Is your event safe from major event cybersecurity risks? Are you doing everything you can to secure your online data from attacks? As event profs, we hold so much data within our registrations, software, and events. We have people's addresses, credit card numbers, emails, phone numbers, even flight, and hotel information. If you aren’t protecting people's information you are making yourself and your clients an easy target for a cyber breach. If event cybersecurity is not on your radar yet we guarantee you by the end of this episode of Event Tech Podcast you will be running to your computer to implement the tips we are about to share! In today’s episode of Event Tech Podcast, Will Curran of Endless Events and Brandt Krueger are going to talk all about cybersecurity at events, why it will be the next big thing (and should be!) in event technology, and how you can take steps to improve your event cybersecurity. Will and Brandt will share their top three ways to protect your events information, how and what cyber attackers will look for, personal anecdotes, and more. You cannot miss this episode! Event Cybersecurity Matters Event cybersecurity should be on everybody's radar because the events industry is incredibly vulnerable to cyberattacks. "The amount of information that we handle is huge. We've got names of executives, titles, email addresses, phone numbers, personal cell phone numbers, travel itineraries, and hotel reservations. All of this information is a gold mine for hackers because all they need is a couple of legitimate pieces of information to be successful at phishing. Hackers are able to make an email look like a legitimate email coming from the registration. But actually, it's going to take you to a webpage that takes control of your computer," says Brandt. Every year, there seem to be more high-profile cyberattacks. " Most of these big hacks came in through the side door. It wasn't Target themselves who got hacked. It was an HVAC company that they contracted. Events are that side door. We'll be the soft target on the side that hackers use to get to our high profile clients," he adds. Don't Assume That Events Are Secure Brandt says that event planners often simply assume that there is some sort of event cybersecurity protocol put in place. "At events, I've seen the password written on a sticky note next to the laptop screen. Anybody could log into the registration platform." Convenience vs Security So, why do we leave passwords on sticky notes? Well, because it's convenient. But as Brandt points out, convenience and security are natural enemies when it comes to event cybersecurity. "If you have someone scanning a badge, that's better than nothing. If you have someone checking ID, that's even better, but it's less convenient for the attendees. While we're implementing all this event technology to make it easier to register, that also means we're opening that technology up to be used and abused." A Lack Of NDAs & Rental Laptops In his long career in the events industry, Brandt and Will have only been asked to sign an NDA twice. "I was often handed a hard drive with all this confidential information. It's standard to wipe the drives, but no one ever makes sure that we do this. I've often seen old PowerPoint presentations on rental laptops." Event Cybersecurity: Let's Talk Hotel Wi-Fi "Everyone knows WiFi needs to be secure. You wouldn't leave your home WiFi wide open for anyone to connect. Otherwise, information passing over the WiFi can be picked up at any moment from anyone at all," explains Will. Will Curran: We just talked about the presentations, and the data on these laptops, and physical devices, but also imagine the data flying across the airways at your event. Let's just talk about reg, and credit card data, things like that, for example, that can be easily sniffed off the internet, but then think about all your attendees who might be doing online banking, or let me log into my corporate email account. It's terrifying how open these hotel WiFi networks are. When was the last time you remember actually entering a password into the WiFi? Will Curran: I think this is where we always make sure we clarify. A lot of times when we say password a lot of people are used, okay, I connect to the WiFi, then a web browser pops up, and says enter the password, Aruba2019, well, no, we're talking about when you actually connect to the WiFi network it will not do anything at all unless you enter the password. On Macs it's in the top right when you go to connect to the network has a nice lock on it, on Windows, it will say secured right next to it. When is the last time you saw one of those at an event? Brandt Krueger: Other than that, it's been very few and far between, and for some reason we've gotten in this mindset that if you're in public it should be open, so when you go to Starbucks, or wherever you go and you're just supposed to be able to click on it and go, and I think that started because people didn't understand WiFi. Brandt Krueger: At this point, most people understand the difference between an open network and a closed network. A closed network you have to put in a password before it'll give you access to it, and an open network then yeah maybe you get some kinda splash page, thanks for coming to Starbucks, now you agree to the terms of service and click and go. Brandt Krueger: If you are seeing anything that is branded, or it says welcome or says anything other than enter the password then it is not a secured WiFi network. If it's asking you for a meeting code, or it's asking you for your room number, or anything like that, that is a not-encrypted WiFi network. Brandt Krueger: You mentioned things like banking, and things like that. Theoretically, that's all being encrypted in the web browser, so that's when you get the little lock in the upper left-hand corner and all that kinda stuff. Theoretically, if you're connecting to your bank over those connections it's kinda saying are you who I think you are, yes, okay