Failing to deal with IT security breaches can be costly; the UK loses £30bn a year through financial fraud alone, according to its National Fraud Authority.
Criminals are targeting industries that collect valuable personal or company credit card data.
Today’s viruses and other malware are designed to run unnoticed; data can be collected from your machine while you are using it. Cyber criminals want data they can either use or re-sell, and corporations are increasingly seeking a degree of anonymity when they stage or attend meetings, in order to protect their brand and their delegates. Events are a major source of client and prospect data, including credit card data from fee-paying delegates, and as such are in the front line of cyber crime.
What information security processes and systems should meeting buyers have in place, and what role should the agency play? Dave Wagner, Technical Program Manager at CMG Events and Studios at Microsoft, gives a buyer’s view, and Warren Hillier, Head of Commercial Finance at Grass Roots, answers for the agent.
What is the greatest danger to information security for meetings and for their delegates?
Events are a key source of consumer data. The biggest risk, depending on the size of the event, comes from registration companies not being secure. If they are collecting money, it is about how it is stored, where and who has access to it.
There is a code of conduct in the US for handling credit card data. Microsoft will not do business with any registration companies not certified to the PCI standard for data security (which can cost up to £252,000), and neither should anyone else.
It depends on the nature of the event and the audience profile. Healthcare and biotech organisations are concerned about breaches by animal rights activists or ethics campaigners, whereas IT and Telecoms businesses are more concerned by information security lapses or the leakage of sensitive data into the public domain.
Each sector and business has its own priorities around critical information security concerns. What these threats have in common is the potential to cause lasting damage to the image and brand of both the event owner and their participants.
What are the key challenges facing buyers and planners?
It is about having a clear policy and systems to manage delegate data, once captured, because the data can be available to many people. Having gathered the data, what will you do with it? Will it be transmitted securely? Will the delegate list be printed out? If so, who will see it?
Beyond the financial risk is the public relations hit and the cost involved in restoring lost credibility. In the US, any company that suffers a reported breach of credit card information must offer the victims a credit monitoring service, which can cost up to £4bn depending on the level and frequency of breach. If you are a bank, you don’t have a future if people don’t trust you with their money. The same applies to data breaches.
Buyers and planners need to engage event agencies that have the time and resources to fully understand the issues and which have developed a framework for identifying, minimising and eliminating risks. Most agencies will make that claim but, with no real compliance code against which to benchmark them, the buyer or planner has no way to tell which ones actually practise what they preach. Buyers should ask tendering agencies to explain their systems, personnel and expertise, as well as listing standards they have achieved, such as ISO accreditation, internal compliance frameworks and so on.
Buyers also need to be aware of the possible penalties. Since April 2010, the UK’s Information Commissioner’s Office has had the power to impose a £500,000 fine for a breach of the Data Protection Act. Keeping up to date with changes in legislation and regulatory requirements can be hard, so a good agency can be a big help.
What is best practice in information security for meetings and delegates?
The risk is all around security breaches after the data has been gathered, especially post-event.
Information should be held in a secure database with standard passwords disabled. You need to establish who has access to the data. If transmitted, data should be encrypted. If accessed online, this should be via SSL (Secure Sockets Layer – a protocol developed for transmitting private documents via the web), using user names and passwords distributed independently of each other.
Post event, the registration company should hand over all data gathered and then purge the personally identifiable information from their systems. Once that data is handed back to the owning organisation it then has to be managed within a Customer Relationship Management (CRM) system, tagged appropriately and distributed. CRM systems also need processes to ensure that no unauthorised person can view them.
I would like to see a single standard for data management. In practice, this would be very difficult because there are so many countries, jurisdictions and laws. While it is possible to define some standards, there are too many barriers to global adoption. Realistically, only the credit card industry could bring this about.
Any best practice framework needs constant review and development to remain effective against the prevailing threats. The framework should include the security of the following key areas:
- Physical assets
- Electronic assets/data
- Personnel (background checks)
- Sub-contractors/third party providers
Information is only as secure as the weakest link in the chain; it is therefore of paramount importance that a thorough review is made of the risks around data management. The agency must demonstrate that there is strength in all these key areas. To be brilliant in one aspect is completely undermined by a weakness in any other.
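The three controls called for in the answers above (standard passwords disabled, a defined view of who may see which delegate details, and a purge of personally identifiable information once the event is over) are illustrated in the following added example. It is not code from the interview, from Microsoft or from Grass Roots; the delegate records, the roles and the list of default passwords are constructed for the example, and the keyed-hash token that replaces the purged email address is an assumed substitute for the tagging a CRM system would do.

```python
"""
Added illustration of post-event delegate data handling.
All records, roles and passwords below are constructed for the example.
"""
import hashlib
import hmac
import secrets
from datetime import date

# Fields that identify a delegate and must not outlive the event.
PII_FIELDS = ("name", "email", "phone", "card_last4")

# Which roles may see which fields when the delegate list is viewed
# (constructed policy; a real event would define its own).
ROLE_VIEW = {
    "organiser": ("name", "email", "phone", "company", "session"),
    "venue": ("name", "company", "session"),
    "caterer": ("session",),
}

# Constructed stand-in for the vendor defaults that must be disabled.
STANDARD_PASSWORDS = {"password", "admin", "changeme", "welcome1", "12345678"}

# Constructed delegate records; the third is Ann re-registering with a
# differently cased address, which the pseudonymous token should reconcile.
DELEGATES = [
    {"name": "Ann Example", "email": "ann@example.org", "phone": "+44 20 7946 0000",
     "card_last4": "4242", "company": "Example Ltd", "session": "Keynote"},
    {"name": "Ben Sample", "email": "ben@example.net", "phone": "+44 20 7946 0001",
     "card_last4": "1111", "company": "Sample plc", "session": "Workshop"},
    {"name": "Ann Example", "email": "ANN@example.org", "phone": "+44 20 7946 0000",
     "card_last4": "4242", "company": "Example Ltd", "session": "Workshop"},
]
EVENT_END = date(2010, 10, 14)
DAY_AFTER = date(2010, 10, 15)

# Key for the reporting token. Generated per run here; in practice it would
# live in a secret store so reports stay comparable between events.
REPORT_KEY = secrets.token_bytes(32)


def is_standard_password(candidate: str) -> bool:
    """True if the password is a known default and must be rejected."""
    return candidate.lower() in STANDARD_PASSWORDS


def view_for_role(record: dict, role: str) -> dict:
    """Return only the delegate fields the role is entitled to see."""
    if role not in ROLE_VIEW:
        raise PermissionError(f"role {role!r} has no access to delegate data")
    return {k: v for k, v in record.items() if k in ROLE_VIEW[role]}


def pseudonymise(email: str, key: bytes) -> str:
    """Keyed hash of the normalised email: lets post-event reporting count
    repeat attendees without retaining the address itself."""
    digest = hmac.new(key, email.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def purge_pii(records: list, event_end: date, today: date, key: bytes) -> list:
    """After event_end, strip PII fields and keep only a pseudonymous token.
    Within the event window the records are returned untouched."""
    if today <= event_end:
        return records
    purged = []
    for r in records:
        kept = {k: v for k, v in r.items() if k not in PII_FIELDS}
        kept["delegate_token"] = pseudonymise(r["email"], key)
        purged.append(kept)
    return purged


if __name__ == "__main__":
    print("default password rejected:", is_standard_password("Password"))
    print("venue view:", view_for_role(DELEGATES[0], "venue"))
    for row in purge_pii(DELEGATES, EVENT_END, DAY_AFTER, REPORT_KEY):
        print("post-event record:", row)
```

Running the module prints the restricted venue view and the purged records; the two Ann registrations share one token, so attendance can still be counted per person after the name, email, phone and card digits are gone.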
What role should agencies play?
Those agencies that spend a lot of time trying to make sure buyers are more aware of the risks, privacy laws and best practice have a clear advantage. They should be pointing out to the client that they can do things differently and potentially avoid malpractice fines that can run into millions.
The best ones add real value, providing mitigation of financial and reputational risk through robust planning. The ability to manage not only the physical security but also the intellectual security of an event is an increasingly important part of our proposition.
What role should IT, HR and other departments play?
Although IT has to ensure that the data set is defined and the controls are in place, and HR is a stakeholder in data security, the lead on privacy in events should come from the group charged with putting them on. Microsoft has two privacy groups that work with other functions to ensure privacy policies are robust. The critical stage in this is post-event.
It cannot be left to IT, HR or any other departments. An effective security committee is essential and should include senior managers and directors.
What is the future for fighting data crime likely to hold?
Cyber crime is now a huge risk to corporates, and one that many people do not understand. Those in the public sector have to become more savvy about what should be done, especially as successive generations adopt a more electronic way of life. Unfortunately, the people committing cyber crimes are also going to become smarter. People need to be more conscious of what personal and company data they are handing over, and what they should not be disclosing.
The credit card industry will drive the technology to enable cards to be more secure than they are now, but while there is temptation, there will always be greed.
The relationship between data crime and information security is like an arms race. Rapid and effective response to emerging threats will be essential. Consequently, organisations that demand the highest levels of information security will spearhead the fight against data crime.
The harsh reality is that cyber criminals have their greatest success with the weakest targets, so the future of information security is about ensuring you are not the easiest target.