Data security is increasingly becoming top of mind and making headlines as it continues to impact businesses around the world. Just about every week, there is a fairly major cyber-security event that gets talked about in public – and there are many more that don’t get talked about. It is a major problem for any organisation that has valuable information to protect (which means most companies these days) – especially for those involved in the world of events.
We have talked a lot about the issue in the last couple of months, addressing things like the kind of data security questions you should be asking your event management solution provider and some of the considerations you need to take when dealing with delegate card payments. Most event planners will also be following their own organisation’s security policies when it comes to storing and sharing event data – from communication procedures to firewalls, encryption and anti-virus software.
However, while IT focuses on outside threats, there is also an element of risk lurking from within. Over 40% of data loss [1] is the direct result of internal threats which come about from staff mishandling data – whether intentional or unintentional. In fact, our event data security study exposed a number of important vulnerability areas – like staff password hygiene, email communications and data storage – that event planners should be paying greater attention to in order to prevent data from getting into the wrong hands.
Have a look at the following best practice guidelines that can greatly improve security around your event and delegate data:
Don’t Put Anything in Email That You Wouldn’t Put on a Postcard
Email communication is one area of vulnerability. Our study found that 65% of respondents emailed their event data (attendance reports, registration lists, invoice reports) to third parties or other departments within their organisation after downloading the information from the event management systems. Another 36% admitted to having emailed their API key – a form of authentication that allows third party systems like event apps to access data saved in your event management systems.
The truth is that it is difficult and cumbersome to encrypt data in emails from end to end – so you should always think about what you are sharing on email. Check before sending that you have the right recipients and encrypt data within if necessary. If you don’t need to email it, don’t. For example, when confirming registration details with your delegates, don’t include all their details within the body of the email but instead, include a personalised link that will lead them directly to their registration page on your event website. Equally, never email your event system API key(s) to ANYONE as this could expose your data to anyone who has access to this key. If you need to share it, do so over the phone.
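One way to build the personalised registration link described above so that the email carries no delegate details (an added example, not Eventsforce code). The secret key, base URL and parameter names are constructed assumptions; the link holds only an opaque delegate ID, an expiry time and an HMAC signature that the event website checks before showing the page.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders (assumptions): load the real key from a secrets store.
SECRET_KEY = b"replace-with-random-server-side-secret"
BASE_URL = "https://events.example.com/registration"


def _sign(delegate_id, expires):
    """HMAC-SHA256 over the delegate ID and expiry, URL-safe base64 encoded."""
    message = f"{delegate_id}.{expires}".encode()
    digest = hmac.new(SECRET_KEY, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_link(delegate_id, ttl_seconds=7 * 24 * 3600, now=None):
    """Build the link for the confirmation email.

    delegate_id must be an opaque random identifier, not a name or email
    address, so the URL itself reveals nothing about the delegate.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"d": delegate_id, "e": expires, "s": _sign(delegate_id, expires)})
    return f"{BASE_URL}?{query}"


def verify_link(url, now=None):
    """Return the delegate ID if the link is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlsplit(url).query)
    try:
        delegate_id = params["d"][0]
        expires = int(params["e"][0])
        signature = params["s"][0]
    except (KeyError, ValueError):
        return None
    expected = _sign(delegate_id, expires)
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return None
    if now > expires:
        return None
    return delegate_id
```

Anyone holding the link can open the page until it expires, so keep the lifetime short and serve the registration page over HTTPS.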
Be Smart About Your Passwords
More than 500 million records of login names, passwords and other ID information went astray in the last 12 months, according to a report this week by security firm Symantec [2]. It sounds pretty obvious but you would be surprised by the number of people who ignore the importance of passwords. Our survey found that over 80% of event planners don’t change their event management system passwords as often as they should (less than once a year). Another 33% claim to have shared their passwords with other people. This greatly increases the risk of a breach and makes it difficult to accurately identify who has access to the system at any given point in time.
Using strong passwords, NOT sharing them and changing them once every three months can greatly improve security around your event data. The problem is that the human brain can only remember so many passwords, not to mention we’re actually really bad at picking good ones. So, too often we just reuse passwords across multiple sites. This is an issue because so many of us use the same password for our work and personal accounts like Facebook, Google and online banking. Be creative: think of a special phrase and use the first letter of each word as your password. Substitute numbers for words or letters. For example, “I want to see the Eiffel Tower” could become 1W2CtEt.
Another solution is to use a password manager, a software tool for computers and mobile devices, which will pick random, long passwords for each site you visit, and synchronise them across your many devices. Two popular password managers are 1Password and LastPass. You can also use a Single Sign-On (SSO) system, which allows you to control access to your event management software using your authentication servers (e.g. Microsoft Active Directory) – so passwords are never submitted to your event system and access can be controlled centrally by your organisation. If someone from your team leaves their job, then their access to all systems can be cut off from one place.
Share Only What is Necessary
The study also revealed that an overwhelming 89% of event planners downloaded the data in their event management systems to external spreadsheets, with a further 81% sharing it with colleagues and other departments by printing or email. As well as following your organisation’s policies on how to securely share and dispose of data, you can also reduce security risks by integrating your event management system with some of your other back end systems like finance, CRM and marketing. The integration will allow for automatic updates on both systems whenever you need to make any changes, eliminating the need to download, print or email event data to other departments within your organisation.
For example, integration with your company’s finance system will allow you to automatically update delegate payment details into your finance system and vice versa without the need for printing and emailing reports and manually transferring them from one system to another. Event invoices, credit notes and received payments can all be generated and sent from either system. This saves time and more importantly, vastly reduces the security risks associated with email communications and having printed documents lying around.
Know Your Personal Vs. ‘Sensitive’ Personal Delegate Data
Our study found that there was some confusion differentiating personal and ‘sensitive’ delegate data. Personal information can include things like names, addresses and phone numbers. However, sensitive data is any information relating to the delegate’s racial origin, political opinion, religious beliefs or mental and physical well-being. The survey found that 40% of event planners didn’t think race and religion were considered sensitive and only 26% thought of dietary requirements (which may indicate religious inclinations) as sensitive.
Why is this important? EU Data Protection regulations require extra security measures when dealing with ‘sensitive’ delegate data – as this information could be used in a discriminatory way and is likely to be of a private nature. Most registration forms will have a question asking delegates if they have any additional requirements. This may include things like dietary requirements or the need for wheelchair assistance. Storing this ‘sensitive’ data means you must comply with the Data Protection Act from the moment you obtain the data until the time when the data has been deleted, overwritten or securely destroyed (e.g. shredding, incineration or pulping).
Don’t Forget About ‘Offline’ Security
As a general rule, try not to store any of your event data in any physical form (print or external hard drives, USB drives etc.) as this greatly increases the chance of it getting into the wrong hands. If you do, invest in secure cabinets, fit locking doors and ensure you have the proper mechanisms in place to dispose of this data if you need to. At your events, don’t leave your registration lists, laptops and smart phones unattended and ensure that event data on your screens is not visible to unauthorised users. Be cautious when discussing details over the phone and avoid discussing sensitive information in public areas where you can be overheard.
Lastly, make sure your employees understand how important your event data is and all the measures they can take to protect it. Encourage security awareness among your staff, training them not to leave sensitive material lying around and to operate a clear desk policy – both at the office and at your events. The ultimate goal is for everyone, at every level, to believe that data security is critical, understand the policies and procedures for achieving a secure environment and ensure these are followed every day.
Written by Steve Baxter, CTO of Eventsforce
[1] Information Week: Insider Threats: 10 Ways to Protect Your Data
[2] BBC News: Security snapshot reveals massive personal data loss