“The truth is various kinds of cyber threats lurk behind ANYTHING using the internet. In most cases, a threat is offensive and harmful in nature. Victims may lose intellectual property, have their online bank accounts exposed, or inadvertently distribute more malware to other machines in their network. At a higher level, hackers can retrieve confidential business information, and even disrupt critical infrastructure.” – Ahmad Mukaram, Recorded Future
In a single event, you, your staff, vendors, clients, and attendees may interact with hundreds of unique pieces of technology, both hardware and software. RFIDs, touchscreens, conference apps, social channels…For all the great that comes with increased connectivity, event managers are also faced with a harsh reality: each device is a potential target for cyber criminals.
In the last few weeks, we’ve looked at the growing threat of hacking and why live events are a desirable target. Today, we turn our attention to the specific types of cyber attacks you’re likely to find at your events and some commonsense ways to fight back.
(Note: We don’t claim to be experts in cyber security, nor are the suggestions we make intended to be exhaustive and/or exclusive. We strongly recommend you consult with cyber security and IT professionals to develop plans that are right for your events. Ok, back to the regularly scheduled programming.)
Types of Cyber Intrusions
[Any entity] “connected to the internet is a resource that can be exploited by criminals because of the data it holds.” – Warwick Ashford, Computer Weekly
Cyber criminals test your networks for vulnerabilities. Such doorways could be found in software codes or non-encrypted network traffic. They can use these opening to insert malicious code, gaining access to your sensitive data. Hackers could build false WiFi networks to confuse attendees and route people to fake websites designed to mirror your own. Or, they could simply create disruption in your systems, causing confusion and panic and threatening an event’s security.
Data Mining for Bad: Financial Scamming, Extortion, Intellectual Property Theft
Data mining is the examination and extraction of hidden information from databases. To many event marketers and analysts, data mining is gold. On a macro-level, it allows businesses to track trends and engagements with their products and services. What is performing well and what isn’t? They can use this information to alter their strategies.
Data mining can also be used to create hyper-personalized experiences for individuals. Using information that you often readily provide (e.g. personal info, likes and dislikes, search histories, etc.), companies can tailor what you see, when you see it (full disclosure: Propared, like most companies, also collects customer data in adherence with strict Privacy Policies. You can read ours here.)
In fact, data mining (or Big Data, as it’s often called) has exploded into an industry all its own, valued anywhere between $75-$150 billion. And there are companies whose sole function is to collect, store, and trade information about you and me.
Obviously, this raises privacy issues and regulators are scrambling to find ways to keep up. One of the biggest concerns involves finding ways to keep this mountain of data out of the hands of malicious individuals. Such criminals could use it to extract personally identifiable information (e.g. names, birthdates, SSNs), financial information (CC, banking information, login info), or sensitive communications between multiple parties.
Take the recent hacks of the Democratic National Committee and the Clinton campaign. While the long term effects can yet be determined, it has cleary altered the conversation and the current focus of the race.
How might this translate to your events? Suppose you allow attendees to sign in to a custom app by using their Facebook or Twitter credentials. This creates more gateways for hackers to access a person’s information. Indeed, social profiles often provide very specific information about individuals that allow hackers to build profiles of their targets (e.g. city you grew up in, mother’s maiden name, etc.). They can then leverage such information to access financial data, steal identities, even extort individuals.
Physical Mayhem and Process Disruption
Hackers might not be looking for personal data. They could be targeting utilities (e.g. power, internet, communication, surveillance), websites, interactive devices, or other processes that are running your event. These tactics could be diversionary for other attacks, or simply be to create confusion and incite panic.
Remember when SuperBowl XLVII came to a screeching halt due to a power outage? No, this wasn’t ultimately due to a cyber security breach. But it could have been. It’s a cautionary tale for what losing an important utility like electricity can do to an event. It rightly garnered massive media attention and embarrassed the city of New Orleans, the NFL, and the event production teams. You may not remember the game itself but you probably remember the blackout.
The blackout, thankfully, wasn’t a breach. But Stuxnet was. If you don’t remember this story, here’s a quick catch up. A malware program, reportedly built by US and Israeli teams was dropped into Iranian facilities used to enrich uranium. The goal? To destroy, or at least seriously set back Iran’s nuclear program. The results were devastatingly effective.
