Cyber security can be scary stuff because you can’t see the threat. It’s enough to frighten anyone, but the words ‘cyber attack’ needn’t cause complete panic if your event is properly planned with all the necessary precautions in place.
What you do to limit your risk of a cyber attack should be part of your whole security plan and overall event plan, so what you read here can be incorporated into those.
Of course, when we think of cyber attacks at events, we usually think of big football games or concerts, rather than smaller, local events, so the measures you put in place should be proportionate to the level of risk to your event. It’s not about scaremongering, but actioning some simple points that can reduce stress for you and increase safety for everyone.
What type of threat could your event face?
1. Commodity attacks – all sizes and types of events are vulnerable to these sorts of attacks. Hackers use readily available tools, such as phishing emails. In fact, most attacks use similar techniques and there are ways to keep on top of the latest trends so you know how to prevent them. Take a look here.
2. Targeted attacks – an attack that intends to steal something specific.
3. Insider threats – for example, from contractors or stakeholders.
You should also look at your industry and suppliers to see if similar events have been targeted.
If you feel there is no particular reason your event would be targeted, then you just need to make sure the basic types of threat, such as phishing emails, are prevented as far as possible. As low as the risk may seem, you should always prepare as much as you are able to.
Thinking about the risk
There are a few things to consider:
1. What technology your event will be using and how to protect it (virus scanners, passwords etc.). This includes thinking about where presentations might be stored and how they’re shared.
2. Who is responsible for the tech? Is it yourselves, the venue, an external IT supplier?
3. Who is responsible for the general security of the event?
4. Are there any high-profile VIPs or delegates?
5. Is the event discussing something controversial, political or that could be of interest to outside organisations?
Next, do a cyber security risk assessment, just as you would for physical security and health & safety. It will enable you to take reasonable steps to help prevent or control any issues that might arise from those risks – and, again, make sure your approach is proportionate to the level of risk.
Deciding what needs protecting
The best way to prioritise what you protect is by working out what would have the biggest impact if things went wrong.
– Do you have technology that the event relies on to function? For instance, do you need WiFi, VR headsets, attendee tracking systems, payment facilities, multiple screens running off cloud
– Are you processing personal data? For instance, what would happen if your guest registration details were lost or stolen, or you couldn’t access them?
– Are you protecting your guests? Is the WiFi connection protected with at least a password and not just an open connection?
How vulnerable is the tech you use?
In other words, what weaknesses are there on your laptops, networks and software which could be threatened? Most cyber attacks can be prevented by putting basic controls in place. For instance, websites you are using on site should be encrypted with Secure Sockets Layer (SSL, since superseded by TLS) – shown by the green padlock at the top of your web pages.
Ask your suppliers if they hold any existing security certifications (e.g. Cyber Essentials, Cyber Essentials Plus, ISO 27001). This would suggest they are fully up-to-date with cyber threats and you will be able to talk to them about what they plan to implement for your event. This might include secure configuration, as mentioned above, firewalls, malware protection and controlling who has access.
This is also relevant for internal systems and how you integrate with third-party systems – the planning for an event often takes months, sometimes years, and in that time you may have used multiple systems, which all need the same consideration when it comes to security.
Here are some points you should think about before your event:
● Incorporate cyber security into your staff training
● Have an incident response plan
● Have a communication plan in place so everyone knows how to report an incident
● Make sure trained staff and suppliers will always be contactable during the build-up, event and break-down
● Make temporary staff, for instance contractors onsite during build-up, aware of the cyber security measures you have in place
● Have a plan B if an attack happens. Make sure there is somewhere else for staff to go and work, and get back online to minimise disruption.