Data breaches can cost your club in a variety of ways - namely in revenue and member confidence. The costs of fines, credit card replacements, legal fees and audits can all add up pretty quickly.
The frequency of data breaches — the theft, loss or mistaken release of private information — is rising. And it's not just a big business problem. