The very public and recent data breach of an event application in the UK has brought to the fore the need to plan for potential data breaches. Whilst a Professional Conference Organiser (PCO), organisation or company can take all possible steps to minimise security risks, in the current technological environment there is still a growing possibility of breaches or misconduct.
Here’s what happened:
- CrowdComms decided to engage multiple vendors for their event technology needs
- An application procured by another vendor suffered a very public data security breach
- Private delegate profiles within the app were accessed and/or modified by an unintended individual
How do companies and organisations prevent security data breaches?
Every entity should ensure that it, or its providers, has comprehensive security measures in place to minimise the risk of a breach. When engaging with suppliers, ask for their security policies, whether they have a disaster response plan in place, how they manage payments, which portals they use, and more. As an NFP or Association, it is your responsibility to ensure your members’ information is being protected, whether by your own services or by a third-party supplier’s.
We suggest as a minimum:
- Up-to-date security software including malware and firewall protection
- Security risk assessment in place
- Security data breach response plan
- An annual review of the information being stored by the organisation. Is each item necessary? In the case of a breach, what would an intruder gain access to?
If you are unsure, open a dialogue and find out. Engage with professional IT suppliers if necessary to understand what is being done currently and what could be improved!
“But if someone chooses to hack us, they’re going to do it anyway.”
This is an almost “why bother” approach to security. We strongly believe that the less you do, the more of a target you make your organisation. The more walls someone has to climb to reach your information, the more likely you are to deter them from starting.
The process, at a minimum, should be about risk minimisation and harm reduction. If someone truly wishes to target your organisation, would you prefer to have only the names and email addresses of all your members accessible, or their full payment details, addresses, phone numbers and more? It is important to retain only the data necessary for the functioning of your organisation, thereby reducing the potential harm caused in the case of a comprehensive security data breach.
Let us know what you do to keep your association and its delegates safe at firstname.lastname@example.org
The TAS Team