Paratus: “The issue we keep coming back to is that we are a human interface with technology”

We are facing today the biggest spiraling cost crisis in a generation, and as a result, convention centres will have to rethink their spending volume and protect themselves from external threats. Cyberspace plays a major role in this matter and the digitalisation of services has only increased the risks of cyber-attacks. They can be aimed at causing political chaos in a campaign or leaking confidential information; in either case there is a constant stream of risk happening throughout the lifecycle of the event – from registering attendees to sharing data.

At the last AIPC conference in Budapest we met Robert McClure, managing director of the cybersecurity company Paratus, who recently started an interesting security project with AIPC. Find out below:

1) What risks does cyber crime pose to our entire event ecosystem?

The two big priorities are IoT and data security. During the pandemic, many people had to work from home relying on digital communication. However, where we really started to see a zenith point was in IoT as it would allow you to manage the space without human convention − opening air lines or ducts, controlling temperature, locking doors or windows. Things like these should start to make their way into the industry. These IoT censors will serve both as a service for their customers and to save internal costs. Regarding data, not all Convention Centres (CCs) take the same stance on the issue, but all regularly handle a large amount of it. Normally, when an attendee registers for the event, the organisation collects more than fifteen pieces of personally identifiable information (PII). This is the stuff that hackers love, as it gives them the ability to replicate personal information online. For example, on the dark web, a Facebook account full of PIIs is more valued than a PayPal account full of cash. There is a risk in managing this data that, if not done properly, can carry a high risk for delegates and organisers alike.

2) Please tell us about what you are doing together with AIPC to safeguard CCs in this regard.

For establishments the size of CCs, there are several risks that are often not known. In terms of footfall, they have roughly the same usage as an airport. However, we are now entering a realm where CCs are increasingly immersing themselves in digital. Whether this is due to a ground event using the venue as a digital twin, or by scattering a wider audience for reasons of a particular outbreak, flight issues, etc. What we decided with AIPC was to hold a wake-up call for all these threats to each of its members. We called this the AIPC cyber act − an inbox where AIPC affiliates could submit completely anonymous information around a recent attack that could compromise those centres’ events. Unlike many companies, CCs can map their working processes because they are physically connected to one location. The key point of this action was to design a data sheet that would compare attacks with the same characteristics by analysing the same attack patterns in two different CCs. Like if some hacker interferes with the AC system by putting an unbearable cost on site. This could begin to provide some answers to the puzzle, as it could lead to surveying cyber details that no consultant, industry, or government currently holds. Certainly, this cyber conversation will stand firm as many of these attacks will continue to go unnoticed.

"I will go further by saying that data will be a key construct in designing business strategies for CCs in the coming years."

3) What options would you recommend to counteract these types of threats and prevent their spread?

They can go back to their own security review ports; review their investment in cyber resilience; a more emphatic training for staff; enforce terms and conditions on cybersecurity; prevent the use of personal devices causing harm to the event. These are small things we can do in a very straightforward way. That’s where this cyber act came from: an entirely free system to understand the collective risk of all AIPC members. Once we have a broader understanding of this data, we will be able to determine whether or not a geographical area had a higher incidence in that period. For example, if a CC in Frankfurt was the target of an attack we can begin to trace a series of patterns from one event to another. Another important issue is the presence of several different teams when setting up an event. Usually the event organiser brings in a third party staff, often ending up with hundreds of people in that space. So, if an attack occurs at an event where does the responsibility lie − with the centre or the organiser? At the AIPC conference, we warned of the need for a cyber liability form, emphasising cyber awareness for employers and calling for cyber insurance for attendees. This would be able to shift liability from the space holder to the event organiser.

4) Do you think that, in the near future, venue managers will change the structure of their facilities in line with these new cybersecurity strategies?

Absolutely. Often, cyber-attacks happen at the very moment when events are taking place. One of the major issues raised at the last AIPC congress was that cybersecurity is still something that is little discussed. People don’t associate cyberspace with physical access in a venue, but they also find it too complicated and solvable enough with a simple Android system. To move to a next stage, we need to determine the current cyber capability within their centres in order to create relevant policy. We will have to take some centres that are leading this work, keep them at that level and use them as a showcase for smaller entities. Creating a basis for an AIPC cyber level or an industry standard, where we can build up those policies and procedures. We need to have a better understanding of the cyber world we live in, just as we understand climate change and sustainability. The internet is reinventing itself at a frantic pace with 5G and the IoT, and the expansion of internet-connected devices is projected to be over 5 billion a year. We can already check out the success and monetisation that companies, institutions, entities created when they took their first steps with technology. I believe this is where AIPC is bringing a real breakthrough − in integrating technology with services and safeguarding them.

"(...) on the dark web, a Facebook account full of PIIs is more valued than a PayPal account full of cash."

5) What strategies do hackers often use to breach security systems?

By the way, what does exactly “breach” means in this context? It’s a combination of many things. When overhauling a car, you need to check tire pressure, engine oil, electrical system, etc. − it’s a bit the same thing with cybersecurity. Keep your staff aware of these dangers and learn about the latest cybersecurity threats. Also, make sure your system updates with backups in place. If you have a ransomware attack, you can use the latest backup without catastrophic losses. Just to give you an idea, a breach could be an email from someone wanting to organise a party at your CC with a link that contains the event’s specifications. If you’re on the sales team, the first thing you’re likely to do is to click, right? Well, that event proposal can trigger a breach by opening a malicious system – spear phishing. In another metaphor, if an organised group of people starts clicking on a URL at the same time, it could bring that domain down, leading to a distributed denial-of- service (DDoS) attack − it could block the website of a political rally, for example. These are the most basic, but of course there are more advanced ones that can be operated via smartphones or social networks. The issue we keep coming back to is that we are a human interface with technology. So what is expected of a human interface if there is no investment in it?

6) We often say in our industry that content is king: however, can we claim now that data is the true “cyber king”?

I think data has been the “king of this jungle” for a long time. GDPR, for example, is a striking case where data is considered both an asset and a liability. Data is already playing a massive element in our lives, even if it is relatively discrete at the moment. The main interaction that data will play will primarily be in two areas: social media and shopping. In this way, a supermarket may provide you with a customer card and depending on the products you buy regularly, you will get discounts according to your shopping history. Cumulatively, the new generation of data will expose the consumer to even more detailed information. On the other hand, Facebook already directs you to pages and videos according to your browsing pattern, and even if you don’t follow a certain page, the system can take you to it to monetise ads. Now, the earliest forms of data were obviously binary in nature − yes or no − but the complexity of what we are seeing, leads us to believe that computers could now rely on emotions. For these computers to work, you need to deposit huge amounts of data so that they can forge response equations. For a CC, data can lead to better use of space: to understand consumer trends and meet customer loyalty. That’s why, more than ever, everyone is looking for data to create a competitive advantage. This could help prepare a shuttle bus to the hotel where an association is staying, for example. I will go further by saying that data will be a key construct in designing business strategies for CCs in the coming years.