SportsEvents is edited for those who plan tournaments or other sports events.
Issue link: http://sportsevents.epubxp.com/i/769203
December 2016 12 www.sportseventsmagazine.com people don't know where to start and they don't know how significant the problem is," Johnson said. "They don't realize that if they've got mailing lists and online registra- tion and apps they are purchasing from larg- er providers, all these things are targets or what I call 'attack surfaces' or opportunities for bad things to happen. The more complex your opportunities are, the more bad things that can happen." Johnson said the biggest danger any business or organization faces is denial: the concept that they are not targets. "While you probably aren't on the radar for Russia or a nation state as, for example, an upper Midwest Volleyball Association, you are certainly valuable in terms of your mail- ing list for spear-phishing or possibly profiles of people for extortion — although we are probably getting a little extreme there. "Another problem for these small busi- nesses is they have a website. Everyone has to have a website. If they are relying on volunteer services or lower cost services to build their website and secure it, security is probably not a priority. And so it can be used to infect all their visitors. It can be used to infect registration visitors and advertiser visitors, causing a lot of reputation risks if it comes back that someone got infected on your website. That could be very damaging to your company as well." With a plethora of technology advances available for companies of all sizes, it's easy to overlook the security concerns. "The more complex your business — the more things you do with your organization — that is generally a good thing. But I would assume if you are delivering a lot of services, if you are growing and successful, that's a positive thing overall, but those things increase your cyber risk. "Remember that investing in an app for your event is expensive but it has a lot of div- idends in terms of engagement and return business benefits. But did you remember that that you have to make sure that app is secure? Did you pay money to a professional to make sure it is secure? The investment has to be more than just the capability of the app, it must be secure." DO RESEARCH Johnson said the ease and availability of technology make it attractive but the buyer must beware. "A lot of small companies don't get that far to check on security because they are only thinking that they want to compete with the big companies. They want to have the same features and functions that the big compa- nies have. So they just buy the app and put it out there. But they just don't understand the logistics of just doing that in a secure fashion. "They skate along. Most don't get impact- ed. But if they are unlucky enough to get infected, someone could take over their web- site, start infecting their visitors, steal their mailing lists, get into their bank accounts, get spear-phishing emails coming into their organization and requesting a payment for a venue." Cyber criminals take advantage of typical business practices that can appear ordinary. "You know, you get an email requesting $50,000 payment to the civic center in Omaha to make a down payment for this event and you pay it and find out it wasn't the account of the civic center, that it was a fraudster's account and they just stole $50,000 — that can be enough to break a company," Johnson said. "The company might be accustomed to making payments, so this fraud can work into that process. So normal business activity can fall into this criminal activity. That com- placency is how the fraud attacks work." GET STARTED So, where does a company begin to review its cyber security? "For larger national organizations that have a lot of employees and workers, com- plexity is a lot of opportunity for bad things to happen," Johnson said. "The more mature, the larger you get the more you should be focusing on security. Even at that large size, it might be hard to hire IT security internally. But what resources you do have, you must make sure your resources are funded for security expertise. "A help desk person or really smart IT person is invaluable to make sure your business keeps running. But they might not be focused on security or have the training expertise and experience to know that they can't put that website out like that because it is vulnerable. They don't necessarily know the technical pieces to make sure things are secure." No matter what the size of your business or organization, cyber security needs to be part of the discussion on technology. "On the smaller end of that spectrum, you clearly won't have a full-time IT person with security training and resources," Johnson said. "So you are relying on a contractor or outside provider of some sort, but again, you have to fund at least a little bit toward security if you expect to have security. "I work with a lot of small companies and they have a contractor they trust and does a good job, and that person is probably very conscientious and wants to help them deliver good service and be secure. But if they aren't focused on security or don't have the training, they are only as good as what they've heard or seen online and their experiences will be limited. People need to get into the mindset that you have to fund security, at least a little bit. It can't just be that we hope and pray that we don't get impacted." KEY QUESTIONS The discussion needs to evaluate everything concerning technology. Some questions are obvious, some not. "You have to ask, how are we securing our website?" Johnson said. "Who is responsible for that? Do we have tests? Has anyone dou- ble-checked that test? Did we have someone who knows what they are looking for check it? How about our internal practices? Do ONE- on- ONE t "90% or more of cyber exploits happen from things that are known, meaning that Microsoft patches, Firefox patches, Adobe Flash, Adobe Reader, QuickTime — all these appli- cations people use every day on their computers" ''