Cybersecurity and events – new challenges to overcome for secure events in 2025

Cybersecurity issues continue to multiply, and our customers are increasingly turning to us for help with these matters: security documents to fill out, intrusion tests, etc.
When asked whether a particular site or event is at risk, the answer will unfortunately always be yes. With our monitoring tools, we see almost daily intrusion attempts across all the domains we manage. These cyber threats are not necessarily targeted at us or the events we host, and are generally carried out by opportunistic bots looking for known vulnerabilities in any system.

Cyber threats for professional events: how to prevent attacks

It is therefore important to remain vigilant at all times and take a proactive approach to ensure maximum protection for ourselves and our customers' data. With this in mind, we have been conducting intrusion tests on our systems for several years and have taken the initiative to obtain ISO 27001 certification in 2023. This has enabled us to gain maturity and strengthen all our internal procedures, the choice of our partners, and risk management.

Cybersecurity tips: raising awareness among teams about targeted attacks

Many successful attacks are not carried out solely by discovering vulnerabilities, but rather through social engineering: phishing, obtaining information from an internal source, etc. One of the weak links in the system is the human factor, so it is important to raise awareness among all employees about the risks (as well as best practices in terms of privacy and GDPR compliance). 

🔐 Secure access: passwords, SSO, and identity management

It is also important to limit risks related to passwords on event platforms:
• Do not reuse passwords
• Do not use weak passwords
• Do not write passwords on sticky notes...
=> Make widespread use of password managers and encourage the use of SSO* so that passwords are no longer needed everywhere. We encourage all our clients (event agencies or advertisers' communications departments) to use their SSO to log in to the back office (or to event websites for internal events).

* Single sign-on (SSO) is a session and user authentication service that allows a user to use a single set of credentials (e.g., username and password) to access multiple applications. SSO can be used by businesses, small organizations, and individuals to reduce the burden of managing many usernames and passwords.

👨‍💻 Secure development: applying OWASP best practices

Developers and designers must also be made aware of the most common risks, including the OWASP Top 10.
We always seek to work with secure partners and proven libraries (for example, to block SQL injections).

This also involves monitoring vulnerabilities in dependencies: if a vulnerability is discovered in a dependency that was previously free of vulnerabilities, it should be updated. 

Event risk management: identification, classification, and handling

This is one of the key points that ISO 27001 has enabled us to work on: taking the time to clearly list all risks (to the security or availability of our services), implementing countermeasures, and testing them.

A backup (for data) or a plan B (in case of crisis) is only valuable if it has been tested and you are confident that it works. If you have to restore a backup only to realize that it has been empty for months, it's too late.
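One way to automate the check described above, as an added example that is not Appcraft's own code: it opens a backup read-only and reports whether it is unreadable, empty, or stale, going slightly beyond the "empty backup" case in the text. It assumes the backup is a SQLite file with a hypothetical `registrations` table whose `created_at` column holds ISO 8601 timestamps with a UTC offset.

```python
import os
import sqlite3
from datetime import datetime, timedelta, timezone

def verify_backup(path, table, ts_column, min_rows, max_age, now=None):
    """Return a list of problems with a SQLite backup file; [] means it passed."""
    # Names come from operator config, never user input; still restrict them.
    if not (table.isidentifier() and ts_column.isidentifier()):
        raise ValueError("table/column names must be plain identifiers")
    if not os.path.isfile(path) or os.path.getsize(path) == 0:
        return ["backup file is missing or zero bytes"]
    now = now or datetime.now(timezone.utc)
    problems = []
    # Open read-only so the check itself can never alter the backup.
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        if conn.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
            problems.append("integrity_check failed")
        found = conn.execute(
            "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
        ).fetchone()
        if not found:
            return problems + [f"table {table} is missing"]
        count, newest = conn.execute(
            f"SELECT COUNT(*), MAX({ts_column}) FROM {table}"
        ).fetchone()
        if count < min_rows:
            problems.append(f"table {table} has {count} rows (minimum {min_rows})")
        # Assumption: timestamps are ISO 8601 strings carrying a UTC offset.
        if newest is not None and now - datetime.fromisoformat(newest) > max_age:
            problems.append(f"newest row is from {newest}, older than {max_age}")
    except sqlite3.DatabaseError as exc:
        problems.append(f"backup could not be queried: {exc}")
    finally:
        conn.close()
    return problems

def make_sample_backup(path, timestamps):
    """Constructed sample data: a tiny 'registrations' table, one row per timestamp."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE registrations (email TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO registrations VALUES (?, ?)",
        [(f"guest{i}@example.test", ts) for i, ts in enumerate(timestamps)],
    )
    conn.commit()
    conn.close()
```

Run on a schedule against a restored copy of each backup, a non-empty result is the alert that would otherwise only surface on the day a restore is needed.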

Conduct security audits and penetration tests

No matter how carefully you plan, zero defects are rare, bugs can exist, and it is advisable to actively search for them.

The pentests we carry out are always highly informative, whether in terms of successes (where the pentesters were unable to achieve anything) or areas for improvement.

If you have never had a penetration test carried out, I urge you to do so quickly: perhaps your system is already very secure (and I hope it is), but you may also be in for some surprises...
And the methodology used corresponds to the types of attacks you are likely to suffer, so anything that can be discovered is worth patching.

Cybersecurity solutions for events: Appcraft's secure CRM

With Appcraft's CRM platform, bring all your tools together in one place and create a seamless event experience for your attendees, guests, and exhibitors. You can manage registrations, attendees, and content in one place.
