Timothy M. Banks
An event should be remembered for what it offered attendees—networking opportunities, great food, stunning location and engaging keynote speakers. It shouldn’t be remembered for the chaos at the registration desks when ransomware took the registration system down or the notice informing attendees of a breach that exposed their registration and credit card data, their medical conditions, dietary restrictions and travel documentation.
Cybersecurity breaches cripple organizations operationally when information technology resources are forced offline. But this is only the beginning. The cost of replacing or upgrading systems and hardware, recovering or recreating data, informing regulators and individuals can drain financial health from many organizations. I’ve witnessed smaller organizations taken to the brink of closure because of the costs.
Although it is not possible to eliminate cyber threats, advance planning can substantially reduce the risk of a cyber breach at your next event. Here are three steps to start incorporating into your event planning to lower risks.
1 | Create a cybersecurity culture. In the rush to wow a client with an online portal, one travel management company used software that left passport information and credit card information of their clients exposed because of defects in the online tool. This could have been avoided if the travel management company or the event planner had made cybersecurity a factor in every decision. Event planners can stand out from the crowd by putting cybersecurity questions on the list of evaluation criteria when choosing vendors. Vendors can also distinguish themselves by proactively explaining their approach to cybersecurity.
2 | Train employees to recognize cyber threats. Don’t skip the investment in training just because staff members are part-time or temporary. The vast majority of data breaches involve an employee taking a misstep that allows a hacker or malware onto a system. That USB stick that was left on the table might contain a late presentation or it might contain a virus that will quickly spread through the event registration system once it is plugged into the registration desk computer. The email from the caterer with new wire instructions for payment came from “jane@cakessaplenty.com” not “jane@cakesaplenty.com”, so the money is now gone. That unsolicited call from the hotel’s IT security asking to update software remotely was actually a hacker. Employees need to be aware of common scams. Make the training relevant to the work the event staff will be doing.
3 | Look beyond compliance. Compliance doesn’t mean that data is secure. The payment card industry has data security standards known as PCI-DSS that merchants and payment card processors must adhere to. However, PCI-DSS didn’t protect customers of the event and venue management software provider whose systems were exploited. To protect systems and data, ensure that there is an ongoing program of vulnerability scans and patching of all software. Make sure all data is backed up on separate systems so that it can be recovered or accessed if the main system is infected. Look for ways to segregate different types of systems. For example, email and payment processing should not run on the same servers given that email attachments and links in emails are commonly used to spread malware.
The hospitality industry generally is a target for cyber criminals. Clients want to be wowed with the latest technology and easy-to-use websites and mobile applications. In an attempt to decrease any friction in the experience of clients and attendees, cybersecurity often gets relegated to an afterthought at best. But, the complimentary WiFi isn’t free if it results in a data breach. It is time to make digital security an important part of an event.
–Timothy M. Banks leads the Cybersecurity and Privacy practice at the law firm Dentons Canada LLP and has advised numerous companies in the hospitality industry on data breaches and cybersecurity preparedness.