great. Now, we're gonna encrypt between the two of us, and then all of that information wouldn't be sent in the clear. But looking for the lock is not enough. Just get that password. If you're talking to the venue just set that password, because even if you set that password to 12345, and even if you put that password on every single piece of paper in the hotel including the toilet paper in the bathroom, if you put that everywhere, that is still more secure than not having a password on your WiFi and asking for a meeting code, or something like that. Brandt Krueger: It automatically as soon as you put any password on your network itself that turns on encryption, and it just reduces the likelihood that someone's gonna be able to sniff the traffic, and get information. If I can stress any one thing that's probably my biggest thing. It drives me absolutely up the wall that we're not securing our WiFi at our events. Will Curran: Another bonus tip that I'll add to this as well is as we start to provide this also create different virtual networks for different types of people who need to connect. For example, you need to make sure that you have a separate virtual network for all of your registration, your credit card processing. Attendees should not connect to that same WiFi. Will Curran: Same with presenters. Presenters should be separate because they're gonna have a lot of confidential information. I highly recommend if you're gonna have any sort of executives from the team or something like, maybe they need to be on a separate WiFi, and exhibitors on a separate WiFi, and then attendees finally on a super simple, secure, separate WiFi that completely is completely secured, as Brandt said, have that WiFi password written on the toilet paper. Brandt Krueger: Also, then if you're able to if there is a problem start to narrow it down. On this event that I was just on from a setup standpoint, they did it properly. They had different networks for the attendees, the staff, for the iPads that were running the kiosk, they all had different networks, different logins for each one of those. We were actually able to isolate, hey, wow, the attendees one is actually running pretty well, but the staff one for whatever reason is getting hit, and so we were able to narrow things down for troubleshooting. Brandt Krueger: When you've got everybody on the same network, well, maybe somebody's watching Netflix, or maybe somebody's ... you're able to start reducing the number of things that you need to check when there is actually a problem. Brandt Krueger: What can we do to fix this? You've made me so sad. I just want to know. What can we do? Will Curran: To fix hotel WiFi? Brandt Krueger: What can we do to tell people to start making this better? We've scared the crap out of them hopefully at this point, so what can we do to start making it better. Will Curran: Well, I think first thing is just be aware of the issue. I think that far too often ignorance is bliss. You think to yourself, oh, I'll be fine, don't worry, until your social security number gets posted by Equifax everywhere in the world. Now, you become an expert in data security. I think that's one of the biggest things is like be willing to have the conversations about it, and ask the questions. Will Curran: For example, when it comes to hotel WiFi, if you're aware of the issue now you can also talk to it. For example, you're going to your hotel you can ask them the hard question. What are you doing to keep me secure when it comes to your WiFi? Brandt Krueger: I think that's a great step, and I then I think the other thing is changing our mindset a little. That it's not somebody else's responsibility. It's not gonna be the vendor's responsibility. It's not gonna be the AV person's responsibility. It's all of our responsibilities. We have to take whether you're a planner, you're a vendor, you're a venue, all of us involved in this thing we do called events we all need to take personal responsibility for security. password managers Will Curran: When it comes to password managers it just automatically fills everything in. It lets you know when things are not secure. It makes sure that you can have super duper secure passwords that you can't remember, instead you have one master password. You can Google why you should a password manager, and I think that will do a much better job explaining than us, but it's really crazy how people just use one single password to manage everything, and how easy it is as soon as that one password is compromised, boom, they can go from, oh, they hacked Joe Schmoe's let's say ... I'm just gonna use your Art of Frames website where you ordered that one frame for that piece of artwork, they got hacked, now they have that password, and then now what they do is they go and test all those sites. Will Curran: They test all the major banking websites, all these things like that, with that one password, and boom, if you have the same password across everything you're hosed. It's scary how little secure passwords are for it, and I think the video that you show at the beginning of the presentation, like, it's Jimmy Kimmel, but maybe if you want to get a chance to explain what that is, and then kinda give your two cents on password managers. Brandt Krueger: Like you say, it'll change your life. You go from having to remember every password for every site to never having to remember any of them. The things that password managers allow you to do is to set long, random passwords for every single site that you access. Like you said, if random website X gets hacked it's no big deal, because they're not gonna be able to use that same password on any of the rest of your stuff, because you've got a long, random, different password for every single site that you use. Brandt Krueger: And so, if you're using monkey123 as your password for your registration platform, and you also used monkey123 as your password for Gmail, or god forbid something else if they get that information like you said they're gonna