Hackers love events. Why aren’t more CISOs paying attention?

When CISOs think about risk, they usually think about cloud platforms, laptops, and data centers. But live events like conferences, trade shows, product launches, and shareholder meetings bring a different kind of cybersecurity exposure. These events gather people, devices, and sensitive information in one place, often for just a day or two. That makes them an appealing target.

Events also combine digital and physical systems. A vulnerability in one area can lead to a breach in the other. Yet many organizations still treat events as a logistics issue rather than a security issue.

Events are a risk magnet

Attackers look for weak points. Events often have several:

• Temporary networks: Many events rely on public Wi-Fi or bring-your-own access points. These aren’t always secure.
• High travel volume: Employees attend events with laptops and phones that may be less protected than usual. Some are using personal hotspots or USB chargers in public places.
• Public schedules: Speaker lists, session topics, and event hashtags can give attackers all the intel they need to create convincing phishing campaigns.
• New or untested tech: Events may use mobile check-in apps, NFC badges, QR codes, and kiosks. All of these can be compromised.

Many event security problems start with physical access. A vendor, attendee, or even someone pretending to be part of the AV crew might find their way into restricted areas or plug devices into open ports.

There’s also a rise in tech that blends physical presence with digital access, such as smart badges that double as NFC login keys or interactive displays that connect to backend systems. These setups might be common at events, but they’re rarely audited the way internal systems are.

Even something as simple as a promotional USB drive can pose a risk.

When planning a live cybersecurity event, risk management starts long before the first keynote kicks off. For Hrvoje Englman, CISO at Span, who was involved in securing the Span Cyber Security Arena conference, the approach is no different than running any other business operation.

“You begin by asking what needs to go right for attendees to have a great experience,” he said, “or you can approach it from the other side and ask what could go wrong.”

That dual perspective became crucial as his team explored ways to modernize the attendee experience, starting with the event program. One proposal on the table was to replace printed schedules with an AI-powered chatbot app that could provide real-time updates and personalized session recommendations.

“The idea was appealing because it could offer personalized session recommendations based on user input, and it would allow us to send real-time updates and adjust the schedule dynamically,” Englman explained.

But the trade-off was data. Implementing the chatbot would have required collecting and storing additional personal information from attendees, raising serious questions about security and regulatory compliance.

“In the end, we decided the risk was too high and returned to printed programs,” he said. Of course, that decision brought its own risks. A printed schedule can’t update itself, and live events come with moving parts. When speakers drop out or sessions change at the last minute, gaps can quickly appear.

Then there’s the matter of infrastructure. For an event built around hands-on learning and live demonstrations, a stable internet connection is essential. That reality became painfully clear when planning the Capture The Flag competition and Masterclass sessions.

“Based on our experience with other conferences, we knew that relying on hotel Wi-Fi and personal hotspots was not a reliable option,” Englman said. “To mitigate that risk, we set up our own redundant internet connection.”

The result was a smoother, more secure event that balanced innovation with operational caution. It is a lesson that applies as much to boardrooms as it does to conference centers.

Event security deserves a cyber mindset

Many of the biggest risks around live events do not come from inside the venue. They originate online, days before anyone arrives.

“The most overlooked risk that we see a lot is malicious domain infrastructure tied to event-related phishing, scams, and impersonation,” Abu Qureshi, Threat Research and Mitigation Lead at BforeAI, told Help Net Security. “Bad actors love high-attention events. They register lookalike domains offering fake ticket sales, fake live streams, fake promotions, and even malicious QR codes tied to the event branding.”

These fake sites and domains can slip past security teams, especially when multiple departments are involved in planning and marketing the event. In many cases, they are not even reported until attendees flag them.

Another problem area is vendor exposure. Events often bring in a range of third-party services, from media crews to registration platforms and badge printers.

“Another area that’s routinely missed is third-party vendor exposure,” Qureshi said. “Media teams, event tech platforms, and even badge printing services often have weak cyber hygiene. A compromise there can lead to attendee data leaks or even network access during the event.”

Bad actors also do not operate manually anymore. Qureshi pointed out that many threat campaigns are now automated and spin up infrastructure in advance of major events, often using AI-generated content or phishing kits to scale quickly.

“People underestimate how much threat actors automate around events,” he said. “We’ve tracked campaigns where malicious infrastructure gets stood up days before the event to harvest credentials, spread malware, or run crypto scams. If you’re not doing proactive monitoring of the external attack surface, anticipating the takedown and disruption, and early threat discovery, you’re flying with limited visibility.”

Planning ahead: What CISOs can do

“The CISO is now expected to take a holistic approach that blends physical and cyber security,” said Qureshi. “We’re dealing with convergence of both of these elements.”

That convergence shows up in all kinds of ways. On the technical side, CISOs are managing wireless threat detection, event-specific network segmentation, and rogue access point monitoring. But the risks don’t stop there.

“CISOs have to be thinking about things like live threat monitoring across Wi-Fi, securing the event network infrastructure, and identifying rogue access points,” Qureshi explained. “But they also have to anticipate things like credential phishing tied to event registration, malicious domains mimicking the event, or coordinated campaigns using the event as a lure, especially if the event has media attention or brand value.”

Events need to be treated like any other operational risk. That means getting security involved early, not the week before showtime. Here are a few steps CISOs recommend:

Review vendors: Registration tools, mobile apps, badge providers, and AV contractors should go through the same third-party risk checks as other vendors.

Segment the network: Create a separate network for internal staff. Don’t rely on public Wi-Fi, and if you must, use VPN and monitoring tools.

Apply zero trust ideas: Limit who can access what, even within your event team. Assume every device is potentially compromised.

Train staff: Before employees attend an event, give them a quick rundown of what to avoid, such as unknown USB drives, suspicious QR codes, and unverified Wi-Fi.

Watch for phishing: Attackers may send spoofed messages to attendees before, during, or after the event. Keep an eye out for this.

Some organizations also run their own mini-SOC for high-profile events. Even if that’s not feasible, having someone monitoring things in real time, like network behavior or suspicious logins, can make a difference.

Events with a strong brand or public profile often attract not just opportunists but motivated attackers looking to embarrass or exploit the organization. That has brought a new set of responsibilities to the CISO’s desk.

“In many cases, I’ve seen the expectation shift toward the CISO also advising on reputational risk and disinformation threats,” Qureshi said. “Especially when events are being targeted by hacktivists or financially motivated actors using lookalike infrastructure or fake promotions.”

This shift means that securing an event now includes monitoring for impersonation, handling takedown requests for spoofed sites, and working with communications or legal teams in real time if something goes wrong. For many CISOs, it is unfamiliar ground but increasingly unavoidable.