Darren Gallop is the CEO and co-founder of live event management software firm, Marcato, which specialises in the creation and development of web-based logistics management solutions for live events. Darren and his team serve over 300 world-class organisations, including festivals such as Coachella, Osheaga, CMA Fest, Iceland Airwaves, Eurosonic Noorderslag, and events like the X Games and Burning Man. Gallop has over 20 years of experience in music, tech & live events. He started his career in 1995 as a musician, subsidising his income as a freelance computer repair technician where he worked primarily with music, video and design firms. In 2005 Gallop opened a recording studio which later evolved into an EMI Canada affiliated label. In 2008 Gallop launched Marcato with the focus to digitise festival management; creating more efficient workflows for live events. Gallop dedicates a lot of time to personal and professional development, most recently having earned his certification as a CISSP (Certified Information Systems Security Professional).
Over the last decade the festival space has adopted a variety of new technologies. Both festivals and supplier partners process and store huge quantities of personal and confidential information about their patrons, partners, employees, investors, artists, volunteers and more. This information is also stored on a number of devices, including desktops, laptops, cell phones, USB sticks, cloud storage services, and third-party software-as-a-service platforms.
The sheer volume of data being captured has been steadily increasing, and so have the types of devices and services where this data is being stored. With the increasing prevalence and sophistication of cybercrime, it has become apparent that as our data processing and storage needs expand, so does the threat posed to the live events industry.
It’s worrisome that a significant percentage of festivals and events have invested little to no financial or human resources in developing or implementing cyber security programs within their organisations. As a cyber security professional and the CEO of a software company that has worked on over 700 events, I have witnessed first-hand this lack of information security in the festival space. The same goes for the many technology companies that organisers work with to make festivals happen.
Cyber security is a rapidly shifting topic, and every country, state and province has its own laws and regulations governing it. It's incredibly important to know how your organisation might be impacted.
If your company breaks privacy rules or suffers a data breach and you're unable to prove that it practised a reasonable amount of due diligence, it could face legal consequences. In some cases, directors and officers may even be criminally liable!
To help with this we’d like to share some tips that will assist in keeping your data safeguarded:
1. Ensure your staff is aware of cyber security best practices and trained on your company’s security policies and procedures. That is, assuming you have cyber security policies and procedures defined for your organisation. If you don’t, this is the first place to start.
Once the policies are in place, it's critical that they be followed. Letting them collect dust somewhere will not make your organisation more secure and likely won't be sufficient in court to prove you exercised due care and due diligence. Have you ever trained your team in best practices? Do they know how to spot phishing emails and other common social engineering attacks?
A small investment of time and money can go a long way in shoring up one of your largest attack surfaces: your people. Most breaches involve an element of tricking someone: social engineering tactics that lead a person to divulge some piece of information critical to the success of the attack.
2. You must enforce a secure password policy. If your team reuses the same password across several services and it is compromised at one of them, an attacker can simply try it against the others (this is known as credential stuffing). If individuals are using passwords like their phone number or their dog's name, those passwords are far easier to guess or brute force. A password manager makes long, unique passwords practical, and any new password should be checked against known breach lists before it is accepted.
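As an added example (not code from Marcato or from the original post), the Python below implements the two checks that matter most in a password policy: screening a candidate against a breach corpus using the k-anonymity range query that the Pwned Passwords API supports (only the first five characters of the SHA-1 digest ever leave your network), and rejecting passwords built from personal details such as a pet's name or a phone number. The minimum length of 12, the staff details and the range response text are constructed for the example; the `fetch_range_online` function shows the real request but the demo runs entirely offline.

```python
import hashlib
import re
import urllib.request

MIN_LENGTH = 12  # policy choice assumed for this example; NIST SP 800-63B sets 8 as the floor


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """k-anonymity split: only the 5-character prefix is sent to the API;
    the 35-character suffix is matched locally against the returned list."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def fetch_range_online(prefix: str) -> str:
    """Real lookup against https://api.pwnedpasswords.com/range/<prefix>
    (not called by the offline demo below)."""
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in known breaches, or 0.
    fetch_range(prefix) must return the 'SUFFIX:COUNT' lines for that prefix."""
    prefix, suffix = split_for_range_query(password)
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def _normalise(text: str) -> str:
    return re.sub(r"[^a-z0-9]", "", text.lower())


def personal_terms_present(password: str, terms) -> list:
    """Terms (names, pet names, phone numbers, birth years) whose normalised
    form appears inside the normalised password, e.g. 'Rex' in 'Rex2017!'."""
    haystack = _normalise(password)
    return [t for t in terms if len(_normalise(t)) >= 3 and _normalise(t) in haystack]


def evaluate_password(password: str, personal_terms=(), fetch_range=lambda prefix: "") -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hits = breach_count(password, fetch_range)
    if hits:
        problems.append(f"seen {hits} times in known breaches")
    found = personal_terms_present(password, personal_terms)
    if found:
        problems.append("contains personal information: " + ", ".join(found))
    return problems


# Constructed stand-in for the API: one response, for prefix 5BAA6, which is the
# prefix of SHA-1("password"). The second suffix is the real remainder of that
# digest; the counts and the first suffix are made up for the example.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n",
}


def offline_fetch_range(prefix: str) -> str:
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    staff_details = ["Rex", "902-555-0199", "1985"]  # constructed: pet name, phone, birth year
    for pw in ("password", "Rex9025550199!", "correct-horse-battery-staple"):
        print(f"{pw!r}: {evaluate_password(pw, staff_details, offline_fetch_range) or 'ok'}")
```

To use this for real, pass `fetch_range_online` instead of `offline_fetch_range`; the full password, and even its full hash, never go over the wire. The personal-details check works best when fed the same details a social engineer could find on public profiles, which is exactly why those make poor passwords.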
3. Also, make sure devices are password protected, auto-lock is activated, and devices are backed up and encrypted. It's very simple to password protect all of your devices so that if they are lost or stolen your data is not easily accessible, but a login password alone is not enough: the disk itself must be encrypted. Without disk encryption, it takes less than five minutes to break into a Mac or PC, and you don't have to be a computer guru or experienced hacker to do it. Search 'How to reset my admin password on my Mac' and you're given step-by-step procedures that anyone can follow, resulting in full access to the files on that computer. Pulling the drive out and attaching it to another machine works just as well.
You can also search 'How to encrypt my Mac or PC's hard drive'. Both platforms ship with built-in full-disk encryption (FileVault on macOS, BitLocker on Windows), and the instructions you find will significantly improve the security of your portable computer and the data it contains. Encrypt your backups too; an unencrypted backup undoes the protection on the laptop.
Honestly, there is no excuse for skipping this level of protection. Your device is full of private, personal, and confidential information.
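Turning encryption on is one thing; knowing it is still on across every laptop in the organisation is another. Here is an added example script (not from the original post) that reads the status from each platform's built-in tool: `fdesetup` on macOS, `manage-bde` on Windows and `lsblk` on Linux. The parsing is separated from the command execution so it can be exercised against the constructed sample outputs embedded below; those samples are abbreviated stand-ins for what the tools print, not captured from a real machine.

```python
import platform
import re
import subprocess


def filevault_enabled(fdesetup_output: str) -> bool:
    """macOS: `fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'"""
    return re.search(r"FileVault is On", fdesetup_output) is not None


def bitlocker_protected(manage_bde_output: str) -> bool:
    """Windows: `manage-bde -status C:` includes a 'Protection Status:' line.
    Protection must be On; a 'Fully Encrypted' volume whose protection is
    suspended leaves the key exposed, so that still counts as off."""
    m = re.search(r"Protection Status:\s*Protection (On|Off)", manage_bde_output)
    return bool(m and m.group(1) == "On")


def dm_crypt_active(lsblk_output: str) -> bool:
    """Linux: `lsblk -no TYPE` prints one device type per line; 'crypt' means a
    dm-crypt (LUKS) mapping is active. This proves some volume is encrypted,
    not necessarily the whole system disk."""
    return any(line.strip() == "crypt" for line in lsblk_output.splitlines())


def _run(cmd):
    """Run a command and return its stdout, or '' if the tool is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def check_this_machine():
    """Return (tool_name, encrypted) for the machine the script runs on."""
    system = platform.system()
    if system == "Darwin":
        return "fdesetup", filevault_enabled(_run(["fdesetup", "status"]))
    if system == "Windows":
        return "manage-bde", bitlocker_protected(_run(["manage-bde", "-status", "C:"]))
    if system == "Linux":
        return "lsblk", dm_crypt_active(_run(["lsblk", "-no", "TYPE"]))
    return "unknown", False


# Constructed, abbreviated sample outputs used to exercise the parsers offline.
SAMPLE_FDESETUP_ON = "FileVault is On.\n"
SAMPLE_FDESETUP_OFF = "FileVault is Off.\n"
SAMPLE_MANAGE_BDE_SUSPENDED = """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
"""
SAMPLE_MANAGE_BDE_ON = SAMPLE_MANAGE_BDE_SUSPENDED.replace("Protection Off", "Protection On")
SAMPLE_LSBLK_CRYPT = "disk\npart\npart\ncrypt\n"
SAMPLE_LSBLK_PLAIN = "disk\npart\npart\n"


if __name__ == "__main__":
    tool, ok = check_this_machine()
    print(f"{platform.node()}: {tool} reports disk encryption {'ON' if ok else 'OFF'}")
```

`manage-bde` needs an elevated prompt on Windows; `fdesetup status` and `lsblk` work as an ordinary user. Run it from whatever you already use to reach the laptops (a login script or your device-management tool) and collect the one-line result per machine so the exceptions stand out.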
4. Ensure that your third-party vendors have satisfactory security programs in place and trained security professionals on staff. If they do not, ask whether there is independent verification: compliance certification, audits, and penetration testing of their software systems and servers. There are many frameworks companies can follow to show they comply with best practices (ISO 27001 and SOC 2 are common examples), and it is critical that they comply with at least one.
Make a list of every third-party service you use, then list the types of data stored and / or processed by each vendor. Ask yourself 'What are the repercussions for my organisation if this data were deleted, inaccessible, or leaked to the public?' If any of these scenarios would have a detrimental impact on your business and reputation, then you need to ensure that your third-party data processors are following best practices to prevent them. Where you can, get that assurance in writing in your contract, including how quickly they will notify you of a breach.
5. Do you and your critical vendors have Business Continuity Plans (BCP) and / or Disaster Recovery Plans (DRP)? Does your staff know what to do if something goes wrong? A robust information security program implemented across your organisation and vendors will go a long way towards preventing most incidents. But, like seat-belts and airbags, it cannot prevent every tragedy.
This is where Business Continuity and Disaster Recovery Planning come into play: when, despite all of your safeguards and precautions, a critical system goes out of commission and key data disappears, or confidential information is leaked. What happens next?
Without a plan, most organisations panic and scurry about frantically, and the pressure leads to poor decision making during the critical recovery period. Set aside a few hours to walk through 'What would we do if…' for each of your biggest threats, as a tabletop exercise. This can be a game-changing practice that almost always results in additional countermeasures, and it also tells you whether your backups can actually be restored before the day you need them.
This blog is meant to provide a starting point for implementing information security within your festival or event. Due to the rapid progression of festival and event technology and the evolving needs within the space, this is an ongoing and continually developing subject.