Data Security In Virtual Events: Lessons From 3.78M Events by Remo CEO Hoyin Cheung by Roberto Popolizio

Roberto Popolizio

Published on: June 27, 2024

Welcome to another interview by Safety Detectives, where executives from the best companies in the world analyze the current state of cybersecurity and online privacy in their industry, and share their security tips from decades of direct experience.

Our guest today is Remo CEO, Hoyin Cheung.

Remo is a virtual events platform born from the need to create spaces where people can engage authentically and build lasting relationships. As of 2024, they have helped more than 66,000 event hosts from 105+ countries host over 3.78 million Virtual events that rival the experience of in-person ones.

We looked at what cyber threats are most common and dangerous for virtual events, and how Remo responded to the ones that targeted their events and people. We then looked at the security stack and habits of a high-level entrepreneur like Hoyin, and the #1 tip from his experience dealing with cyber attacks.

What are the most common or overlooked cyber threats that you see in your industry? Why is your industry particularly susceptible to these threats?

In the virtual events industry, one of the most common yet often overlooked cyber threats is data breaches through phishing attacks. Our industry is particularly susceptible because virtual events involve a high volume of participant data exchanges—from registration details to interactive sessions. This extensive data interaction provides numerous entry points for cybercriminals, making our industry a lucrative target.

In 2020, Forbes highlighted a 1,000% increase in cyberattacks on virtual and hybrid events within the first few months of the pandemic. Although this problem has likely improved with advancements in virtual event quality, it remains a critical concern that event professionals must address.

☣️ Common signs of a phishing attack during virtual events:

• Impersonation of trusted entities: Phishing emails may appear to be from the virtual event organizers, sponsors, or other legitimate entities, using similar branding and domain names to appear credible.*
• Urgent or threatening language: The emails may create a sense of urgency, such as claiming there is an issue with your registration or payment that requires immediate action.
• Requests for personal or financial information: you may be asked to click a link or download a file to “update” your event registration details, login credentials, or payment information. DO NOT DO IT.
• Suspicious links and attachments: Links in the message may lead to fake websites designed to steal your information. Attachments could contain malware.
• Poor grammar and spelling errors: AI-generated phishing content may have improved, but many emails still exhibit telltale signs of being fraudulent
• Targeting through social media: Scammers may try to capitalize on the increased online activity around the event to distribute malicious content.

* The most creative phishing attacks I have seen were the ones where someone impersonated me and emailed people to transfer funds.

Can you share any real-world examples of when such risks materialized? What damage did they cause?

A real-world example that sticks out occurred a couple of years back with a competing platform. They experienced a sophisticated phishing attack where attackers impersonated event organizers.

The attackers sent fraudulent emails to participants, directing them to a fake event login page designed to harvest credentials. The breach exposed sensitive participant information and disrupted the event, causing significant reputational damage and financial losses due to refunds and increased security measures.

The lesson here is that the human element remains the weakest link in cybersecurity. It underscores the need for constant vigilance, regular training on cybersecurity best practices, and the implementation of robust, multi-layered security protocols to safeguard against these evolving threats.

Have you or your organization experienced any cyber threats or incidents? If so, can you describe what happened and what lessons you have learned from these episodes?

Yes, our platform, like many in the tech industry, has faced its share of cyber threats.

In one instance, we encountered a DDoS (Distributed Denial of Service) attack aimed at disrupting our services during a major event. Although the attack was mitigated without significant downtime, it was a wake-up call. It reinforced our commitment to ongoing security training and the implementation of advanced monitoring tools to detect and prevent such incidents proactively.

The key lessons learned were the importance of having robust, scalable defensive mechanisms in place and ensuring our team is equipped to respond swiftly to any threats.

Besides that, while we’ve been fortunate enough not to have suffered a major breach ourselves, the frequent reports of breaches in our industry have led us to revamp how we store and handle information. We’ve moved towards more encrypted storage solutions, enhanced our data access policies, and increased our investments in cybersecurity technologies.

Has any particular legislation related to data privacy, data retention or the like, affected you in recent years, and how?

Recent data privacy laws, such as the GDPR in Europe and similar regulations in other regions, have significantly impacted how we manage data. Compliance has required us to overhaul our data handling practices, ensuring transparency with our users about how their data is collected, used, and stored. It’s also pushed us to implement stricter consent mechanisms and improve our data security measures.

While these changes were challenging, they have ultimately enhanced trust with our users and strengthened our reputation for data protection.

Can you please share the top things everyone needs to know to properly store and protect their customers’, personal, and/or company’s data?

With the rising threat of AI impersonation, we all need multiple channels to confirm the identity of individuals. Surely tools have improved in general, but a new set of solutions to defend against AI is needed.

What cybersecurity practices and habits do you apply in your daily work and life?

• Strong Passwords and Authentication: I use complex passwords combined with multi-factor authentication for all critical accounts.
• Regular Updates: Keeping software and devices updated is crucial; I ensure all patches and security updates are applied promptly.
• Secure Connections: I use VPNs when accessing public Wi-Fi and ensure secure connections for all data transmissions.
• Phishing Awareness: I maintain a high level of vigilance against phishing attempts, regularly training and reminding myself to scrutinize emails and messages carefully.

And here are the steps we are taking to improve data protection for our company and customers.

• Enhancing Security Infrastructure: We are continuously upgrading our security infrastructure with the latest technologies to safeguard against new threats.
• Rigorous Testing and Monitoring: Implementing more rigorous penetration testing and continuous monitoring of our network and systems.
• Data Privacy Framework: Developing a comprehensive data privacy framework that adheres to global standards, ensuring our customers’ data is handled with the utmost care and compliance.
• Stakeholder Engagement: We engage regularly with security experts and our customers to gather feedback and insights, which help us refine our security and data protection practices.