How Safe Is Your Event Data?
20th March 2017
Crime associated with data protection is costing the economy over $400 billion worldwide; it is only a matter of time before you are affected. With the new General Data Protection Regulation coming into force in 2018, now is the perfect time to start protecting your data.
It is no secret that for many industry professionals the large range of data they deal with is the key to the success of their events. Whilst advances in technology over the years have improved efficiency in this field, there are many risks attached, including viruses, hacking and forms of fraud used to gain information from a company. Your supplier list, customer database and financial reports are just some examples of data that could give your competitors an advantage if leaked, not to mention the new penalties attached to data breaches, which could cost you up to €20 million. As an events manager you will have to face the reality that your data may not be safe and that it will only be a matter of time before your company and its reputation could be compromised. Do not worry, it is not all doom and gloom: by the end of this blog you will have a checklist of actions to help protect your data which won’t leave you bankrupt but will give both you and your clients reassurance that proactive measures are being taken.
Week after week new reports are being released in the news stating businesses big and small, in a range of industries, are being affected by cyber security problems. Could you afford for your data to be stolen and leaked? Are you aware of the financial penalties for data breaches?
THE DATA PROTECTION ACT IS GETTING A REVAMP
Currently, as an industry, we work under the Data Protection Act 1998, which sets out how data can be collected, processed and stored. January 2012 saw the European Commission plan to reform the act, and the legislation is coming into effect in 2018. It is time to brush up on data protection: from 2018 breaches must be reported within 72 hours, data protection officers will be mandatory in large companies, and this law will ultimately strengthen the rights that individuals have over their personal information. Many have questioned whether Brexit will make the UK exempt from this law… the answer is no; in fact, if the UK wants to stay in the single market and trade easily it will have to adopt the regulations put in place.
BRUSH UP ON PROTECTING YOUR DATA – 5 SIMPLE STEPS
Spending thousands of pounds on the top industry anti-virus software and firewalls may seem like the most sensible method of protecting your data; however, most hackers will have the ability to break through these methods with ease should your company information be of value to them. It is in fact common sense which will be the most effective and valuable resource to decrease your chances of having your company data stolen. Below are some examples which you should be implementing in your day-to-day operations:
Emails: Unprotected emails are like postcards; anyone can read them. It is therefore worth investing in end-to-end encryption, which protects any data in your message from being intercepted. Encryption acts like an envelope and ‘seals’ the data so that it cannot be read by unwanted third parties.
Passwords: Never share your passwords with anyone, or store them anywhere other than in your own head. You should also use strong passwords containing letters, numbers and symbols which should be changed every 3 months.
Cloud Services: Avoid storing any vital documents/information on these services as they could potentially be accessed by anyone. If you do need to use these services to store data, ensure an encryption method is used.
File Storage: Ensure that any data stored on a USB stick is encrypted and password protected and also keep the device itself in a safe, locked location.
Wireless Services: Always keep the Bluetooth function turned off on all your devices when you are not using it, and beware of connecting to open Wi-Fi hotspots in public places as this could enable a hacker to gain access to your device and everything on it.
As an events manager are you doing enough to protect the data provided to you by stakeholders? Are you prepared for the new EU data protection law in 2018?
As an industry we need to act now…What will your first move be?
[LinkedIn Comment] from Jose Bort, CEO and Founder of EventsCase
Event data should truly be protected by any event organising entity or company — especially the attendees’ data. I run a company called EventsCase, an event management software, and I can’t emphasise more the importance of data security. Some events involve bigwigs in specific industries, and it would be to everyone’s disadvantage if personal and payment information are hacked. Thanks for sharing this article!
Do you find that your customers are concerned with protecting their data when paying for your software services? Or do they trust that you have it in hand completely?
This is really interesting. Companies within events management handle thousands of personal details a day and yet quite a few of these companies are small and privately owned. How can industry associations be used to inform their members of such things and to spread the word on best practice?
Thank you jlannon2014 for your comment and question regarding the most efficient way to spread awareness of data protection within the events industry. Industry associations can use many methods to spread messages to professionals within the sector both face to face and via methods such as social media/the internet.
LinkedIn has several Events Management Groups who share important articles/blog posts about issues in the industry and members are keen to share their stories and strategies when commenting. Twitter is another popular way of communicating within the industry with @eventprofs starting debates twice every week (and has over 22,800 followers).
On the other hand events such as International Confex are important for professionals to discuss issues face to face and have a live debate on best practice. Workshops are held to reassure people that using technology won’t automatically mean your data will be stolen and it encourages best practice to prevent those circumstances.
This is so insightful. I’ve never even thought about a lot of this in detail before. I will definitely be taking note of all the advice in this post. Thank you for sharing.
