Jordan Schwartz has never worked for the St. Louis Cardinals, but he now has something in common with the baseball team. A few decades before the FBI launched an investigation into the Cardinals breaking into the Houston Astros’ digital database, G-Men raided Schwartz’s homestead after learning that the current CEO of the event app company Pathable was a hacker operating bulletin boards where people traded codes.
Schwartz’s computer was confiscated and his parents probably weren’t thrilled learning about their son’s activities, but that punishment may be minor league compared to what St. Louis faces. Still, it was enough to set Schwartz straight.
“That reset me a little bit,” says the now older and wiser Schwartz, who is collaborating with Jim Spellos, owner of Meeting U. and noted keynote speaker, on a presentation that educates meeting planners and rights holders on cybersecurity measures.
While Schwartz saw the light at an early age, there are more people than ever out to steal identities, personal information and financial data.
Today’s hackers have evolved into the next-generation mafia, leaving no segment of society untouched. Prior to the baseball scandal, Target, Home Depot and Sony Pictures Entertainment suffered infamous data breaches while thousands of others slid under the public radar.
In the case of the two major retail outlets, millions of consumers’ credit card numbers were compromised. With Sony, the movie studio’s executives suffered severe embarrassment over private emails made public. The film at the center of the controversy, “The Interview,” was nearly shelved before receiving a limited theater release and scoring big online as a cause celebre for Internet activists and others eager to thumb their noses at North Korea, which was allegedly behind the attack.
In light of these highly publicized breaches, here’s the message Schwartz, Spellos and others experienced in the nascent cybersecurity field have for event planners: If it can happen to them, it can happen to you.
Out of Sight
That’s not how many rights holders and planners think—at least not yet.
“When I think about the kind of attack launched against Target, Home Depot and Sony, if someone wanted to launch that kind of attack against a meeting planner who’s trying to learn about security from a magazine, they are screwed.” —Jordan Schwartz, president and CEO of Pathable
“It’s out of sight, out of mind,” says event technology analyst Corbin Ball, CSP, CMP, DES, who predicts hackers and other cyber criminals will target events this year. “It’s a natural trend. With large conferences, you have a lot of people putting down credit card information. Event organizers really need to protect that data.”
The results of a data breach at a conference could be disastrous. The legal fees alone threaten to bankrupt affected small-to-midsized organizations and associations.
Roughly 40 percent of small compromised companies go out of business within six months, says John Sileo, president and CEO of The Sileo Group, which advises clients on online security issues and brings awareness to the subject via sileo.com.
Sileo also gives talks on cybersecurity, of which he is a bigger expert than he’d prefer to be. He has been victimized by identity theft twice, including by his business partner, whose unscrupulous actions cost Sileo his $2 million software company.
“I lost my job and reputation in the community until it came out it wasn’t me who had done it,” says Sileo. “People deserve to know how bad identity theft is when it does happen to you. It’s pretty darn common.”
In the early days of these attacks, the appropriate question was whether a company had been hacked or not. Then it became whether it had been targeted and didn’t know it. Now, Reg Harnish, chief security specialist at GreyCastle Security, an information security consulting firm, says it’s a matter of whether a business has been attacked only once or multiple times.
For the most part, Sileo says, hackers are aiming for credit card numbers and not expecting to land social security data, which he describes as “the key to the castle.”
“It’s an epidemic,” says Harnish of cyber attacks. “We live in a continuous state of compromise.”
Spellos, who often speaks on best practices for using the Internet and social media, says one of his motivating factors in tackling cybersecurity is to address event owners without scaring them.
“Don’t be paranoid, but be aware,” says Spellos. “I think a lot of people aren’t aware of the basics.”
Hackers: Movie Heroes, Real Life Villains
Before the Sony attack, hackers were portrayed as protagonists in movies like “The Matrix” (Neo and company were hackers before being brought into the real world), “Hackers” and the newly released “Blackhat.” But few see cyber criminals as heroes in real life. John Sileo says at least half of hackers are organized crime members taking advantage of technology to make big money. “It’s a lot easier than breaking into a bank,” notes Corbin Ball, CSP, CMP, DES.
One of the most important lessons is that risk management doesn’t start on a computer or in a server room. “Security is something you can’t just solve technically,” says Schwartz, a former program manager at Microsoft when the company learned the hard way that it needed to patch security holes in its Windows platform. “It takes vigilance and it takes education.”
The first step for rights holders and planners is identifying what information they need to protect and how valuable that data would be to an outsider.
A technology-driven event like CES or a security conference is a likelier target than a small-scale association gathering, says Ball.
“If I’m discussing military secrets, I’d make sure my device is encrypted,” he says. “But in a general meeting, these are not trade secrets.”
As it turns out, even the U.S. military isn’t impenetrable. In January, its social media accounts were briefly taken over by the terrorist group ISIS, which posted threatening messages to American troops on Twitter.
Rule No. 1 for organizers, says Spellos, is not to reveal how you’re protecting information. That said, there are some obvious ways to safeguard against data breaches.
Registration tables should never go unmanned, and rights holders should work with a reputable event program like Cvent’s, says Sileo, who arrived early at a financial conference only to find three unattended registration computers that didn’t use screen savers and weren’t password protected.
When he raised the issues, the event owner acknowledged they heard such scenarios were security concerns and said they needed to do a better job.
“Knowing and doing are two totally separate things,” says Sileo. “Where it’s falling short is implementation.”
Another basic step: rights holders should keep a close eye on their computers and gadgets, especially if they contain information about attendees.
“If a planner loses an iPhone with all those records, that’s a real liability issue,” says Sam Richter, a social media guru who speaks regularly at industry events.
Sileo suggests purging attendees’ credit card information and social security numbers as soon as an event is over, a strategy supported by Harnish. However, both agree this is where the human factor gets in the way. Adds Harnish: “As human beings, we keep things around just in case, and it doesn’t always make sense.”
“We’re information pack-rats,” says Sileo.
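The purge-after-the-event practice Sileo and Harnish recommend is easy to state and, as they note, hard to keep doing by hand. The script below is an added example, not code from Pathable, GreyCastle Security or any vendor named in the article: it takes registration records (the record layout, attendee and event values are constructed for illustration), blanks the fields that have no business value once the event has ended, returns a purge log for the audit trail, and provides a check that reports any record still holding card or social security data past its event date.

```python
"""Added example: purge cardholder data and SSNs once an event has ended.

Not code from any company named in the article. The record layout,
event identifiers and dates below are constructed sample data.
"""
from datetime import date, timedelta

# Fields that are only needed while the event is running; everything else
# (name, e-mail, session choices) is kept for post-event follow-up.
SENSITIVE_FIELDS = ("card_number", "card_cvv", "ssn")

# Constructed sample registration records (not real people or cards).
SAMPLE_RECORDS = [
    {"attendee_id": 1, "event_id": "conf-2015", "event_end": date(2015, 3, 10),
     "name": "Attendee One", "card_number": "4111111111111111",
     "card_cvv": "123", "ssn": "000-00-0001"},
    {"attendee_id": 2, "event_id": "conf-2015", "event_end": date(2015, 3, 10),
     "name": "Attendee Two", "card_number": None, "card_cvv": None, "ssn": None},
    {"attendee_id": 3, "event_id": "summit-2015", "event_end": date(2015, 9, 1),
     "name": "Attendee Three", "card_number": "4222222222222",
     "card_cvv": "456", "ssn": "000-00-0003"},
]


def purge_sensitive(records, today, grace_days=0):
    """Return (cleaned_records, purge_log).

    A record is purged when its event ended on or before today - grace_days.
    Sensitive fields in purged records are set to None; other records are
    copied unchanged. The log lists (attendee_id, event_id, fields_removed)
    so the purge itself can be audited without keeping the data.
    """
    cutoff = today - timedelta(days=grace_days)
    cleaned, log = [], []
    for original in records:
        rec = dict(original)  # never mutate the caller's data in place
        if rec["event_end"] <= cutoff:
            removed = [f for f in SENSITIVE_FIELDS if rec.get(f) is not None]
            for field in removed:
                rec[field] = None
            if removed:
                log.append((rec["attendee_id"], rec["event_id"], removed))
        cleaned.append(rec)
    return cleaned, log


def lingering_sensitive(records, today, grace_days=0):
    """Audit check: attendee_ids whose event is past the cutoff but which
    still carry any sensitive field. An empty list means the policy holds."""
    cutoff = today - timedelta(days=grace_days)
    return [
        rec["attendee_id"]
        for rec in records
        if rec["event_end"] <= cutoff
        and any(rec.get(f) is not None for f in SENSITIVE_FIELDS)
    ]


def run_demo(today=date(2015, 4, 1)):
    """Purge the constructed records as of `today` and report the results."""
    cleaned, log = purge_sensitive(SAMPLE_RECORDS, today)
    return {
        "purged_attendees": [entry[0] for entry in log],
        "still_holding_before": lingering_sensitive(SAMPLE_RECORDS, today),
        "still_holding_after": lingering_sensitive(cleaned, today),
    }


if __name__ == "__main__":
    print(run_demo())
```

Run as a scheduled job after each event closes, the audit function is the part worth alerting on: any attendee id it returns is exactly the “just in case” data Harnish describes.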
The concern over online privacy comes at a time when the world is almost fully connected by technology. To draw attendees, planners have little choice but to create conference apps and negotiate for free Wi-Fi in meeting spaces even though hotels, in particular, are notoriously easy for hackers to break into.
“Paranoia can make us make bad decisions and do the wrong things, but it’s also important that folks be aware of cyber threats out there. If you’re careless, you’re going to end up a statistic.” —Reg Harnish, chief security specialist, GreyCastle Security
Just as consumers demand a quick and easy process to purchase goods at retail stores like Target, attendees have grown accustomed to user-friendly software and apps.
“Think of three equal sections of a pie chart,” Harnish says. “One is convenience, one is freedom and one is security, and you can only pick two. Most people are more likely to choose convenience and freedom over security.”
Opportunities for invasion will continue to increase as attendees become dependent on smartphones not only for email and social media, but for transactions as well. Apple Pay is among the first generation of technology trying to eliminate credit cards with a system touted as being more secure than traditional payment options. Rival apps will be rolled out in the near future and each is likely to market itself as the most secure option, says Spellos. The conflicting claims may leave lingering questions.
“You always wonder if they are saying they’re more secure because they want you to use their system or because they know something you don’t,” says Spellos.
What is known is that Apple products have been less susceptible to attack than their counterparts. In part, this is because Windows devices had until recently been much more popular and more widely used across the globe, Spellos says.
When it comes to mobile technology, Apple performs a cursory test on apps before they are available in the App Store. While not a line-by-line evaluation, it’s more than what’s done at Google, where there isn’t a review process for Android apps, says Schwartz.
“Android, by virtue of being an open system, is easier to hack” than Apple, says Spellos. But that is not an endorsement of Apple from Spellos, who owns a Samsung Galaxy and takes steps to safeguard his information knowing the operating system is vulnerable. “While it’s more difficult, is it impossible to get in there?” he asks of Apple devices, “Nope.”
Schwartz says users should read permissions carefully before allowing an app to have access to contacts and social media platforms. The more permissions you sign away, the more you open yourself to attacks, he says.
Despite the risks, rights holders and planners—who are continually challenged to prove the value of their events and find ways to make them more profitable—have already taken steps to use technology for attendees to pay on-site for access to elements of an event or to offer discounts and special privileges like the deals on Groupon and LivingSocial (a tool used by American Express Meetings & Events).
Schwartz says that, based on the way online commerce is headed, events will inevitably follow suit with pay-as-you-go programs. He says the key for planners is partnering with trustworthy vendors who are PCI-compliant, meaning they have met the Payment Card Industry Data Security Standard (PCI DSS), the card industry’s global standard for handling payment data.
Most well-known companies such as PayPal already meet this requirement, adds Schwartz.
On the Defensive
The aforementioned experts agree that if a cyber criminal mastermind sets his or her mind to it, they will break into a person’s or organization’s data.
To underscore this point and get his audience’s attention, Richter likes to pull up a screen shot of first lady Michelle Obama’s financial records during his speaking engagements. (Yes, she has paid her student loans.)
He admits he does it mostly for laughs, but it raises the issue about how much information is available online, which Richter says is a reflection of the American public’s apparent disinterest in protecting privacy.
Sileo says that because there has not been public pressure to beef up security, the United States has fallen far behind countries like Germany. The lack of a federal law requiring chip-and-PIN technology in credit cards is an example of where the U.S. lags, says Sileo, though retailers and credit card companies are working to make that the national standard this year. President Obama stressed the importance of strengthening the country’s cybersecurity efforts during his State of the Union address this year and held a summit on the subject at Stanford University.
Adding to the challenge is the attackers—teenage hackers like Schwartz have been replaced by, among others, organized crime members seeking to make millions of dollars—who typically have the advantage because they are the aggressors.
“It’s the reason football games don’t end up in a 0-0 tie,” says Harnish. “Offense is a lot easier than defense.”
Just ask Sony, which ended up with a financial windfall (a studio record $31 million generated online) from “The Interview,” a comedy about the assassination of North Korean leader Kim Jong-un, but was humiliated by the inside information that went public.
The incident puts a new spin on an old lesson that rights holders, planners and attendees can all learn from, says Spellos.
“I remember when email came out, everyone was told not to put anything in an email you didn’t want to see on the front page of The New York Times,” says Spellos. “Now that conversation needs to be had about our phones, social media and devices.”