In 2022, the United States saw 1,774 data breaches. And while 1,774 might not sound jaw-dropping, those breaches impacted an estimated 422,143,312 people. Cybersecurity for event planners is a recurring theme on the podcast because cyber threats are never-ending and are only getting more complex.
In today’s episode of the Event Tech podcast, Will and Brandt tackle cybersecurity, driven by the recent and controversial data breach at LastPass and a listener question. Ellysa C. asked, “What steps would you give to a new event planner to help protect against cybersecurity threats for virtual events?” Tune in to learn six tips to protect your business and events against cybersecurity threats in 2023.
Protect Yourself with a Password Manager
Brandt starts today’s discussion by sharing the first tip of the day: “The number one thing you can do to protect yourself is to have a password manager.”
Will completely agrees. “Easily. So many people who don’t use one think it’s hard. They don’t realize you install it, it starts saving passwords and becomes easy. I don’t know what I’d do without the feature that says ‘generate a secure password,’ and then automatically save it.”
“The number one way people get hacked is through reusing passwords,” says Brandt. The New York Attorney General’s office found that users reuse passwords to cope with so many online accounts. But hackers know that a password on one site is likely to work on others, which makes reusing passwords a high-risk behavior. “So when people say, ‘My Instagram got hacked,’ it’s because you’ve reused that password on another site. What Will’s talking about is being able to auto-generate randomized passwords. And you can make them long because you don’t have to remember them.”
Brandt continues: “So as soon as [a platform] gets hacked, they take that table, and they run it against all of the banks, all of the credit cards, Google, Microsoft, Apple, all of those things. Whoever got those LastPass accounts runs them against master dictionaries to see which accounts will open. Zoom, Cvent, and all of those big players got added to that list of sites they try once they get a list of passwords.”
Will Curran adds secure password sharing as another security feature password managers offer. “I’ll add a tip. Many new virtual event managers working with online tools might have only bought one seat that allows access. You might not have individual accounts for each person working on the event. A big issue with this is that you might even set a secure password but copy and paste it to share it. That’s just as dangerous because you don’t know what that person is doing with the password. One of my favorite features of password managers is the ability to share passwords without the other person having access to it.”
Brandt shares an example of how insecure and common password sharing is at events. “I can’t even count the number of times I’ve been at a registration table, looked down, and seen the username and password on a sticky note next to the laptop. You can use password managers to dole out access to the account, and as soon as the event’s done, you revoke access. The other thing is they usually offer one-click changes for passwords. You click ‘Change Password,’ and it’ll immediately initiate and autogenerate a new password.”
Set up Two-Factor Authentication
The next tip Will and Brandt share is to set up two-factor authentication on everything. As Brandt puts it, this is using “something you know” and “something you have” to add a layer of protection to your accounts.
At a minimum, Will recommends setting up text message two-factor authentication. “But that’s not the most secure way to do it,” he says. “Always enable two-factor authentication. Just go into the settings of Zoom, Cvent, or whatever you’re using and turn on two-factor authentication. There are things like Authy, a cloud-based storage of your two-factor authentication codes, and Dashlane. You’re always trading convenience for security, so keep that in mind. The more convenient something is, the less secure it tends to be.”
Brandt does not recommend saving your passwords on a browser. “All major browsers will offer to save your passwords for you. I don’t recommend that because they have everything if your Google account gets hacked. Why not just put it in a different app? Google makes an authenticator app. Microsoft makes an authenticator app.”
“The other thing I want to make sure we emphasize is text notification isn’t enough,” continues Brandt. “If you have the option of a one-time password app, use it. SMS isn’t the most secure thing. One of the advantages of having to redo all my passwords in a password manager is I’ve discovered how many sites have added two-factor authentication. It’s worth checking back in on your bank accounts, financial accounts, major registration platforms, and Zoom accounts.”
“One amazing setting you can do, as a planner, is forcing your users to have two-factor authentication,” adds Will. “This is less common, but I’m noticing it in many big players. For example, HubSpot.”