Thank you for your comment Charlotte. As students data protection is not something necessarily taught in the degree syllabus. Perhaps it should be integrated more as mishandling data will soon cost companies thousands of pounds if leaked due to the new law changes.
This was an interesting topic to read about as it does not seem to be one many think about that thoroughly when leaving digital footprints online. It seems obvious that businesses should do their best to protect the data which they hold whether that belongs to customers or their own staff. However, how responsible are they if hackers (who have multiple ways to infiltrate systems) are about to access that data? And is it ever the right thing to do? For example, when the affair website Ashley Madison was hacked. Could it also be possible that with the UK’s self-removal from the EU that the renewal of the Data Protection Act will still be used in the UK or if UK government officials will create their own revamp and changes?
Thank you for your interesting comment and query about our blog.
With the new Data Protection law coming into place in 2018 it will be the owner/company to make sure their data is safe as they will be the ones incurring the fine should records be mishandled and released.
Many have questioned whether Brexit will make the UK exempt from this law, however the answer is no, in fact if the UK wants to stay in the single market and trade easily it will have to adopt the regulations put in place. This law will be relevant for all companies whether they are in the events management industry or not. Those that hold client or sensitive data, both digitally and physically, including full databases of contact names, addresses, emails and personal information for business use will need to comply with the new legislation.
This article was very interesting to read and thank you for sharing all your tips. The issue was never something I thought about when working in the industry and it’s sad to think hackers will always be one step ahead. The check lists are very helpful and I will definitely use them as my ‘go to’ when I go back into the industry. Thanks!
Thank you Ellie for your comment.
We have found that data protection is an issue not everyone is aware of, and it’s something easily fixed just by common sense! Please do take a check list when you go back in to the industry and share with other event managers to spread awareness of the issue!
This blog was fascinating, I’m not an event manager as such but I attended a lot of corporate events and never second guess where my delegate information is going or kept. Is there protection against what information they could pass along to other organisations?
Hi Stuart, thank you for reading our blog and your comment regarding delegate lists.
Interesting you should ask because under the Data Protection Act, delegates need to be given the opportunity to opt in/out of a list of delegates, if the information is to be issued to a third party. If participants are not given the chance to opt in/out event organisers cannot assume that it’s OK to disseminate your information!
Also, did you know some delegates don’t realise information such as religious dietary requirements (e.g. halal) can also be published to the rest of the event when some people prefer privacy?
So do be careful at events, check where you’re placing your name and private information.
This is a great read as not many event managers will be aware that data protection is an issue within the events industry. I came across this issue when doing my own research on how event managers are using social media due to the advancements of technology. The number of event managers using social media as a promotional tool is increasing and therefore they are more vulnerable to hackers. I feel that the prevention strategies you suggest are not widely known and if they were event managers may not be a victim of cyber-crime. What is the European Commission doing to make data protection better known within the industry? Are they providing event managers with the prevention strategies they can put into place?
Thank you for your interesting comment and query regarding how the issue is being tackled within the industry. The Information Commissioner’s Office is responsible for providing further information on this topic to companies to make sure they are compliant.
Workshops and seminars are becoming increasingly popular in conjunction with the Information Commissioner’s Office to tackle this issue as the new law is coming into effect in 2018.
Attendees on these courses will be better able to understand and apply the necessary rules and regulations to ensure their organisation remains compliant.
Whether Events Managers choose to go on these courses is obviously their choice; however, it is advised, as fines of up to 4% of yearly turnover will be issued if companies have data breaches following the new law in 2018.
Further details on such events can be found here: https://www.eventbrite.co.uk/…/eu-gdpr-general-data…
Thank you for answering my questions.
It is great to see that the Information Commissioner’s Office is helping event managers to prepare for this issue if they are faced with it.
Thank you for the link, I will have a look to further my knowledge of this issue.
This is an interesting subject. With all the information out there being held on numerous devices across an endless network, protecting the content seems almost impossible. Undertaking the suggested 5 simple steps is a great place to start but is there a specific data protection insurance available as a back up for any potential breach?
Hello Kath, thanks for taking the time to read our blog. You are correct it does seem daunting with endless network connections to keep your content safe.
Data Protection Insurance, also known as Cyber Liability Insurance, is designed to protect businesses that hold, process or collect personal data should the data be distorted, stolen or lost. The cause can be accidental or malicious and can involve your own data or third party data.
Many businesses purchase data protection insurance to cover them should they be penalised for a data protection breach under legislation such as the Data Protection Act or by regulators such as the Financial Services Authority or Payment Card Industry. Regarding this, it can be costly, an increasing number of businesses see beyond this and understand the vulnerability that modern businesses face through their reliance upon data.
