conversation about how they secure data and what happens to it at the end of the event. You also want to know if there is an online backup and how they secure credit card data,” Brown says.
According to security experts, planners must make information security a top priority for several reasons:
• They use a growing variety of PCs, laptops and handheld devices to store and transmit huge amounts of client and attendee data.
• They increasingly use standalone meeting planning and registration software available for free or for a fee.
• They hire third-party meeting management services that often use their own proprietary systems to manage meeting information.
• They hold meetings at the growing number of hotels, convention centers and other venues offering free and open Wi-Fi, which is notoriously vulnerable to hackers.
Needless to say, hacking is a growing problem. According to the latest study from the Identity Theft Resource Center, during the first six months of 2012: “Malicious attacks involving ‘hacking’ continue to represent an ever increasing growth, with 30.5 percent of the breaches so far this year identifying hacking as the root cause, up from the 27.7 percent reported for the same period in 2011. If this rate increase continues, 2012 will be on pace to have another record-high year in this category.”
Some planners, especially small independent shops, have weak information security measures because they lack computer savviness, are too busy to obtain it, or don’t have an in-house or third-party IT consultant.
However, securing information isn’t rocket science. Following are examples of actual information security practices and the areas they cover.
Robert Glowczwski, DMCP, director of operations, Access Destination Services–Orange County, describes practices for protecting his company’s information. “Our general practice is to use an enterprise anti-virus system because it’s easier to maintain at all work stations instead of having individual products that would have to be updated at individual work stations,” he says. “We have multiple backup systems on- and off-premises. A good firewall and password authentication are important as is a good spam monitoring system because there are many phishing emails and viruses.”
Access educates employees on anti-virus practices, creating strong passwords and avoiding unknown websites, pop-up ads and links. The company also uses third-party registration systems that follow industry standards for handling credit cards and have state-of-the-art security and efficiency, says Glowczwski.
He adds that Access works with IT professionals to ensure optimal security. “That would be a smart thing to do for those who aren’t technically savvy. If you can’t afford to have an IT person on staff at least try to have regular conversations with a reputable IT professional who can help you with the basics,” Glowczwski advises.
American Meetings Inc. (AMI), a Fort Lauderdale, FL-based meeting management and event marketing firm, guides its security practices with an 82-page security policy document. AMI, which handles meetings worldwide, provides the document to potential corporate clients who request it as part of an RFP, says CEO Andy McNeill.
The company continuously updates and strengthens its security policies following a few security close calls early on in the company’s founding. “We have independent, cloud-based servers for each client, and each one is an encrypted enterprise server to ensure 100 percent uptime,” says McNeill. “We have four levels of backup both onsite and at remote servers across the U.S. and in Europe.”
Unlike many companies, AMI doesn’t keep client information indefinitely because it’s a security risk. “We keep all data for at least 12 months, although some clients require up to 36 months. We deal with large corporations, and we are often the conduit between one division and another, one brand manager and another. They sometimes come back to us needing information for a program because they don’t have it internally, so it’s critical that we have it, and that it’s secure,” McNeill says.
AMI’s information security measures reflect those that large corporate clients typically require as part of master service contracts. “They might require us to have multiple backups of their content or attendee information they are using our servers to hold,” says McNeill. “That’s pretty common. Another question might address our policy on physically guarding computer equipment and information. We get asked that a lot. They ask what we do with credit card information and registration forms after the event. Some require us to hold the information and then delete it after a certain length of line, depending on their policy.”
McNeill takes steps to ensure that any Wi-Fi network AMI offers is secure. “If we are providing a Wi-Fi network, we will make sure it has encryption and work with the venue to make sure that it’s in place. If you are on an open or free Wi-Fi network, you must assume that someone else is looking at your data,” says McNeill.
Many information thefts occur via Wi-Fi. Such thievery should be a big concern to planners due to the vulnerability and growing use of free Wi-Fi in a wide range of meeting venues, experts say. According to an ITRC survey, about 40 percent of people don’t know there are ways to protect data when using Wi-Fi, and nearly 80 percent believe that using the technology can lead to identity theft.
That finding isn’t surprising because it’s relatively easy for anybody with basic technology knowledge to obtain software online that monitors and “grabs” information via Wi-Fi connections, says Robert Siciliano, an identity theft and personal security expert, author, CEO of idtheftsecurity.com and a McAfee online security expert.
Siciliano explains that there are generally two types of Wi-Fi available to meeting participants. One type is free or public Wi-Fi that anybody can easily access. Free Wi-Fi usually doesn’t require a password and lacks encryption, says Siciliano. The other level of Wi-Fi requires a password or username, and usually includes encryption, which is often not an option at most large venues and functions, Siciliano says.
As a result, attendees and planners typically access the free variety. That is unsafe, says Siciliano. “If they have their devices set up in certain ways, for example if they are sharing files on their devices, they are at risk. Open wireless is generally subject to ‘sniffers,’ a hacking term for software that seeks out vulnerable connections to free wireless,” says Siciliano.
