
XFAIR’s IT Security Officer on Risks at Events and Preventive Measures
These days, the constant expansion of technological innovation is enabling increasingly complex solutions in many areas of life. However, it also gives hackers around the world the opportunity to target a wide range of datasets with sophisticated strategies. This is why IT security is particularly important for organisations whose core business involves processing (personal) data. As an IT service provider for events and trade fairs, XFAIR falls squarely into this category. In the following interview, our IT Security Officer, Mr Schröder, explains which measures are applied internally and externally to keep the risk of a data leak as low as possible.
Mr Schröder, as IT Security Officer at XFAIR GmbH you deal every day with potential risks to internal and external datasets and how these can be mitigated. Where do you see these risks as most acute?
A threat to information security is, of course, always present. Reducing risk to zero is not possible. However, an acute risk exists during live operation at the trade fairs and events themselves. There we have a large number of people and users with very different levels of knowledge regarding IT security, some of whom have received little to no training in the safe use of software. In addition, the on-site situation can sometimes be quite confusing due to the sheer number of people. This increases the risk of equipment being stolen. The risk of third parties viewing information while devices are being used is also continuously present. That’s why I would see a risk peak during the live event period.
In XFAIR’s day-to-day internal business, the risk is relatively constant due to the regular availability of datasets from the start of a project through to its end. So I wouldn’t see a peak where you could say it is particularly critical at the beginning or end of a project. The basic principle is: when processing data, risk is never zero. Zero does not exist in this context. You can only reduce it as far as possible.

What measures does XFAIR use to ensure these risks are kept as low as possible?
XFAIR recognised very early on that a range of policies, requirements and processes are needed to ensure an adequate level of IT security. This is about safeguarding the three principles that primarily come from the GDPR context — availability, integrity and confidentiality. Initially, the risk is data loss or a leak, meaning that personal data ends up somewhere outside the organisation. Of course, accidental deletions are also a possibility. That’s why there is a wide range of technical and organisational measures (TOMs): from basic back-up strategies and security and access concepts through to procuring services from external partners for security measures.
However, the biggest risk factor remains human error. The most important measure here: training, training, training. Raising awareness is taken very seriously. At some point, we also realised that a simple ISMS (information security management system) is not enough, as our customers require a higher standard and, above all, evidence. That’s why we decided to obtain ISO 27001 certification, which we implemented and achieved in 2022 to be able to demonstrate a certain level of information security. That doesn’t mean we didn’t already have this ambition before — but since certification, we have official proof.
The ISO certificate is initially valid for three years. You have the initial certification, followed by two surveillance audits where it is checked again whether everything works and whether everything we have claimed is actually being implemented. From the third year, there is the so-called recertification — essentially like an initial assessment again — where you have to demonstrate that you are up to date, have continued to develop, and are aligned with the latest state of the art.

So XFAIR is ISO-certified. What does this certification involve, and why is it so important for companies in the IT sector?
ISO is an internationally recognised standard that defines certain guidelines, requirements and procedures for products, processes and services. It therefore serves as a seal of quality and also makes the whole topic comparable. ISO 27001 provides evidence that we have implemented a certain level of information security. It defines exactly where policies must be in place, which processes must be documented and what they must include at a minimum. This means (potential) customers can easily see that XFAIR has achieved a certain level — a minimum level, if you will — in terms of information security. It creates a basis of trust even before a project begins. Given the importance of IT security, it is currently the case that without such certification you often have hardly any chance in tenders, simply because you lack proof that you can ensure an appropriate level of information security. That proof is what this ISO certificate provides.
XFAIR continuously works on improving internal and external security measures and regularly trains staff in everyday preventive actions as well as in handling security incidents. If you have questions about certification and how this expertise is applied in the trade fair and office environment, you can contact us at any time via our contact form. More information about our services in the hardware and software areas can be found in the topic-specific interviews in the XFAIR blog listed below.