start trying every single thing, and then once they've got access to your email you're pretty much cooked, because then they can start changing your passwords and using that email to receive those password change notifications, and things like that. Brandt Krueger: The biggest thing is once you start entering in your information in password managers it'll say, hey, whoa, just so you know you're using this on another site. Would you like me to change that for you, and keep track of it, and do something different? Absolutely, password managers 100% change your life as far as what you can do about it. Will Curran: Real quick. I was gonna say, the one thing that I think as far as ... obviously, it's really nice to be able to do that. You might be thinking to yourself I can do that on a spreadsheet, or whatever, well, the thing that I think that makes password managers really fantastic ... I know LastPass and Dashlane both do this, and a bunch of other sites are doing this now as well, it gives you the ability to also share passwords securely as well. I think in the events industry I can't tell you how many associations that I've been a part of where they say, hey, can you give me the Twitter password, hey, can you give me the MailChimp password, hey, can you give me the password to the bank account. Will Curran: For my local ILIA chapter I made the big switch, and I pushed everyone, I said, we're gonna use a password manager, we're gonna have super secure passwords, and I'm never gonna actually share the password with you. I'm gonna share it via the password manager, and what is cool about it is it allows you to share passwords so they can login without ever seeing the password, which for temp staff, for volunteers, for that, hey, can you send me the password to XYZ really quickly, makes your life so much easier. Will Curran: The best part is if you have employees this will change your life when it comes to it, because when they get done you don't have to worry about changing the passwords ever you just revoke access, and boom, you're all done. As a business owner, it changed my life as well. Brandt Krueger: Well, yeah, that's exactly it. The day after that event is done you can revoke access to all of those people, and they don't have access to the passwords anymore, or if you as a business owner you got to let someone go, or they move on to a different job or something like that, you want to be able to revoke those passwords as well. I discovered accidentally that about three years after I left my previous employer I still had the username and password for their FedEx account. Brandt Krueger: I went to go log in and it auto-filled the information because it was in my LastPass, and they hadn't changed it. It was one of those things where I was like, oh, wow, okay, good, look at that. You mentioned the Kimmel thing. That's just an example of the fact that we think we're so clever coming up with these passwords, but the fact of the matter is the human brain's just not capable of remembering a different password for every single site. I'm just curious. I'm gonna bring up the number of sites that I've got here in my LastPass. Brandt Krueger: I'm gonna bring up the number of sites that I've got here in my LastPass. Brandt Krueger: Well, okay, I've got these categorized. Let's see, there are 119 personal ones, 185 professional ones, 172 shared family ones, 63 shared financial ones, and 16 shared medical ones. Brandt Krueger: That's only in the course ... I think I just hit my 10 year anniversary of LastPass a little bit ago. Will Curran: And that I use my dad's Netflix as well. But yeah, it's crazy cool how it can help you stay on top of it. It just makes it so easy for you to manage your passwords. Brandt Krueger: All right. I know we've got a lot of other suggestions for folks. I want to leave off some of the higher end stuff, and continue with the easy peasies that we've got, so the last one that I think is good to hit for this show is two-factor authentication. Will Curran: Explain Brandt, what is two-factor authentication? Why does it matter? Brandt Krueger: At it's most basic level that's when your bank says, hey, we just didn't recognize this device, we want to send you a text, so then it sends you a code, and then you punch in the code. The idea being it's not only a password, but there is a second factor, and it's some other thing. Usually, the best way to do it is that it involves not only something you know, but also something you have like your phone. Brandt Krueger: In that example, you go to your bank and type in your password. It says, oh, we don't recognize this browser we would like to send you a code to your phone assuming that you have your phone, and so you're able to then get that code, and punch it in. The other ways of doing that is using an actual two-factor authentication app, which is the same kinda idea where when you first log in, and they say, hey, do you want to set up two-factor authentication, and you say yes, it pops up a little QR code, you know, one of those little black and white dotted codes, and that is essentially like setting up a secret code between your phone and that website that's unique to you. Brandt Krueger: It's not something that anybody else would be able to have, so as soon as you snap that code into your two-factor authentication app it starts generating these six-digit codes every minute, and so once every minute it's gonna generate a new code, so when you go to login to that website it says, okay, what's the code? You check your authentication app and punch in that particular six-digit code for that minute. And then, it's gone, so it's kinda a one time use kinda thing that is constantly revving these codes. Brandt Krueger: Those are the two most basic ways, but then beyond that they actually have these physical USB key type things where that is essentially the same thing, where that USB key is generating a code once a minute, so you plug that in at the time you're logging in, and you set up