What Every Event Professional Should Know About Data Security

Keeping your attendees' data safe at virtual and hybrid events should be a priority for your entire team. Here, two event tech experts break down what you need to know.

Photo: FLY:D on Unsplash

In a May 2020 article, Forbes noted that cyberattacks on virtual and hybrid events had increased a whopping 1,000% in the few months since the pandemic had begun. And while that number has likely improved with the quality of virtual events, it’s undoubtedly still an important issue that event professionals should understand.

“Because these events involve sensitive user data—like payment, account credentials, intellectual property and personal identification—they become more vulnerable, and it takes just one vulnerability for a hacker to exploit and wreak havoc,” explains Devin Cleary, vice president of global events at Bizzabo.

Saroosh Gull, CEO of Eventcombo, agrees. “The amount of information we collect from attendees is a goldmine for hackers, and keeping this data safe should be a top priority,” he says. 

So, how can event professionals begin to understand and combat this complex issue? We asked Cleary and Gull to break it down and share their top tips.

Why is the event industry such a big target for hacking?
“What makes the event industry so valuable? The people,” points out Gull. “The gathering of professionals who are willing to share knowledge through networking and presentations is the main value proposition of live events.”

But with that high concentration of people and content, he adds, comes a high concentration of data. “The event industry is a data-rich soft target for cyber thieves. Every event you create generates a mountain of data—ranging from contact details to residential details to payment details to dietary requirements all the way through to sponsor leads. As the event approaches, this data is typically shared across a variety of roles, from colleagues and exhibitors to advertisers and hotels. The nature of our industry means this data also moves across international borders.”

Gull adds that it’s up to every event professional to understand the vulnerabilities and take steps to properly secure the data their attendees have entrusted them with. “Failing to do so not only puts the event brand at risk but more importantly, the livelihood of their event attendees,” he says. “Spend a little time to learn about the topic and adopt best practices for your organization.”

What aspects of an event are the most vulnerable?
“Virtual and hybrid events are only as protected and secure as the platforms they use,” explains Cleary. “Cybercriminals can see them as ‘easy’ targets, especially if the software or network (or both) is weak.”

Cleary cites several security holes that hackers are likely to exploit:

1. Unsecured URLs and attendee code distribution for access sharing

2. A lack of multifactor authentication to verify attendee identity

3. Poor (or missing) implementation of encryption technologies to prevent “gatecrashing” and prevent unauthorized monitoring/eavesdropping of sessions

4. Software vulnerabilities within the event platform itself

5. Minimal (or missing) security controls to obscure personal data, like participant names, companies and email addresses

“The two most common attacks, according to event planners, are malware and phishing attacks,” Cleary says, adding that while many event organizers use multiple virtual platforms to capture data or build their ideal experience, doing so can lead to more points of attack. “Although these platforms are all equipped with security mechanisms, there’s a greater chance of a security breach because the systems must work together and exchange information. Without a pre-existing integration between software, the vulnerability increases.”

What are some steps planners should be taking to protect data security?
Cleary and Gull offered up several best practices for reducing your chances of being hacked.

1. Be very aware of who on your team has access to personal data. “The ownership and responsibility for data security now rest on everyone,” explains Gull—adding that it’s crucial that access to attendee data is only given to credentialed individuals. “We have seen organizations share very private data with interns or volunteers—which inherently isn’t a terrible thing, but when you’re talking about precious data, it can lead to problems for any organization.”

Along the same lines, ensure that all staffers are trained to recognize phishing attempts and malware, adds Cleary.

2. Partner with tech companies that make data security a priority. “It only makes sense for event tech platforms to lead the charge in being responsible, accountable and transparent with how they manage data across the event journey,” says Gull. “Ultimately, it comes down to a partnership between the event platform and the event producers and organizations to ensure these best practices are adopted from day zero.”

3. Make sure data is encrypted. “Encrypt all documents, even if everything is cloud-based,” says Cleary. “Multifactor verification should be nonnegotiable.” On a similar note, he adds, “Using a cloud-based event platform decreases data storage on devices, which can significantly reduce the number of data security threats.”

4. Develop a strong registration process. Cleary calls registration the first real checkpoint to help mitigate risk. “Introduce a preregistration screening via email to further reduce the chance of an event breach,” he suggests, adding that planners should also use two-factor or multifactor authentication and single sign-on.

5. Regulate event access. “The cardinal rule for any virtual event is to know exactly who is participating,” adds Cleary. “Limit event-access link-sharing to one time versus multiple emails, and refrain from sharing access links externally, such as on social media.”

Gull takes a similar approach at EventCombo. “Our unique URLs for [our virtual platform] Fireworks are only meant for single use, single user and contain security parameters to prevent fraud and abuse,” he explains.

And if your content is living on after an event has ended, Cleary suggests creating “a separate on-demand page or site—and once the event ends, lock its access to block future unauthorized access.”

Are there any red flags event planners should look for when partnering with a tech company?
Of course, one of the strongest defenses against this issue is partnering with a strong tech company that can think about much of this for you—but not all platforms are created equal. 

“When it’s time to vet and choose an event management platform, companies must find one committed to prioritizing data security and—especially in an event where attendees might be joining a virtual or hybrid presentation from anywhere in the world—meeting all data protection and privacy legal and regulatory requirements, since they differ from country to country,” points out Cleary.

Gull adds that event tech companies should be talking about security from the initial sell stage. “A platform should want to market the fact that they are a strong data steward,” he notes. Another thing to watch for? Make sure security discussions are part of the onboarding process with a tech client. That way, teams can clarify what security aspects the tech company is responsible for, and what aspects the client and planner are responsible for. “That ownership and that requirement needs to be transparent, and called out early in advance,” he says.

Finally, pay attention to the contracts and agreements, which Gull says should also be mentioning data security. “If one or two or all three of these points are missing, it's a red flag.”

Is there anything event attendees should be doing to protect themselves?
“Whenever possible, attendees should access events from secure networks with strong network credentials and avoid using public Wi-Fi,” says Cleary, suggesting that participants should even consider using a personal VPN to join. 

Verify the source of event-related emails, and make sure you use passwords unique to this event only, he adds. Also, “It’s a good idea to ensure the technology (browser and OS) are fully patched and up-to-date before joining any virtual event, and verify the URL destination of shortened or tiny URLs within the event itself and all emails,” Cleary says.

Gull also suggests that attendees research the platforms they’re registering on, and reach out to event organizers if they have any concerns about their data. “Thanks to enhanced UI/UX and technology, we register for events so easily that we overlook some potential risks with sharing our emails and data,” he notes. “One-click registration or no-click registration features are great, but you have to educate the attendees about post-registering tracking and protection.”

How do vaccine verification and COVID-19 testing complicate this issue?
Since many events are currently requiring proof of COVID-19 vaccine or a negative test, these issues can become even more complicated. Many tech providers now have built-in capabilities for this, and Gull notes that many of the same questions and considerations should apply: “Who has access to this data? Are you planning on sharing this data with any third or fourth parties? Where is the data stored? Is it encrypted? Who is responsible in the case of data breaches or corruption?” he asks. “These are the questions you have to ask yourself and then ensure the platform you’re using enforces best practices.”

To help keep this medical information safe and streamlined, Cleary advises planners to gather the information at the time of registration and use a mobile-based verification program like CLEAR’s Health Pass that complies with HIPAA requirements. “But it’s necessary to include asking for permission during registration to comply with GDPR and HIPAA,” he adds.