The vulnerability can come from external risks such as hackers so our blog suggests the idea of not having vulnerable passwords on your technology giving hackers the green light in the first place.
Thanks for the blog, the 5 tips are great!
I have a question on two factor authentication. You mentioned a second password is required to increase your security on your smartphone but can you do the same on a computer?
Hello Josh, thank you for your feedback.
Two Factor Authentication (2FA/TFA) or Multi Factor Authentication (MFA) is a security method which involves at least a second level of authentication as well as the user’s name and password before the user is allowed access to the computer/service; it is not just for smartphones.
For example, some forms of 2FA include a username, a password and a hard or soft token. A token can be a code that changes frequently and matches with its corresponding code in a database but only before that code changes or expires.
There are other forms of 2FA/MFA which authenticate users on top of just using their username and password, such as certificates.
Both methods mentioned above can be used with computers and laptops.
Hopefully the following links will provide you with more information:
Everything seems to be “in the cloud” nowadays but your blog mentions not to store data on there if you can help it. I thought Cloud Services were designed to give you extra storage space without having to buy servers or space in a data centre.
Are you suggesting these services are not secure?
Hi Josh, like you said, Cloud Services are designed to give you extra storage space or to provide services that you can run without the need of servers and data centres. The issue with this is you do not have full control of your security or how the staff handle your data for you.
Companies who provide Cloud services can be certified and recognised by security agencies and can be contracted to uphold a specific level of security to their customers but your data is still handled externally from your company.
On the other hand, Cloud Services can be an efficient and cost-effective way to store your data and externally run other services for your company without the need to buy and maintain hardware.
Do the pros outweigh the cons? That is a question yourself or your company need to consider.
What an interesting read, thank you for sharing. I was not aware just how many companies were affected by data protection breaches and the consequences sound terrible! I will definitely be taking steps to protect myself and my business before the new law is set in 2018.
Thank you Sarah for your comment. Data protection is not industry specific and can affect everyone on a world wide scale. Just yesterday 11 charities were fined for mishandling data which totalled £138,000! More information can be found here: https://www.civilsociety.co.uk/news/ico-fines-11-charities-for-breaches-of-data-protection.html
With hackers becoming more and more sophisticated, how well are the events data protected even with following your advice on data protection?
If you are unsure with what could be a threat in terms of data within an organisation it is best practice to undertake a comprehensive cybersecurity risk assessment which would enable you to: (a) identify cybersecurity risks to the company’s systems, assets, data, and capabilities; (b) implement steps to protect the enterprise and ensure continued operations; (c) develop the ability to detect a cybersecurity incident; and (d) implement appropriate steps to respond to a cyber event.
Companies that understand their security risks and have implemented appropriate policies and procedures are best suited to survive and thrive in today’s digital world. We should not be scared of using technology in the events industry just aware of the potential threats so using your common sense is the best start hence why we have kept the first 5 steps in our blog simple but will be highly effective.
We as event managers certainly didn’t realise the extent to which data protection was an issue. Within the industry I have first hand experienced customer data being handled inappropriately, often collated onto a word document and saved onto the desktop, available for anyone within the organisation to access.
On the flipside, I have been a part of a data hack whereby we had hundreds of customers emails and addresses stolen, which I can assure you was a complete nightmare to try and reassure customers to continue to dine with us.
We will be sure to have a look at the checklist for future reference and definitely take on board some of your content!
Thank you for your comment. It is important that procedures are put into place (especially before the new law comes into action in May 2018). News articles are released every day that concern data protection breaches but there are many that are not released for public knowledge!
Surely it would be best for the company to go through their own security procedures first and foremost before creating a panic amongst their customers when the issue may be able to be resolved. It’s very much like any issue with a customer, you see what solutions there are and if you can solve it without having to panic them then that is the best option. By telling them after ‘this happened, but we solved it’, wouldn’t that provide the customer with the feeling that the company are working hard and have control over the issue?
Obviously, not all companies can solve the issues and we’ve seen that. But should more panics amongst the public be created when the issue may be solved within a short period of time?
Working with an events company that handled customers data frequently including card details on pieces of paper and in some cases getting lost! I will definitely pass the checklist on.
Thank you for your comments Beth. Human errors do happen and make up a large percentage of issues related to data protection breaches. The best practice is to create procedures that are relevant to the company that are simple to understand by all employees (hence why we included our five simple steps).
A very good blog about data protection and also giving helpful tips!
Thank you for your comment. Remember to share best practice with your colleagues and connections in all industries as this is relevant to all sectors around the world.
Comments are closed.