Many of you have read the scandalous stories we saw in the headlines last year regarding major security breaches at companies like Talk Talk and the Ashley Madison dating site. Cyber attackers raised their game: millions of people had their private data stolen and national governments scrambled to combat the growing threat of cyber attacks. Now imagine your organization’s systems got hacked and exposed the personal details of the hundreds (or thousands) of delegates attending your events each year. Doesn’t really bear thinking about, does it?
Events deal with highly sensitive customer information, including names, emails, telephone numbers, employment information, disabilities and other confidential details. The wealth of information we collect from our delegates is a gold mine for hackers. Safeguarding this data is critical, and more and more organizations are starting to see the importance of this issue. Our new data security survey found that 80% of event planners marked data security as a top priority for 2016. Surprisingly, however, only 40% of them felt they had adequate security policies in place across their organizations. In fact, according to MPI members at last month’s MPI European Meetings & Events Conference, event planners were said to be lacking awareness on the topic of cyber security despite the global terrorism threat.
So how do we address this issue?
Most event planners these days deal with some form of event registration technology that helps them manage all their event and delegate data. The software captures, manages and stores a lot of the sensitive data we mentioned earlier – so it makes sense to start there. Have a look at the data security policies of your event tech provider. Are you confident they have the right processes in place to safeguard your data? Are they doing everything they can to minimise the risk of breach?
Here are the top 8 data security questions you should be asking your event tech provider today:
How is my event data protected?
Maximum protection of your event data should probably be your event technology provider’s top priority. You want to ensure that your event data is fully secure and protected by a comprehensive recovery system. The first step in achieving this is the use of strong industry-standard encryption, like HTTPS for data in transit and AES for data at rest, which helps protect your data from prying eyes and can provide you with assurance that it hasn’t been modified in any way. Find out how your data is encrypted both at rest (when stored on servers) and in transit (when accessing data from your event management system over the Internet).
What data security and safeguarding policies do you have in place?
Find out where your database is stored, how it is stored and how often they back it up – the more often, the better, so that no changes are lost from your database if restoration is required. In the case of a breach of their own servers, find out what response plans they have in place to protect your data. Find out what security policies they have in place within their organization – how do they protect their own data and how do they meet regulatory and legislative requirements? Who has access to client data, how do they handle authorization and what happens when someone leaves? How do they share client information (email/phone) and where do they store this information?
How can I ensure secure access to my event management system?
All major event management systems manage access via username and password authentication. However, you can also manage access using an external authentication service, which can restrict access for certain individuals to particular functions (e.g. abstract reviews) or particular events. Find out if your event tech provider can integrate your event management solution with a Single Sign-On (SSO) system. This will allow you to sign in using your company’s existing corporate authentication infrastructure – so passwords are never submitted to your event system and access can be controlled centrally by your organisation. If someone from your team leaves their job, then their access to all systems can be cut off from one place.
SSO improves security by giving you the choice to restrict event websites and registration to internal personnel or selected individuals or groups, effectively making them private. Only people chosen to view the event website or register for the event will be able to do so and invitations cannot be shared – useful if you have an internal awards event going on involving confidential company information.
Where is my event data stored?
As mentioned above, this is something that should be outlined in the security policy of your event technology provider. It is worth noting, however, that if your event management software provider is storing your data in US-based datacenters and you deal with delegates from the EU, then you need to ensure that they comply with the newly announced Privacy Shield agreement. This replaces the old Safe Harbor agreement, which allowed US companies to legally transfer European citizens’ data to America, provided the location it was being sent to had the security and privacy conditions that met EU standards. If you are using a web-based system, find out the physical location of their cloud servers and whether or not they adhere to EU Data Protection regulations. Find out who has access to these servers and what kind of security procedures they have in place.
Do you own my data?
This is an important question, as some event management technology companies have a legal right to use your data for their own marketing purposes, which means it’s highly likely that they store this data somewhere other than your company’s database on their client servers. This increases the chance of a breach, so again you need to find out what data protection policies they have within their own organization, how they manage access to this data, what they use it for and how long they keep it.
Are you PCI-DSS compliant?
Our survey revealed that almost 50% of event planners who took payment from their delegates didn’t know if they were PCI-DSS compliant, and a further 73% were unaware of the fines for non-compliance (ranging anywhere from $5,000 to $100,000). If your events are set up to accept payments from delegates via credit or debit cards, then your organization is obligated to achieve and maintain compliance with the PCI Data Security Standard.
One way of simplifying compliance is to outsource the process to one of the many PCI-DSS-certified payment gateways that meet the required standards, such as Stripe, PayPal, Sage Pay and Worldpay, among others. However, make sure you understand from your event tech provider how these payment gateways interface with your event management/registration system. If your event website integrates with these gateways via an API, then you are still liable for PCI compliance since your servers capture and transmit the credit/debit card data first. Equally, if your event management system uses its own payment gateway or processes payments on your behalf, make sure that their systems have the correct level of compliance and that they are not permanently storing your delegate payment card data on their servers.
What security precautions do I need to take if my event management system is integrated with other third party systems (CRM, event apps, finance packages)?
Your event management software provider may have issued you with an API key for any integrations you have between your event system and other third party systems such as your event app. Often used instead of usernames and passwords, the key allows your event app and other third party applications access to your event data, and vice versa. Remember that anyone who has access to this key has access to your data – so you need to make sure it doesn’t get into the wrong hands. You can minimise the risk of a breach by asking your event tech provider to issue different API keys for different functions – for example, use one key to connect your system to the delegate section of your event app and another to connect it to the exhibitor section of your event app. Also, if you’re integrating with more than one system, ask for separate API keys for each integration (event app, CRM etc.). This way, if one of your API keys gets lost or exposed, you can revoke that key (which disables only that integration) and set up a new one. If you have one API key for all your integrations, then a data breach would lead to far more serious consequences for you and your organization.
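To show why per-integration, per-function keys limit the damage of a leaked key, here is an added illustration of how a provider could issue, scope and revoke such keys. This is not Eventsforce’s code; the registry class, integration names and scope strings are assumptions for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class ApiKeyRecord:
    integration: str       # hypothetical name, e.g. "event-app" or "crm"
    scopes: frozenset      # hypothetical scope strings, e.g. {"delegates:read"}
    revoked: bool = False


class ApiKeyRegistry:
    """Issues one narrowly scoped key per integration/function and stores
    only a SHA-256 digest, so a copy of the registry cannot be replayed."""

    def __init__(self):
        self._keys = {}    # digest -> ApiKeyRecord

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, integration, scopes):
        key = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._keys[self._digest(key)] = ApiKeyRecord(integration, frozenset(scopes))
        return key   # shown once to the integration owner, never stored in clear

    def revoke(self, key):
        rec = self._keys.get(self._digest(key))
        if rec is None:
            return False
        rec.revoked = True
        return True

    def authorize(self, key, required_scope):
        rec = self._keys.get(self._digest(key))
        if rec is None or rec.revoked:
            return False
        return required_scope in rec.scopes


def demo():
    reg = ApiKeyRegistry()
    app_delegates = reg.issue("event-app", ["delegates:read"])
    app_exhibitors = reg.issue("event-app", ["exhibitors:read"])
    crm = reg.issue("crm", ["delegates:read", "delegates:write"])
    reg.revoke(app_exhibitors)   # constructed scenario: the exhibitor key leaked
    return {
        "exhibitor_key_after_revoke": reg.authorize(app_exhibitors, "exhibitors:read"),
        "delegate_key_still_ok": reg.authorize(app_delegates, "delegates:read"),
        "delegate_key_cannot_write": reg.authorize(app_delegates, "delegates:write"),
        "crm_still_ok": reg.authorize(crm, "delegates:write"),
    }
```

Revoking the exhibitor key disables only that integration; the delegate-section key and the CRM key keep working, and a read-only key cannot be used to modify delegate data.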
How long do you keep my data for?
In our survey, 54% of event planners said they use their event management systems as a permanent storage space for all their event data. If you’re happy with your event tech provider’s data security policies, then keeping your data in the system after your event is complete is a good idea – especially if you don’t have adequate procedures to safeguard this data within your own organization. Find out how long they keep this data on their servers, whether it is moved to other locations or servers and whether or not they delete it after a defined period of time.
There is no such thing as 100% security when it comes to safeguarding your data. However, following best practices and taking the precautions outlined above can help you understand the risks involved and minimise the chances of a data breach.
Written by Steve Baxter, CTO of Eventsforce