SportsEvents is edited for those who plan tournaments or other sports events.
Issue link: http://sportsevents.epubxp.com/i/769203
www.sportseventsmagazine.com December 2016 13 we have an internal process that says if you access the online bank account you have to use multi-factor authentication or you have to use a token? Do we have a process that says before a payment is sent by anyone in the company, even the president, that someone else has to check that it is a good payment? "Do we have a process to see every system is patched? Because 90 percent or more of cyber exploits happen from things that are known, meaning that Microsoft patches, Firefox patches, Adobe Flash, Adobe Reader, QuickTime — all these applications people use every day on their computers, if they don't have patching turned on, if they don't have a process or program to make sure they are patched, they can go to a website that's infect- ed, they get infected themselves, that allows a criminal to steal money or infect things, or steal a mailing list." Just as businesses vary in size, so do crim- inals. "There are lots of valuable things," Johnson said. "Business just don't think they are a target. And again, they are not a target of Iran, they are targets of criminals of all levels and there are a lot of criminals on the lower tier who make money. "For example, a criminal can make money by infecting a computer. It's a pay-per-infec- tion kind of thing. Someone in the criminal underground will pay someone else to dis- tribute malware that as soon as I get infected it phones home to the payer, the person who is going to pay me as a low-level criminal, and if I can infect 10,000 machines, I can make $1,000. There's money to be made in the criminal underground that makes just about everything a person does online have value. Your company might not make a lot of money in net profit but you might have thousands of dollars flowing through your company." Reviewing your structure is key. A list where to find checklists for security is below. But assuming you have security is dangerous. REVIEW AGREEMENTS "If you pay a larger company, an IBM or someone to outsource your security, you should look at that agreement," Johnson said. "The more formal company, like IBM, will have language in their contract that will explicitly state how much security focus that company is accountable for and it probably won't be very much. "Unless you've specifically said we want you to patch our computers, we want you to secure our website, and we want you to test our system periodically and test our users periodically, these are all the things more mature organizations will do if asked. But if you are on the smaller end of that spectrum, then you just need to have a good conver- sation with who is providing your system to find out how much training they've received or how confident are they at having a security program. Everybody can't hire a security manager, of course, but if you at least assign accountability to someone in the organiza- tion, that person can be sure that all the check boxes are checked." The popular use of mobile apps for events is an area that needs to be reviewed for each company. "The biggest risks with mobile apps is they get into your device and take control of every- thing," Johnson said. "If you are looking for an app, you should be asking, is this app secure? Is it asking too much permission? If it is just an app for a schedule, why does it need access to the camera and the microphone and the email account and contacts list? Those are the things you should ask the app provider. How is your app secure? What does it do exactly? "Because if you distribute an app and some- one says, wait a minute, this is a security risk and starts to make a lot of noise about it, think about the reputation liability of that decision. If purchasers don't start holding app develop- ers accountable, it will take a long time before they start to do the right thing. Because if people still buy the app even though it isn't secure, and they still pay for it, there is no incentive for the developer to spend money and make it secure." RISK CHECKLISTS Cyber security needs to be part of every event checklist of risks. "You make sure the food provider doesn't serve spoiled food," Johnson said. "That is part of your due diligence. Same for cyber service. Is this safe for my users? You ask the same of app providers. "It's a fine line because you don't want to be so scared you don't engage. Because there is a lot of benefit and good from these technology changes and programs. But you don't want to be the first one out there blindly breaking through the forest without even worrying what's on the other side of the trees. You need to be aware and protect yourself the best you can. It is just another thing you have to account for to make sure your business is successful." Johnson encourages businesses to think about cyber risks the way they would view any risk. "In the early days of those other risks, you might not have been very knowledgeable but you reached out to professionals and others to help you and now those risks are old hat," Johnson said. "I'm sure you have medical professionals on site, you have arranged and have capacity at the local health facility, you have insurance, you have all these things to manage the risk you know could happen but might not. Cyber is the same way. You have to make those same investments to make sure you have all those risks covered." When compiling information for registra- tion, privacy issues must be reviewed. "Think about privacy and how important it is especially to families," Johnson said. "I don't want my private information out there. But if my kid's stuff is out there, I get extra con- cerned. There is an added level of awareness and heightened level of concern. You have to take more preventive measures and steps. If as part of registration, you have names, address- es, ages, genders, maybe photos — those are all potential targets from a privacy perspective for people who want to do yucky things. "Stealing a kid's identity is especially lucrative, if you can get a kid's Social Security number you can open accounts. You won't even know it until your kid goes to buy a car. Only collect the information you absolutely need because you don't want to be held accountable for information you didn't need. If you think you need it, make sure you really need it, especially if it is sensitive." n ONE- on- ONE t CHECKLIST LINKS: • staysafeonline.org/business-safe-online/ • transition.fcc.gov/cyber/cyberplanner.pdf • stcguide.com/explore/small-business/ • ftc.gov/tips-advice/business-center/guidance/start-security-guide-business