It seems like every week we hear and read about companies experiencing devastating breaches in data security. The latest victim, Yahoo, should make everyone concerned about any third-party technology being utilized for business, personal use and, especially, meetings and events. Corporate clients should be made aware of what data is collected and how it is stored, used or shared. It has been estimated that only 3 percent of total users read privacy policies. Worse yet, many who see a privacy-policy hyperlink assume that means their data is kept private. If you are guilty of not reading the fine print of your technology partner’s policy with regard to privacy, you really need to review the verbiage (yes, I know it is boring and full of legalese), or at least get your IT and legal departments to review it and call out areas of concern.
Travel managers, champions of strategic meetings management programs, event/conference planners and managers should make it their job to examine and identify potential areas of risk with regard to data protection and security. Currently, most technology requests for proposal contain few or very basic questions. And even these are likely not regularly reviewed or updated by corporate IT departments for data-security worthiness. It is just a matter of time before we hear and read about a serious breach in data security for a meeting or event.
Unfortunately, a precedent of sorts already has been set by a few notable conferences where mobile-app data was compromised. While it was contained at the mobile-app level, the whole situation could have been worse if the very sophisticated hackers who tap systems for a living had really focused on corporate client vulnerability via meetings and events. Hackers are always searching for, and exploiting, the weakest security links to gain access to corporate servers. Unfortunately, the most vulnerable are the remote activities that generally take place via a laptop, mobile phone, app or tablet, especially those not using a VPN to protect remote workers, attendees and business travelers.
Shockingly, many meeting and event leaders seem to feel that data security and protection are not directly part of their job or priorities. The fact remains, however, that whether or not it is explicitly outlined in your job description, if a serious data breach happens on your watch and at one of your events, there will be fingers pointed at you for not taking data security more seriously, especially if the breach came from any technology suppliers you contracted.
Technology gathers a lot of valuable information; consider how much information is collected for event registration, travel arrangements, payment data for guarantees and deposits, etc. Whether you are aware or not, some of your own technology partners can also use your sourcing information for internal and external marketing purposes unless you prohibit that via a strongly worded terms-and-conditions clause in your contracts.
Here are some tips you can follow in vetting your own potential vulnerability with regard to data protection:
1. Validate your own corporate IT data security standards, then find a champion in corporate IT who can help you with RFP-question development, standards for logistics-management security, and periodic technology platform audits for security, encryption and server-system upgrades and updates.
2. Review and include these data-protection standards annually if not twice a year to ensure your meetings and events don’t inadvertently provide a new easy entry point for hackers to exploit.
3. Always access your event and meeting information via a corporate VPN.
4. Review WiFi and security for all venues you are sourcing and using for your events and meetings.
5. Review and update any current RFP questions about technology platforms and security protocols. These should especially focus on what steps and actions they will take the moment a data breach is discovered. Make sure you include a reasonable action-response time and put that in writing.
6. Do a data-security audit, especially if you haven’t done this before or haven’t done one since you first implemented your technology partner. You should do data-security audits annually, especially given all of the active foreign and domestic hacker activities.
7. Read the fine print, and don’t assume someone else has done that.
Most buyers don’t read the fine print and generally assume that their standard forms provide enough coverage and protection for their companies. Typically, you see clauses like:
1. Can you agree to the terms and conditions in the Supplier Privacy Addendum attached?
2. Please complete the Provider section of the attached NCR SaaS Security and Privacy Questionnaire and return along with your proposal.
Unfortunately, a large majority of buyers don’t even review and read the addenda and questionnaires with regularity. Are these questions and addenda still relevant? Do your IT security and legal departments need to make any changes or updates to these documents? The danger in this area comes from being on autopilot and assuming this responsibility is not yours.
Data breaches happen at all levels, and even the smallest cases can result in serious challenges and issues for victims. I’ve personally been a victim of data-security compromises both internally and externally. Unfortunately, the actions one must take to try to safeguard personal information are not only painfully inconvenient, they can seriously compromise one’s own personal estate and credit ratings.
In today’s world, individuals and companies cannot take anything for granted. We can and should pay attention and try to mitigate any illegal attempts to compromise and exploit our company, individual and attendee traveler data. Don’t procrastinate taking action in such a vital area – address it with your immediate attention and vigilance now.
Kevin Iwamoto is senior consultant at GoldSpring Consulting. You can follow him on Twitter @KevinIwamoto. His book, Your Personal Brand: Your Power Tool to Build Career Integrity, is available from Amazon (including a Kindle version), as well as from CreateSpace.