How to Identify Event App Security Breaches and Other Threats
Introduction
Data is an integral component of your event. As a planner, you collect information about everything, from venue specifics and budgets to registrant details and vendor contracts. You preside over all kinds of private, personal and sensitive data from attendees, including email addresses, phone numbers, credit card numbers, etc. Your organization relies on you to be vigilant and take the appropriate measures to provide a safe and secure environment for all stakeholders and you have an ethical and legal obligation to protect them from threats and losses.
According to a report from Meeting Professionals International (MPI) and audio-visual company PSAV, 7% of event planners say they are lucky to have any process in place when it comes to system and data security, 25% mention that processes are implemented on a project-by-project basis and 32% state that organization-wide processes are in place. Obviously, there is room for improvement when it comes to data security.
Being familiar with the terms, issues and industry standards associated with data privacy and security will help you navigate the landscape, select the appropriate vendors, assist your IT and security teams and potentially save your organization a lot of time and money. Similarly, understanding the nature and risks of sensitive data will enable you to better assess your own requirements based on where data is being stored. In this unit, we will take a closer look at common threats, discuss how to safeguard data and examine best practices for event-specific data security.
Identify Event App Security Breaches and Other Threats
Anyone with the skills can compromise your data integrity, including:
- Malicious hackers
- Disgruntled former employees
- Resourceful competitors
- Underhanded vendors
- Exhibitors looking for lead lists
Safeguarding your computer network is increasingly difficult. The methods for exposing and exploiting vulnerabilities are always changing. The introduction and adoption of new technology tends to increase the number of avenues for compromise, and developing security protocols is always a game of catch-up. Let’s take a look at some of the most common ways that information is lost or stolen and steps you can take to mitigate the losses.
Malware
Software that can undermine your organization’s security often comes attached to emails and SMS messages. Computer code (i.e. viruses, worms, Trojan horses, adware, spyware and ransomware) that infects your computer as soon as you click on a suspicious link or open an unfamiliar attachment is referred to collectively as malware, which is short for “malicious software.”
Threats on Mobile Devices
Malware for mobile is on the rise. Android’s less-prohibitive operating system makes it more vulnerable, but iPhones and tablets are not immune either. Bring your own device (BYOD) policies at workplaces make personal devices a target for hackers. They are often easier to compromise than computers, which are usually left in the office and are more heavily protected. Plus, if you access your work email from a mobile device, odds are that your device has cached sensitive emails in its memory. Cyberthieves know that your personal phone is often a gateway to your professional data.
Threats Through Apps
Apps available through official app stores must go through an approval process in which both Apple and Google test basic functionality through API calls to ensure that app developers are not doing anything malicious or violating the company’s terms of use/service. Still, maliciously motivated apps can sometimes appear in stores disguised as functional apps. They gain access to your settings, contacts, and other confidential information for nefarious reasons. When an app you have downloaded tries to access these, your phone should prompt you to give the apps permission. Be cognizant of which apps you are allowing to access your personal data and mobile settings. Not everything you download needs access to such information. We are so accustomed to signing away our privacy in exchange for convenience that we often do so out of habit when asked. If you are managing sensitive data on your phone, be especially cautious.
Phishing, Impersonation and Social Engineering
Phishing and social engineering schemes pose as a legitimate service, or as an update to a service already in use, in order to trick customers into handing over sensitive information (e.g. usernames, passwords, credit card details, etc.).
Phishing
Phishing is the practice of impersonating a business or other trustworthy entity (your bank, for example) in an electronic communication in order to obtain sensitive information or to get the user to click on a link or install an app. Attackers may target you for phishing schemes, but they can also target your contacts. By stealing your contact list, hackers can send out a phishing email to all of the parties listed on it and make it look like the message came from you. Email lists, especially those containing contact names, company names and relationships, are highly desirable for phishing scammers.
Social Engineering
Social engineering is the practice of exploiting social rules, channels and behaviors to obtain and misuse information, such as when someone calls an elderly woman pretending to be her grandson and asks for her banking details. Social engineers also take advantage of any opportunity to peek at open computers, tablets and unlocked devices so they can collect the information needed to exploit or trick you later. Locking your laptops and other devices whenever you step away from them and requiring a password upon resuming use will help you guard against this sort of information theft.
Interceptions and Data Stealing
Your event is a bounty of data transactions that all kinds of people would love to access, like registration lists (names, email addresses), credit card information passed through online transactions, and data stored on computers and laptops carried around the event. Hackers can intercept this data as it moves back and forth, extract the data from browser software or follow the web activity generated by the transactions.
Password protection is not as secure as it once was and hackers have developed methods of discerning simple passwords in seconds using programs that try every possible combination, starting with common permutations. If they cannot ascertain passwords using these methods, they will sometimes use “hotspot honeypots,” like the infamous Pineapple router, which can impersonate WiFi connections and record all the traffic that passes through them. Some conference venues provide WiFi that is either totally open to the public or protected by a password that is widely disseminated and easy to discover, so these malicious workarounds are not even necessary. A good rule of thumb is to assume that a third party is intercepting any data transmitted over an insecure network.
Data Loss
One of the most common reasons for data loss is misplaced or stolen hardware, such as leaving your laptop at the coffee shop or losing your phone in a taxi. It is essential that these devices be properly secured if they have sensitive data on them. Apple devices allow you to locate them using GPS services and wipe them remotely in the event that they are lost or stolen. Regardless, you should always protect them with passwords and require the password anytime the device goes to sleep, shuts down or displays the screensaver.
Employ Common Practices for Safeguarding your Systems and Data
Now that you are familiar with some of the threats to your data security, you can employ some strategies to combat them. The tools and software you invest in (antivirus software, encrypted cloud storage, etc.) will depend on the type of data you are working with, and the extent to which it is publicly available. Regardless of what level of data security measures you take, there are some common best practices that serve as a baseline. The best safeguard against malware, phishing and social engineering is awareness. Knowing the threats that exist and the ways in which your data is susceptible to theft will empower you to design security protocols that protect you and your data.
Level of Security
The first thing to do is define the level of security your particular data sets and data systems need. Your vendor list probably does not need to be that secure if such information is publicly available, but if it contains key contact information, it should be safeguarded. Phone numbers, emails, addresses and any other personally identifiable information should be highly guarded and your technology, like your event app and registration page, should never make this information publicly available. Social engineers can use this information to launch attacks.
You should limit requests to only the information that is absolutely necessary to provide participants with event-related services. It should be clear to them why they are giving you personal information at the point of disclosure and you should establish official channels for collecting it that are clearly communicated. Doing so will help guard against others impersonating you and asking for more details (or the same details again).
Password Policies
To create a strong password, length is as important as variance (including upper and lower case letters, numbers and special characters). The standard is a minimum of 8 characters, but the longer the password is the better. Hackers often begin with common permutations, which are words and character combinations that people commonly use for passwords, so a combination of letters and numbers, etc. is preferable. One way to generate a strong password is to think of a phrase or song lyric and use that, using numbers and special characters between words instead of punctuation, e.g. “signed6sealed6delivered6I9myours.” You can use online password generators if you are having a hard time coming up with a secure password for each device and account or you can use a rule to make your passwords easier to remember. For example, you could pick a poem and pick a different line for every account.
Protect Your Devices
The first step, and luckily a default for most people, is to password-protect all the devices you use to access sensitive data and networks. For example, if you get all your speaker images and bios by email and you access that email from your personal phone, you have to take measures to secure the information on your phone even if your email account is secure. Your device likely caches your emails in your offline storage, so you do not even need to be connected to access them. If one of your devices is lost or stolen, a culprit with enough technical savvy can access the information from the cache and use it against you.
Many mobile devices provide password options with varying degrees of security. Biometric measures like the fingerprint scan on iPhones and facial recognition on Androids are meant to be more secure, though some people find it unnerving that their authenticating features (such as fingerprints) are being stored in the cloud. Plus, both types of devices allow for bypassing the biometric measure with a personal identification number (PIN), so consider using a secure passcode rather than a simple 4-digit PIN.
Android’s operating-system settings offer a hierarchy of options that run from least secure to most secure:
- No lock screen (no security)
- Slide (no security, but at least there is a lock screen)
- Face-unlock (theoretically maximum security, but finding an image of your face is easy)
- Pattern (a medium-security PIN in a shape, such as a square, zigzag, etc. that you swipe over)
- PIN (a medium-security 4-6 digit PIN that you enter to unlock your device)
- Password (a password of your choosing)
You should also make sure that encryption has been enabled on your device. For Macs, this is a built-in feature called FileVault. Encryption can be enabled on iOS and Android devices through the settings menu. Do not root or jailbreak the device, as that removes the software restrictions and native security provided by the manufacturer. For added protection, disable WiFi and Bluetooth when you are not using these features or apps that require them.
Proactively update your device’s operating system. Many users disable automatic updates, preventing the fixes from coming through, just because they do not want to be pestered with the update prompts. Your carrier or phone manufacturer releases updates periodically, but those usually only coincide with major releases and fixes to issues that are known to affect many users. Minor bug and security fixes are released more frequently. Updating your operating system proactively will capture those as well. In recent years, we also saw an increase in anti-virus software for mobile devices.
Many devices also come with a function that allows you to locate your device if it is lost or stolen. For iPhones, this is called “Find Phone.” For Google/Android devices, this is called “Find my Device.” Both can be enabled within the privacy settings for your device.
Protect Your Accounts
It is a best practice to have a different password for every account. Each account could be an attack vector, and if you use the same password for everything, hacking into the rest is that much easier. Creating different passwords for your systems, email accounts and event software adds a layer of security that helps prevent people from accessing them. Passwords alone aren’t always effective for sensitive information. Sometimes, you need additional security. Many people find the best practice of using complex, frequently changed passwords challenging, so they save them on their phone or computer. This defeats the purpose. It is better to set up a security question based on personal information that is not easily researched or socially engineered, to answer after entering the password.
Do not forget your social networking sites. Employ all the password best practices for your Facebook, LinkedIn, Twitter, and other accounts also.
EVENT PLANNER PRO TIP: Protect Data with Two-Step Authentication
Two-step (a.k.a. “two factor”) authentication is another powerful option, which employs a password of your choosing as the primary layer and then sends your mobile device or authentication app a one-use verification code as an extra layer of security. Once you get the code, you enter it within a limited timeframe (say 30 seconds) or the code becomes invalid.
Some of the software available may not offer two-step logins, so another option is to use a “password safe,” like OneLogin, LastPass, and 1Password. These services attach complicated passwords to all of your accounts, but provide you with single sign-on access through their platforms.
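The time-limited, one-use code described in the tip above can be illustrated with the standard TOTP algorithm (RFC 6238) that most authentication apps use. This is an added example, not code from the original article or from any vendor it names; the `TotpVerifier` class, the drift allowance and the sample secret (the RFC's published test key) are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # each code is valid for one 30-second time step
DIGITS = 6


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code for the time step containing at_time."""
    counter = int(at_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check (hypothetical helper): accepts a code only for the
    current time step, allowing a little clock drift, and only once."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_used_counter = -1  # newest time step already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP_SECONDS
        first = current - self.drift_steps
        last = current + self.drift_steps
        for counter in range(first, last + 1):
            if counter <= self.last_used_counter:
                continue  # one-use: a step that was already accepted is refused
            expected = totp(self.secret, counter * STEP_SECONDS)
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: the shared secret is the RFC 6238 test key,
    # and the timestamps are fixed so the run is repeatable.
    secret = b"12345678901234567890"
    code = totp(secret, 59)
    server = TotpVerifier(secret)
    print("code shown in the app at t=59s:", code)
    print("first login attempt accepted: ", server.verify(code, 59))
    print("same code replayed:           ", server.verify(code, 59))
    print("same code two minutes later:  ", TotpVerifier(secret).verify(code, 179))
```

The replay and expiry checks are what make the second factor useful against interception: a code captured on an open network is refused once it has been used or its time step has passed.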
Protect Your WiFi
Because people can deliver malware through the network your guests are connected to, it is critical that you secure your WiFi networks so that only individuals with permission can access them.
There are a number of things you can do to protect your networks and connections. Lock down your WiFi. There are two standards for doing this: Wired Equivalent Privacy (WEP) and WiFi Protected Access (WPA, or the newer WPA2). WEP is an older standard but exists on almost all modern routers and establishes a password for the router that encrypts the data as it passes from the router to a device with the WEP key for unlocking it. The trouble with this is that it uses the same password for every device and hackers have proven able to decipher it. WPA and WPA2 emerged as a better standard for securing connections and encrypting the data on them.
When using public WiFi, use a virtual private network (VPN) to establish a secure connection to your organization’s network. VPNs use a combination of dedicated connections and encryption protocols to generate virtual point-to-point connections and can enable secure access over public WiFi networks.
Back Things Up
While malware is often designed to record, steal or manipulate information for a particular purpose, some just exists to destroy your data. This malware is delivered in the same way as the others, but guarding against it is, in some ways, slightly easier. While you should observe preventative measures, you should also back up your data so that, in the event of an incident, you have a record of everything you have lost. Backing up your data is an essential part of mitigating data loss. Whether the cause is malicious or not, data loss can have a detrimental impact on your business. You have a number of options for backing up your data that range from external hard drives to cloud storage.
A trusted vendor will also have back-up strategies designed to minimize the risk of data loss and they will be forthcoming about them in marketing and technical collateral. Options may include “high availability” or “failover” strategies. The former is when multiple servers share the load of hosting and delivering data so that, if some go down, others pick up the slack without a service interruption. The latter basically replicates a system exactly like the one currently servicing the data, standing ready to activate in case there is a failure in your current system.
Many people think that, having backed up their data, they can just delete it from their primary devices. The point of a backup is precisely to have it in two places in case one fails. External hard drives sometimes fail. If you are backing up your data using a cloud service, the same can be true. Cloud servers are, after all, still physical computers that simply exist elsewhere. They too are susceptible to failure, natural disasters, etc., although most cloud storage services have implemented their own failsafes to guard against such failures.
Be sure that your data is being encrypted wherever you are backing it up, and that you have cleaned out the offending malware from any devices connected to your backup. You should also test your backup periodically to make sure it works.
Protect Event-Specific Data
As mentioned, events deal with large numbers of people and it is your responsibility to provide them with a secure place to conduct business. The basics begin with securing your WiFi and other networks, limiting access to event software like your event app and game, and so on. As an additional layer of security, you can employ white/blacklisting policies for websites and mobile apps that cannot be verified as secure.
With the growing number of information and security offenders, whitelisting policies are becoming more popular. Blacklisting takes a “default-allow” approach, letting everyone in except those specified, whereas whitelisting is much more restrictive and takes a “default-deny” approach. This, however, limits users’ freedom, blocking their access to pretty much everything except the resources that are approved. Blacklisting, on the other hand, is more appropriate when you know where the potential threats are coming from; such policies are widely applied in casinos and retail malls against banned individuals. Either of these policies can come in pretty handy depending on your security requirements.
One thing to keep in mind, though, is that you cannot guarantee the best possible security with blacklisting policies; while giving more freedom to users, you open up opportunities for hackers. That said, blacklisting is usually applied to limit people using your WiFi for unrelated activities, which will reduce your bandwidth requirement and encourage people to engage in the event activities. Moving past the basics, you need to be diligent about protecting the data used in all your event-specific software. You may wish to hire a security company to protect against advanced threats such as attacks on the cellular network, jamming of signals for audio-visual equipment, etc.
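The difference between the “default-allow” and “default-deny” policies described above shows up most clearly on a site that appears on neither list. The following is an added example, not part of the original article; the function names and every hostname (all under the reserved `.example` domain) are constructed for illustration.

```python
def _matches(host: str, entry: str) -> bool:
    """True if host is the listed entry itself or a subdomain of it.

    Matching on a label boundary (".entry") means a lookalike such as
    "fakeeventapp.example" does not pass as "eventapp.example".
    """
    host = host.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


def blacklist_allows(host: str, blocked: list) -> bool:
    """Default-allow: everything passes unless it is on the blocked list."""
    return not any(_matches(host, entry) for entry in blocked)


def whitelist_allows(host: str, approved: list) -> bool:
    """Default-deny: nothing passes unless it is on the approved list."""
    return any(_matches(host, entry) for entry in approved)


def compare(hosts: list, blocked: list, approved: list) -> dict:
    """Map each host to (allowed by blacklist policy, allowed by whitelist policy)."""
    return {
        host: (blacklist_allows(host, blocked), whitelist_allows(host, approved))
        for host in hosts
    }


# Constructed policy lists for an event WiFi network.
BLOCKED = ["video-stream.example", "known-bad.example"]
APPROVED = ["eventapp.example", "registration.example"]

# Constructed sample of sites that guests' devices try to reach.
SAMPLE_HOSTS = [
    "api.eventapp.example",        # the event app's own backend
    "cdn.video-stream.example",    # bandwidth-heavy site, subdomain of a blocked entry
    "never-seen-before.example",   # on neither list
    "fakeeventapp.example",        # lookalike of an approved name
    "eventapp.example.lookalike.example",  # approved name used as a prefix only
]

if __name__ == "__main__":
    print(f"{'host':40} {'blacklist':10} {'whitelist':10}")
    for host, (bl, wl) in compare(SAMPLE_HOSTS, BLOCKED, APPROVED).items():
        print(f"{host:40} {'allow' if bl else 'block':10} {'allow' if wl else 'block':10}")
```

In the output, the unknown host and both lookalikes are allowed by the blacklist policy and blocked by the whitelist policy, which is the gap the paragraph above warns about.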
Data Encryption
Data encryption should be a fundamental offering of your service providers, particularly those that deal with sensitive or personal information like your registration system and your event app. Encryption basically requires the use of passwords to protect your data. It often stores them in a password-protected bundle. You should also think about what data needs to be encrypted. Publicly available information does not have to be encrypted. If your app contains personally identifiable attendee data, their emails, details in hidden fields, etc., the information should be encrypted.
Another consideration is whether your data is being encrypted “in transit,” when it is being submitted and passed from system to system, or only “at rest” wherever it is being stored. Many services will give you the option of encrypting data or not, and there should be both support and documentation for determining whether their security meets your needs. One standard for data encryption is the Secure Sockets Layer (SSL) certification. Websites that meet this level of encryption begin with “https” rather than “http” and have a little green lock next to the website address when opened in Chrome.
Registration and PCI Level 1 Compliance
Whether online or onsite, registration systems collect all the data required for guests to attend the event, stay updated and pay for tickets and accommodations, etc. It is imperative that your registration systems be secure. Onsite, self-registration kiosks and computers used for registration must be protected.
Payment card industry (PCI) Level 1 compliance denotes the highest level of security for credit card and other transactions. Any registration site or widget that processes payments must be compliant. The PCI Security Standards Council is the governing body that determines the standard of security for all transactions. Compliance is earned by ensuring a required level of data encryption and by meeting the Data Security Standard, which can be found on the council’s website. Your registration system may not need to be PCI Level 1 compliant if the service it uses to process payment transactions is compliant.
Cloud Storage Precautions
The introduction of cloud storage opens new possibilities for breaches in data security and requires some vigilance in managing your data, particularly since data-privacy legislation tends to fall way behind the development and application of technology. It is unrealistic, given the direction technology is going, to avoid putting anything on the cloud. Rather, keep sensitive data off the cloud and employ security standards and measures to protect what you do store there. Ask vendors and service providers a few questions about how their cloud storage service works: Who is the vendor’s data-hosting (cloud) service? Is it reputable? You can review cloud security standards from here.
In Conclusion
As an event planner, it is critical for you to take measures to provide a safe and secure environment in which your attendees can exchange personal, financial and other sensitive information. It is also important to ensure that your organization’s confidential data is protected by implementing systems, processes and training that are up to date and compliant with security standards and best practices. When selecting software and service providers, look for those that comply with the established security standards in the industry as well as those in your organization. All vendors and service providers should be transparent about the security measures they have in place, and you should be diligent in checking them.