By Ronnie Garrett
Meeting and event organizers have access to a ton of data. They have attendees’ names, titles, workplaces, addresses, phone numbers and even their credit card numbers.
But with data comes cyber insecurity. Any time you have data that might be attractive to cyber criminals you must take steps to protect it.
“Everyone in an organization needs to be aware of common attacks and security techniques because the weakest link is commonly exploited in today’s cyber crimes. They need to be concerned with the Payment Card Industry Data Security Standard (PCI DSS) and also the Wisconsin state law that protects data,” says Susan
Lincke, an associate professor in Computer Science at the University of Wisconsin Parkside and author of “Security Planning: An Applied Approach.”
When it comes to data, two primary concerns exist: Cyber crime and information warfare, and Lincke says it is critical that event organizers consider both.
The No. 1 cyber attack, representing 55 percent of all breaches, involves criminals searching for credit card numbers, which are generally sold in the United States for $10 apiece and in Europe for $50 apiece. The second type of attack involves an authorized search for intellectual property rights or IPR. Lincke says these attacks represent 21 percent of external breaches.
Ransomware is a new type of attack that originates via email. If users click on an email, the malware restricts access to data in the infected computer network and demands users pay ransom to malware operators to remove the restriction. “They basically hide your data from you,” says Lincke. “The problem is they don’t do it right away. They’ll wait a month before they do that and in the meantime, as you take up backups, they make sure your backups are screwed up as well. People basically pay $750 or more to criminals to get their data back and even then they may attack you again.”
One of the biggest issues is unauthorized access; that is someone being able to get in to your system and upload something that corrupts data, or malware that actually detects the data and sends it to another location,” states Adam Larson, company president of Zymo, a Web and app developer based in Green Bay.
Larson points out there are steps organizations can take to protect themselves. With the data used in websites and mobile apps, event organizers must make sure to separate the data found in those applications from the data stored on their Web servers. “You should only allow access to protected data from your Web server,” Larson says. “This adds a layer of protection to where your database is not just actively accessible through a general Internet query.”
This can be done in a number of ways. One way is through IP address blocking, which prevents connection between a server and a website and certain IP addresses. This measure effectively bans undesired connections from hosts using infected addresses to a website, mail server or other Internet server.
Larson also recommends building in restful end points. So when a query is made that says, “I need this information from the database, the Web server will have to go get it and send it back to you,” he says. “We generally wrap a lot of those queries with authorization tokens, so unless users have the key that we’ve generated for them in the software on the client side, the Web server just ignores their request. We try to prevent them from being able to actually gain access to the data at all.”
Unauthorized access is also prevented by storing data properly. All data should be encrypted and regularly backed up. It’s important to make sure your data is separate from the encryption key so that if “someone does access both of those, they’d have no way of actually viewing the data. It would just look like byte data to them,” Larson says.
All private data should reside behind a firewall, adds Lincke. “This allows you to recognize if there is anything going on behind the network zone,” she says. “You don’t want a firewall before your desktop terminals, which are likely infected, being able to attack your data directly. There should be a firewall in between because your people are unreliable.”
Data should be regularly backed up, so that should it become unreachable it can be quickly restored. Each backup should be checked to ensure the information is all there and accessible.
The best offense is a good defense, adds Larson, who recommends hiring an expert to think about computer security and design it into the system. Lincke agrees, “There must be a firewall between your employees’ terminals and your data and it should be a firewall put together by a professional.”
Both Larson and Lincke agree that employees pose the greatest risk to a company’s data. They will click on a phishing email and infect the entire database with malware or ransomware.
An educational process upon hire and at regular intervals afterward helps employees learn what they can do to protect the company’s computer network.
One such practice is developing good passwords. Lincke recommends taking a song lyric, such as “deck the halls with boughs of holly, fa, la, la, la, la, la, la, la, la, la” and creating a password using the first letters of each word, so DTHWBOHF9, with the 9 representing how many times ‘la’ repeats. Then add anti-virus, anti-spyware and a firewall to protect against those times when employees do the wrong thing.
Lincke suggests further minimizing risk by not allowing employees to access the Internet or certain sites on the Internet. Many doctor’s offices do not allow Internet access at all, according to Lincke. “That’s probably the most secure thing to do, but not everyone can do that,” she says.
Plans also must be in place for when employees leave. “There should be a process so that when an employee leaves, all of their credentials are gone,” says Larson.
If a breach does occur, there needs to be a fast response. The appropriate authorities must be notified about the types of data that were lost or at risk, especially if it’s protected data such as credit card information or Social Security numbers. “Visa, for example, may pose fines of up to $50,000 per breach incident if the organization wasn’t PCI DSS compliant, and up to $100,000 if Visa was not immediately informed of the breach,” Lincke says.
The response should be thought through in advance, adds Larson. Meeting organizers need to have a list of contacts to call, and start calling the names on that list as soon as a breach is discovered. They also need to know the steps to follow to get back online as soon as possible.
“Your recovery plan should include mirrors of your data in other places, as well as regular backup schedules,” Larson adds.