Cyber hacking has evolved from a hazy IT concern to a public menace. In April, WannaCry ransomware hit hundreds of thousands of systems around the globe, including the U.K.’s National Health Service, nearly 30,000 research and educational institutions in China, and police computers in the Andhra Pradesh state in India.
Weeks later, another cyber attack swept the globe in the form of Petya, whose malicious software infected machines in several global companies, including marketing communications company WPP and Mondelez, one of the world’s largest snacks companies.
And last month in Malaysia, the personal details of some 46.2 million mobile-phone subscribers were leaked online, in what is believed to be the largest data breach in the country.
As event planners, we accumulate masses of sensitive data every time we hold an event. And as the industry becomes increasingly digital, with more and more data gathered by smart gadgets and event apps, how can we safeguard events against a data breach?
Kai Hattendorf, managing director and CEO of UFI, the global association for exhibitions, said the industry is still grappling with how to manage big data.
“Data gathering and data analysis is still not structured,” he said. “Everybody is talking about it, but no one knows how it works.”
Speaking at the Singapore MICE Forum 2017, held July 27–28, Hattendorf said that we now have myriad tools at our fingertips that capture data, but there is often an argument over who owns the data and, therefore, who is responsible for its protection.
“Event organisers say data related to their customers is their data, but service providers say, ‘We’re collecting the data for you, so it’s our data that we’re handing over to you.’ Then venues argue, ‘This is happening in our space, therefore it’s ours.’”
Ultimately, it comes down to who’s gathering and providing data and who runs the server.
“Event planners have a duty of care to keep people safe,” Hattendorf said. “We need to apply the very same thinking in order to keep data safe.”
Michael Park, cyber security adviser and partner at international law firm Allens, which has offices across Southeast Asia and Australia, said that many event planners aren’t equipped to fight on the global cyber battlefield.
“Cyber security is like an arms race,” Park said. “There’s a continuing escalation so that the hackers are always one or two steps ahead of counter measures that are developed.”
According to the 2017 Verizon Data Breach Investigations Report, 44 records are compromised globally every second and two-thirds of data breaches arise from a deficiency in supplier systems.
Park strongly advises event planners and venues to manage third-party vendors with active due diligence — from both an operational and contractual perspective.
“Ensure service agreements include points on confidential information, security access, and notification in the case of a breach, as well as compliance,” Park said. “You need to look carefully at who you’re doing business with and, in particular, the sort of people you’re sharing data with.”
Event planners should also have an appropriate cyber response or data-breach plan that is practical, up-to-date, and easy to follow. According to Park, the plan should consider scenarios for both external and internal data breach (such as accidental loss) and appoint a response team with representatives from across various departments.
“Cyber security isn’t just an IT issue. It impacts all aspects of the business,” Park said. “Everybody needs to be trained and everybody needs to be diligent because if you have a lapse in security, it can cause a loss in visitor trust, reputational damage, and ultimately, a loss of business.”
The onus is now on company directors to educate employees and provide regular training and data audits. It’s important to ensure temp staff are also made aware of data-protection policies, like password protocol, and limit access to internal servers.
For events in sectors where content is highly sensitive, such as pharma or financial services, consider using private servers or setting up a virtual private network (VPN) to safeguard information from potential leaks.
There’s also a growing threat of cyber attacks on critical infrastructure. “A worst-case scenario would see a venue’s technology system compromised,” Park said, “leading to an external organisation taking control of the venue, locking doors and sealing exits. This has not yet been seen, but is considered a significant risk.”
An additional concern for event planners is not only the ease with which data travels, but also the changing nature of data-protection laws.
UFI’s Hattendorf gave the example of China, where companies must set up servers in the mainland in order to overcome the “Great Firewall.” Meanwhile, regulation in the EU dictates data must be stored locally or in countries with similar laws; and in Australia, companies are gearing up for mandatory data-breach notification laws, which will be rolled out in Feb. 2018.
Ensure you have a cyber-security policy that outlines codes of conduct for employees while they’re on the road, and warn against the risk of accessing company information while using public Wi-Fi networks.