Is Your Event App Secure?
Consider these issues to catch any vulnerabilities before problems arise.
Mobile apps for meetings and events have grown into more robust, comprehensive systems than when they debuted several years ago. Early iterations were simply a digital version of a show guide, offering venue maps, agendas, and sponsor information. As the use of mobile devices has continued to grow, planners now aim to make their event apps complete solutions that offer everything from detailed attendee profiles to private messaging and even payment options. As these apps become more complex, planners need to consider the security and privacy of the data they are gathering and storing.
We spoke to three executives from mobile app companies to identify the critical issues on this topic. Alon Alroy is co-founder of Bizzabo, Jon Phillips is C.E.O. of Gather Digital, and Lawrence Coburn is C.E.O. of DoubleDutch. Here's what they suggest planners keep in mind to minimize risk.
Get some peace of mind up front by finding out whether the app provider has experience creating mobile apps for other companies that value security. “Have they worked with financial services, Fortune 500 high-tech, pharma, government agencies? If you see some logos from industries that are known to have a low tolerance for poor security practices, then you know there are other customers that have surely put them through an audit,” Coburn says.
While it is certainly easiest to make an app completely open, without the need for a user to log in, it also means that all of the information in it is visible to anyone, anywhere. An intermediate level of security is to provide a universal password to all attendees, but Phillips cautions this has risks too. “When you are using a universal password you are absolutely trusting that everyone will be on their best behavior, and no one’s going to log in as their friend and post a stupid photo or whatever—even just to be funny—and that’s the best-case scenario,” he says. The most secure option is to require each user to log in with a unique password, either one they create themselves or one that is provided to them.
Guests should have control over whether they appear in a list of attendees and also how much of their personal information is visible. Some may want to show complete contact information, social network handles, and other information, while others may prefer to remain anonymous. This can be of particular concern for attendees in industries such as financial services or pharmaceuticals or those from European Union countries, which may have strict guidelines about attendee privacy. “We leave it to the choice of the event organizer to choose whether they want to have an opt-in or an opt-out networking community,” Alroy says. “As long as the attendee has the option, I think it solves that privacy concern.”
Vendor access and usage
Ask the app provider about its policies and processes for handling the event’s data. Can all of its employees see your event’s data in its content management system? That may create an unnecessary vulnerability. Also ask how the provider plans to use the data. “It’s not enough for a vendor to say, ‘We’re not going to sell your attendees’ data.’ They also have to promise not to market to the attendees or the exhibitors that are in your app,” Coburn says. “The safest answer that you are looking for is the vendor that says, ‘We will use analytics from the event in order to improve the product.’”
Find out whether the app provider encrypts data at each step of the process: while it is stored on the provider’s servers, as it travels over the Internet, and as it is used on attendees’ devices.
Ask which security tests are being performed by third parties and whether the provider is willing to share those test results with you. “You want to think about what tests are being performed on the content management system,” Phillips says, “and is their network and infrastructure protected.”