This new guidance is building upon existing NCSC Cyber security advice for Major Events, (read first) this covers the fundamentals of; governance, risk assessment, incident management, testing and exercising.
This new guidance focuses on; cyber risk analysis, the selection of suppliers and the assurance process. This new advice is intended to cover both the physical and virtual aspects of high-profile conferences. Often they can be targeted by potential attackers and incidents can have a much bigger reputational impact on the event organisers.
Whilst most conferences are often held in public and their content is only occasionally of a sensitive nature. As a result, these events sometimes receive less attention from a cyber security point of view, than they should.
By overlooking the cyber risks, if a high profile event were to become compromised, the resulting disruption and reputational damage could become very serious.
How do you understand the cyber risks which your event faces?
The topics covered by a conference and the profile of the attendees will influence the level of threat that your event faces. This in turn will determine the kind of protection that's needed. So, an important first step should be to consider the circumstances of your specific conference and potential threat actors.
What are the key risk considerations for a virtual or in-person event?
Disruption by uninvited or misbehaving guests
Denial of service attacks
Insider threat
Compromised supplier or administrator account
Defacement of websites/portals
Sensitive data
On-site risks
How do you manage the risks you've found?
It's important to gain confidence that the security of your solution is appropriate for the risks you have identified. Your assessment of this should involve evidence provided by those delivering the service and/or evidence gathered independently.
NCSC Cloud security principles can be used as a guide.
Seek Independent assurance.
Suppliers should be able to demonstrate that they are protecting exposed interfaces using an architecture with strength-in-depth and, for example, are using Web Application Firewalls to protect against common web-based vulnerabilities.
Independent pen tests and audits should be carried out where possible.
For very high-profile events, it may be possible to arrange for NCSC Active Cyber Defence services to be provided before and during the conference, which could be useful in highlighting vulnerabilities or detecting threat activity against a supplier.
What risks could I face in a physical venue?
Where there is a physical venue for the conference, there are other aspects to consider. These include the provision of internet access for delegates and other visitors, as well as the protection of any smart or network-based functionality in the venue itself. A cyber attack against any of these could be disruptive and potentially cause a significant impact.
Internet access is likely to be required for delegates and the press attending conference venues. Network monitoring and active management is recommended, to detect and counter any malicious activity or problems caused by misconfigured guest devices.
The venue should be assessed to determine whether there are any on-site networked systems for building management, such as heating, ventilation, air-conditioning, lighting, fire or security alarms.
The security and resilience of third-party services may also need to be considered by event organisers. For example, those relating to guest transport or security staff.
Review the 'Cyber security for high profile conferences' guidance on the NCSC website.