Think About Your Integrations
Next, Will suggests people consider integrations as a weak spot in cybersecurity for event planners. “For example, if you have a registration system and an integration with Google Sheets to auto-export, make sure you know about them and consider turning them off when you don’t need them. Set a task for yourself when you’re closing out an event to delete the data and turn off the integrations.”
Brandt has a real-world example of this as well. “As Twitter has slowly imploded, they’ve clearly been firing a lot of their engineers. Things have been breaking left and right. One of the things that can easily break is integrations. As those things are not being maintained, they become less secure. I had probably 15 different apps connected to Twitter. I hit delete, delete, delete.”
Think of Security as a Feature
Next in today’s tips on cybersecurity for event planners: treat security like any other feature in online tools. Don’t hesitate to ask about it, seek more information when things aren’t clear, and look beyond the marketing hype.
“When it comes to vetting your initial tools, talk about security as a feature,” says Will. “Many times, if you’re working with low-budget tools, those are the ones that might be trying to save a buck or two and have some security issues. Just have this simple conversation with them. You’ll realize when they’re buttoned up about it. And if you’re really concerned about it, they’ll bring more people in to help make you at ease. So consider the tools you’re using.”
“And watch out for the marketing buzz, ‘military-grade encryption,’” adds Brandt. “For me, that’s a red flag. You have nothing better to say than ‘military-grade encryption?’”
Consider the Human Element
The 2022 Data Breach Investigations Report by Verizon found that 82% of studied breaches were tied to the human element, meaning people were a primary driver in security breaches. Will and Brandt focus on this human element next.
“A lot of times we think to ourselves, ‘I got a password manager, I have military-grade encryption,’ but many of these hacks happen because of user error,” says Will.
“The number one way people get hacked is by reusing passwords, right? Social engineering is the number two way people get hacked,” says Brandt. According to Carnegie Mellon University, social engineering is a tactic that aims to manipulate or deceive people to gain access to a computer system or steal personal information. “So it’s not like brute force through the front door type of things anymore; it’s side-door attacks. They’re getting much more sophisticated.”
If you ask yourself how to address the human element, Will has some answers. “The only way you can fix this sort of stuff is through awareness training: the ability to know that these things are happening, how to identify them, and how to feel sketchy about anything that’s coming in.”
“There are a lot of organizations that offer security awareness training,” continues Will. “Google ‘best security awareness training.’ It isn’t that expensive. The one I really like is a service called Riot. It connects to your Google and Slack accounts, automatically knows when new employees are coming in, and you set it up so they’re onboarded with awareness training modules.”
Riot also lets you simulate phishing attacks, helping you to evaluate your team for weak spots. “You say what tools you’re using, and it sends out fake phishing attempts. Then Riot is notified whenever someone’s clicked it or even opens the email, and you can trigger training based on that. Riot’s free for 10 users. So sign up, put your 10 most vulnerable users in it, do a test, and then put them on the awareness training. Riot has been amazing for our organization, and we were already pretty secure.”
“Education. That’s what it’s all about. And that’s why we keep returning to this topic every year. It’s all about education,” concludes Brandt.
Stay Vigilant: It Takes a Village to Protect the Village
As Will wraps up this episode, he has one final tip for everyone, events industry or otherwise. “Stay on top of this stuff and be aware that, just like technology, it’s constantly changing. Stay on top of trends when it comes to security. Consider signing up for a tech blog. A lot of times, these blogs will cover things, like when LastPass got hacked.”
“The thing that frustrates me when I’m trying to educate my friends is that they’ll say things like, ‘Who cares who hacks me? I have nothing to hide.’ They don’t realize hackers could use that information to target your family. Wouldn’t it be devastating to find out someone completely drained your mom’s bank account? What happens if you take insecure actions that cause your company to get in trouble? The best thing you can do is stay vigilant. Just like you stay tuned in to what’s going on around your neighborhood, stay tuned in to what’s going on in the neighborhood that is the internet.”
Let us know what you think. What tips on cybersecurity for event planners do you have? Send us your questions. We love to hear from you! And maybe your question will be featured on the next episode of the Event Tech podcast.