Imagine having to announce to your attendees that you’ve experienced a security breach and that their private information has been made public. It’s vital to keep your information safe—for both your meeting attendees and your organization. But it can be overwhelming tracing the path your data takes, evaluating your event app vendor and meeting your IT department’s strict guidelines.
How can you be confident about your mobile event app security? Asking the right questions and ensuring appropriate third-party testing is a great place to start. The following is a primer aimed at removing the mystery and making it easier to discuss event app security with your vendor.
Eight areas to consider with questions to ask to be sure your app data is safe
1. Vendor Processes—All the technical security in the world won’t matter if your vendor doesn’t have security controls in place for its employees and processes.
Q1: Are employee background checks performed?
Q2: Do employees undergo regular security training?
Q3: Are disaster drills conducted, and are response plans in place, in the event of a security breach?
Q4: Do you have third-party verification of your processes and safeguards? (The successful completion of the Service Organization Control Reports® Type 2 compliance examination is an arduous exercise for your vendor, but the most comprehensive. Just ask your vendor for their SOC 2 report.)
Related Content: Event Tech Security: What We Learned and Why SOC2 Matters [blog post]
2. Content Management Website—You will upload your information to the vendor’s content management system (CMS), which is itself a web application that has potential security flaws.
Q1: Is your content management website regularly tested by a third-party security company for vulnerabilities so that my information is safe from hackers? Can I see the report?
3. Server Security—Once your information is stored on the vendor’s server, it is open to a variety of network and infrastructure attacks.
Q1: Are your server and network infrastructure penetration tested by a third-party security company? (In other words, can someone break into your server and access my information?) Can I see the report?
4. Data Transport with End-to-End Encryption—Your data moves around more than you think. Is it transported securely?
Q1: Can you verify that the data is encrypted end-to-end—on your server, during the transit over the Internet to the app and on the user devices as well? (This can be verified on the SOC 2 report.)
Q2: Are the connection points between the content management website and the mobile app secured with HTTPS, that is, TLS (the successor to Secure Sockets Layer, SSL)?
Q3: Is the data encrypted at rest on all devices using strong, current encryption?
5. App on Apple and Google Stores—When your app is on an app store, anyone in the world can download it. Is it secure? Your app has two primary components: the vendor’s code base and your meeting data. Only the vendor’s code should be available on the app store. Your event, attendee and presentation data should be downloaded later, once the app is in use. Otherwise, any hacker can download the app from the store, work to access any data contained within the initial package and potentially get to your information.
Q1: Does a third-party security expert regularly evaluate the app’s code base to be sure it is solid and secure?
Q2: Is my meeting information shipped separately from the app’s code base and not included with the initial package on the app stores?
6. App on the End-User Devices—The app should contain only the code base when a meeting participant downloads the app. When the participant logs into the app, the server will confirm their login and their rights to view specific information. The server will then send only that person's encrypted relevant data back to the app. That way, there is no data anywhere on the device that the user does not have rights to access.
Q1: Is the data pulled into the app based on the access rights of the person opening the app?
Q2: Are presentations and attachments encrypted, stored on the server and accessible only through expiring URLs so they cannot be shared outside the app?
7. Accessing the App—After being assured that the data being sent down to your app is secure, you’ll want to be certain you have plenty of login options. For example, one event may have very sensitive information being shared, and you want the app to require tightly secured upfront password authentication for that event. Another may need a looser approach, with a single code that all participants use to access that event’s information. Your events are likely different from each other, so your vendor should offer different login options for each event within the same app.
Q1: What login options do you offer?
Q2: Can I choose different types of logins for each unique event in my app?
8. Attendee Privacy—Finally, it’s important to be respectful of attendee information. You should have control over which attendee information is displayed and which isn’t. Your participants should also have control over their profiles.
Q1: Can I hide specific participants from the app’s display list?
Q2: Can my attendees proactively display or hide their own profile information?
Q3: Are attendees able to choose whether or not to allow messages from other attendees?
Q4: Are you certified under the EU-US Privacy Shield program? (This is a framework designed by the US Department of Commerce and the European Commission to provide companies with structure for adhering to data protection requirements when transferring personal data from the European Union to the US in support of transatlantic business. For more info, see https://www.privacyshield.gov/Program-Overview.)
Related Content: 5 Vital Security Questions to Ask Your Event App Vendor [checklist]
Your event app vendor (and indeed all event technology providers) should be focused on security and willing to supply you with reports verifying their compliance and safeguard systems. Talk to your vendor. Ask questions. Ask us questions. We'd be happy to talk it through with you. Be sure your most important information is top-to-bottom secure.