the two-factor authentication, it connects with the USB key, it says, okay, this is what we're talking about. That's you, great, okay, now I know that's you when you're punching in that code. Will Curran: Yeah, I definitely have one that I totally recommend. Google actually released their own version of it. Just search two-factor authentication key Google, but when Google announced this product that they were selling they also made a huge announcement which is that they require all their employees to use physical USB keys plugged in, and since they've required that, they have had zero breaches in any accounts across ... I mean, how many employees does Google have, a bazillion. Will Curran: Absolutely. It's impossible to replicate because you have to have that physical key. Unfortunately, not every site is utilizing that yet. Even more, unfortunately, is a lot of them are allowing you to do the two-factor authentication app, which is nice, but I'm just so disappointed. For example, we have an industry-specific tool we use for scheduling our teams, and it texts you a two-factor authentication code. If you want to get nerdy with it technically you can hack a text really easily, spoof the cell phone, get the text, boom, good to go, whereas these apps technically they're only on your one phone except for like my weird set up that I definitely want to talk to you about. Will Curran: When it comes to this definitely push to use the app as the highly recommended thing. If you can go physical key as well. It makes it so worse comes to worse if let's say one of your super secure passwords in your password manager gets leaked, or somehow your account still gets hacked because of vulnerability you're still having that protection, because all of a sudden you're gonna get a notification saying someone tried to log in your account, and either failed to do two-factor authentication, or you get that really weird message where all of a sudden it'll say, hey, someone tries to access your account, here's that code, and you go, I didn't try to access that just now, and you go, oh gosh I should go lock up my account right away. Brandt Krueger: Exactly. In kinda order of what we've talked about today the easiest thing, check your venues, and say, okay, let's get a password on the WiFi. The next thing is definitely, definitely, definitely use password managers. There's no excuse not to at this point. And then, the third is whenever available do two-factor authentication. Will Curran: Definitely. Brandt Krueger: Use one of these apps. Be careful, because once you set it up if you lose that information it can get really ... bad things can happen. It's a check against making sure that it's you. Will Curran: Can I talk, like, give that personal story about that, because this is where it kinda evolved recently. I just want to share this anecdotal story, is that okay? Brandt Krueger: Yeah, go for it. Will Curran: It's like, no, Will, shut- Brandt Krueger: I'm just trying to keep an eyeball on the time. I don't want to go too long with it. Will Curran: You guys, this is gonna be a special episode. It's gonna be a little longer because we love it so much. Brandt and I love two-factor authentication. For the longest time, I've always used Google's default two-factor authentication app that does the code recycling like he was talking about. I love that app because it's super simple, easy to use. Will Curran: The thing about though is the way to set it up is you have to scan the QR code. The idea is it's not like a password manager where you enter your one master password, and boom, you get access to all your codes. It's all local on your phone, so the idea is your phone is the only one in existence that has these two-factor authentication codes. Will Curran: A long time ago I got a new phone, and I was smart that I ordered the phone, got it, and I kept the other one, didn't wipe it, and re-setup all the two-factor authentications on the new one, because first, you have to log in to the accounts to get the new two-factor authentication out, so you still need those old codes, so I was smart about that. Will Curran: Like, oh hey, instead of using my two-factor authentication app you send it to my email or sending me a text. I'm like, no, I don't want you to be able to do that. Turn that off. I made that mistake, and now I've been recycling phones so much that I got kinda perturbed with having to keep it locally on one phone, and also there's a couple apps that require me to two-factor authenticate every single time I login versus, hey, remember me. Will Curran: It's so frustrating when I just needed to check something really quickly on the accounting software, or whatever it may be, or check a payroll number. My bonus app that I've been sharing with everyone, which I have to admit, and we talked about this very briefly, this is not as secure as technically only having it only on one device, but I'm utilizing an app called Offy, which is kinda like a password manager meets two-factor authentication codes. Will Curran: The idea is that you can only log into it on certain devices, so I have it on my phone, and my computer, and my desktop. The reason why I like it is then I can copy the codes really easily on my desktop, computer, and my laptop when I need to re-go into the codes a million times versus where's my phone, oh, my phone's charging in the other room, let me go get my phone to get the two-factor authentication code. Brandt Krueger: We are a target, and the Marriott hack shows that that people are actively starting to look at hospitality, and events, as a target. We need to start taking responsibility for it. We need to start, yes, inconveniencing ourselves a little from here and there, and taking responsibility for the security not only of ourselves but of our clients. Resources \tSecurity Now Podcast \tSteve Gibson \tDashlane \tLastPass \tIs Your Event Vulnerable to Cyber Attacks?: The Good, the Bad, and the Really, Really Scary \tJimmy Kimmel, What is Your Password?