“Stuxnet, as it came to be known, was unlike any other virus or worm that came before. Rather than simply hijacking targeted computers or stealing information from them, it escaped the digital realm to wreak physical destruction on equipment the computers controlled.” – Kim Zetter, Wired
Imagine such a program crawling through the systems of this year’s Olympics in Rio, or a big music festival, or a conference. The damage could be catastrophic.
How to Prepare & Defend Against Intrusions
Right off the bat, you need to accept that you can’t be everywhere all the time. The best thing you can do is to be vigilant and respond immediately when a threat is identified. Don’t wait to address issues after the fact. By then, it might be too late and the data you are trying to safeguard may already be lost. Try these 7 tips for instituting a robust data security plan.
1. Hire a Cyber Security Team
Many cyber attacks don’t show “symptoms.” What might look like harmless network activity to the untrained eye could actually be a the beginning of a significant breach. It is critical to monitor your network activity. Or hire a specialist to do it for you. Cyber Security Teams are trained to specifically combat such attacks. They will advise you on how to setup your network, monitor live traffic, and look for anything suspicious. Companies like ProtectWise identify potential malicious acts pinging your system and work to coordinate appropriate responses.
If you don’t have the budget for a full blown cyber squad, at least hire or consult with an IT professional. One who has a deep understanding of the vulnerabilities, protocols and best practices in setting up systems. No matter how good your anti-hacking technology is, you still need smart people who know how to use it.
2. Research Before You Buy
As we mentioned in a previous blog, you are probably using third-party providers to handle many of your processes, including ticket sales, website hosting, and event management software. That means you are putting your trust in their ability to safely and securely handle transmission of data to and from their servers. Are providers encrypting transmitted data? They should be. While it won’t necessarily prevent interception, it will ensure it can’t be read. Writing in The Hartford, Tim Marlin recommends that you vet all providers. Have they been hacked before? Do they have glaring vulnerabilities? Can they recover from an attack quickly? Look for any red flags before signing on the dotted line.
3. Create Cyber Safety Zones
It is important that you separate your networks based on their usage. An IT professional will be able to assist you in drafting a network map for your event. Critical infrastructure shouldn’t share any connectivity with other types of web traffic. The goal is to isolate your infrastructure so if one network does become compromised it does not allow access to all of your others. Keep important production, communication and utility networks off of an internet connection. If one aspect does need to be connected, make sure you only attach those pieces that need it.
4. Verify WiFI Networks with Attendees and Staff
Make it clear to everyone at your event which available WiFi networks are verified for use. Quite often, attendees will find multiple networks, not all of which are your’s. They might simply choose the first network available, especially if they find one that does not need a password.
This extends to any apps or websites that are officially sanctioned by the event organizers. In the end there is only so much you can do. You cannot account for someone’s decision to not follow provided event instructions. But at least you can offer up those instructions in the first place.
5. Check Links Regularly
Cyber criminals can create false websites that piggyback off of your real website in order to steal personal information. Such pages may look and act just like real websites, even with correct information and logos. Check that no redirects have been added to your pages. This may be a sign of a larger breach of your site.
6. Know Your Regulations
Officials are stepping up efforts to combat data mismanagement and protect it from criminal actors. It’s your responsibility to know the legal steps you need to take if your event is compromised. Many breaches are not reported, which makes it difficult for regulators and security companies to identify trends for combating attacks. The FBI and other organizations take complaints and reports of internet crime. By reporting an attack you’ve suffered, you help to make your colleagues safer.
7. Work with Your Venue (and Your Vendors and Everyone Else)
Identifying and preventing a cyber attack is an all hands effort. Event managers work with all kinds of people to pull of a project. Each one has a perspective that is unique and beneficial. By involving your team in your security plans, you extend your eyesight exponentially.
Technology shapes our lives to such an extent, we often take it for granted. And we don’t fully understand the implications of giving it such control. There are serious concerns to creating wholly realized, digital copies of ourselves.
As an event manager or producer, you don’t have the luxury of ignorance. You have a responsibility to safeguard your staff and attendees. This protection extends to the data they hand over to you and the systems you put in place to do the heavy lifting. By knowing where to look for vulnerabilities, hiring the right professionals, and remaining ever vigilant, you can begin to fight back against cyber threats and keep your data secure.