November 29, 2017

The Meetings Industry Is Not Worried Enough About Cybersecurity

When news broke in September that the credit-reporting firm Equifax was hacked, compromising the personal data of 143 million people, it was a wake-up call for everyone. Individuals and companies started to implement long-overdue steps to protect their data and identities.
But many meeting planners still haven't gotten the message, according to cyber security experts.

"The meetings industry is not taking this seriously at all," said Sean Donahoo, CEO of Disruptive Solutions, a provider of cyber security solutions for the meetings and events industry. "It kills me; I see how things are done, and all of the planning that goes into events. Everything is planned for down to a T, except this part; and it's maybe the most important part, if you look at it from a reputation standpoint."

He added that hackers could be looking for data to use or sell in another hack, or in a spear phishing campaign. They might be getting data for credentials to use to move money around or access a network, or it could simply be a practice test.

Research bears out this potential threat. A 2017 report from the Ponemon Institute and IBM found that the average total cost of a data breach is $3.62 million, and there is a 26.2 percent chance of a recurring data breach in the two years after a breach.

Nearly every major industry has been hit in some way with an attack within their secure network, so it's logical that the threat extends to a less secure environment, like a meeting or a conference.

There is no data on how widespread hacking is in meetings and events, because planners and venue managers are hesitant to discuss it publicly, but that doesn't mean breaches aren't happening. In fact, it can take months or even years for an organization to discover it has been hacked.

"I probably get a call a month or more from [a planner] who has had a meeting breached, or one of their attendees was breached, which happens as much if not more, and that's where the huge liabilities come up," said John Sileo, CEO of the Sileo Group, which conducts cyber security training for organizations including the U.S. Department of Defense.

WHAT ARE HACKERS LOOKING TO EXPLOIT?

Planners and event managers need to start having tough conversations about cyber security.

According to Sileo and other experts interviewed by Skift, there are numerous reasons to hack a meeting – from identity theft to corporate espionage; social activism to practice hacks – and no one is immune.

"Often this is about corporate espionage or corporate ransom," said Sileo.

Let's say there's a conference for the federation of employee benefit plans. Managers of the plans have social security numbers, credit card numbers, and retirement account information on employees for 5,000 of the largest companies in the US.

"It's a concentration of data that you just can't get elsewhere else. If I want to know how the employee benefit world runs, that's where I go to steal the data," said Sileo.

Next on the list is the venue. Donahoo explained that a location can be a soft target due to weak security (physical and digital networks), or the venue itself may be the target for reasons unrelated to your event.

Finally, there is the keynote speaker. A big name can be a big draw for a conference, but it can also be a risk.

"There are people who carry a message that people want to suppress; former public officials, civil servants, military generals," said Donahoo. "Somewhere along the line they've done something to upset someone."

HOW HACKERS WIN

The easiest way to get at data is through Wi-Fi, either by hacking the system or simply setting up a hotspot with an official-sounding name. When searching for the local Wi-Fi, people see the name and assume it's connected to the event, and sign on. But even the official Wi-Fi is not secure, according to experts.

"When hotels call their Wi-Fi secure, it's the biggest laugh in the world," said James Spellos, president of Meeting U, which specializes in training for technology and meeting planning applications. "The real danger is when planners aren't aware of how phones and devices can be penetrated."

He recommends a multifaceted approach to safety.

First, planners and their staff need to have good anti-virus software installed on all devices, and make it active.

Step two is to install anti-malware; Spellos said malware is a bigger issue than viruses. Next, planners need to encrypt all information associated with the event, but even that's not foolproof.

"While the planner can make sure it's encrypted, if I'm at a coffee shop and I'm registering for a conference, a lone hacker can still be sucking all the info being sent on the Wi-Fi," said Spellos.

He, and all the experts who spoke to Skift, said individuals need to get a virtual private network (VPN) installed on their mobile devices and keep it running. They also advise using password managers. Choosing the right software or system can be daunting, and there are a lot of Trojan horses out there.

"Use what your colleagues are using," said Spellos. "Talk to people and get guidance. If you have something pre-installed, don't try to change it. If you are using a company-owned device, don't play around with it; let [your information technology department] handle it."

A FALSE SENSE OF SECURITY

The next time you're at a conference, go to a meeting you're not a part of and see if anyone stops you. There might be a badge checker at the door, but how closely are they scrutinizing your badge?

Chances are, if you are nicely dressed you'll sail right past the gatekeepers. Thieves know this, and use it. So while your attendees' digital identities might be locked down, their information and property are still vulnerable to real-world theft.

The night before presenting at a conference, Sileo checks out the room where he is to speak, and often walks across the hall to what he calls the 'war room': the planner's command center.

"I can't tell you the number of times I can get in," said Sileo. "And there are their laptops, their manifests, and the badges. It's just rampant but we don't hear about it."

The next day, he visits meeting rooms while attendees are out at lunch. He was recently speaking at an event with 5,000 people, and touched 220 devices left unattended. When he gave his presentation he asked if anyone saw him. No one had noticed.

"They go in, they put down their gear to get a coffee, and people steal [them] at every meeting," Sileo told Skift. Agents can also sneak into conferences and take photos of laptop screens, grabbing sensitive data with their smartphone.

The experts who spoke to Skift agreed universally that meeting planners aren't doing enough.

"Unfortunately that's how we work in our society, we need a big slap in the face before we take something seriously," said Donahoo, "and even then, our memories are short."


Copyright 2017 Skift. All rights reserved. From http://www.skift.com. By Jaimie Seaton, Skift.