John Sileo, CEO of the Denver, CO-based Sileo Group, an information economy think tank that trains organizations to secure and leverage the power of their digital privacy, identity and reputation, is also an author and speaker. He describes the risk of using free Wi-Fi another way: “What’s free is not the Wi-Fi service, but your data because it’s beamed out with little or no protection. The issue is how to set up a secure connection between attendees’ computers and the device providing the wireless service. The ideal would be that every person registering for meetings gets a username and password. That’s time consuming and expensive, and that’s why people don’t do it,” says Sileo.
Most planners appreciate free Wi-Fi as an attendee convenience. However, planners typically don’t consider the security risks of Wi-Fi, says Brown. “For planners, using free Wi-Fi to access things like registration systems and getting into your own network or cloud to look at things like client information and budgets is just not a great idea. But it’s not uncommon to do so because of the cost of setting up hard lines in conference centers and hotels,” says Brown.
Give attendees a heads-up. “Make them aware if it’s not secure,” says Brown. “You see it sometimes in registration and conference materials where it will say, ‘Free unsecured Wi-Fi available.’ ”
Turn off file sharing in computers and mobile devices. “You might have file sharing running in your home or offices so you can see files on other devices in your network. You want to turn it off because hackers may be able to access your files,” says Siciliano.
Use a virtual private network (VPN). Individual planners can do this by purchasing a wireless card to use in a computer. Or planners can use a smartphone with wireless service to “tether” to their computers, says Siciliano. The VPNs are considered more secure because they are encrypted by carriers. “There are also free and paid tools anyone can download that allow them to surf on Wi-Fi more securely using a VPN that basically encrypts communications,” says Siciliano.
Read the terms and conditions of Wi-Fi services to understand the risks and encourage attendees to do the same.
Don’t forget to ask questions. “Know what type of Wi-Fi security is in place,” says Brad Neuman, director, Attend-eSource Technologies, a suite of web-based planning solutions at metroConnections, a Minneapolis-headquartered company that plans corporate meetings, events, incentives and conferences. “Ask if anyone is going to help monitor activity on the Wi-Fi network so that you have assurances there are no hackers trying to get information from attendees. A monitored network helps protect users,” says Neuman.
Neuman also suggests asking: How many other groups will be using the network at the same time? Is there technical service available during the actual meeting and when planners are working? What is the maximum bandwidth we will use? Do you have the total bandwidth we will need?
There is one step that planners can take to limit the damage — minimize data collection and storage. “Planners are so used to collecting attendee information and keeping it for historic reference,” says Brown. “We don’t always go back and get rid of information we don’t need anymore. As an industry, we have always collected addresses, phone numbers, credit card data and other information. You have to be aware that you don’t need to keep some information,” says Brown.
Sileo agrees. “Planners tend to collect more personal information from attendees than they need. They may intend to use the information for marketing, feedback or future meetings, but for whatever reasons they don’t and end up keeping it,” says Sileo.
Planners’ information can never be truly secure unless they have a policy for creating and securing passwords. “Creating safe passwords is a huge issue and managing it is even huger,” says Siciliano. “Managing several passwords correctly can be an overwhelming task for some people. One way to do it is have an IT person install password management software.”
Short of that, there are several basic precautions that planners can take to thwart password theft. Make sure that each password includes upper and lower case letters and at least one number and character. Never use the same password for two accounts. Many people create one long and complicated password and use it repeatedly, making only small changes at the end. Such passwords are relatively easy for hackers to exploit, says Sileo.
Technology experts also suggest that planners ask questions about the security of meeting management software they download online or use via third parties. The tip applies especially to free software available online, says Siciliano. “Generally with free software, they may not have allocated the resources for application security, which involves basically trying to hack the software during stages of development so that it’s relatively bulletproof when it’s ready for prime time. With free software, you want to know the pros and cons and ask questions,” he says.
Experts suggest asking: What part of the budget went into application security? What risks do I take by using the software? Is the software periodically updated or improved? Also read the terms of service agreement for any mention of security or encryption. The following question is especially important for registration systems: Does it comply with the Payment Card Industry Data Security Standard for processing, storing and transmitting credit card information?
There is more to information security than preventing access via technology. Planners must also guard against data thieves who pilfer laptops, computer notebooks and handheld devices at meetings, says Sileo. “If a thief can go to a conference where there are 1,000 executives and steal three or four devices, not to mention a planner’s equipment, why should he spend hours and hours trying to hack into a system that has security?” asks Sileo.
Sileo conducts tours of meeting rooms to show how vulnerable the equipment is: “Before speaking, I have somebody walk around the room with me, sometimes planners. I touch laptops and notebook computers, or pick them up and put them back down, to show how many I could have taken. At one conference, I touched 87 laptop bags, and told them during the speech,” says Sileo. He also sees planners’ printed documents and paper notebooks and files left unattended.
Brown agrees. “Unfortunately, it happens all the time. That (non-computer) notebook is a planner’s bible that has all kinds of documents. Sometimes planners have been working long hours and haven’t had a lot to eat, and as the conference progresses, they may leave it where someone can get it. You can lose client and personal proprietary information,” says Brown.
Implementing all types of information security measures requires planners to work closely with their clients. That will continue to be true for independent and corporate planners, says Neuman. “While many corporate planners have an IT team to guide them, both corporate and independent planners should know the meeting owner’s security policies and be an advocate for the owner when looking at protecting attendees’ private information. Be sure to capture best practices from each event so you can handle security better in the future,” Neuman advises. C&IT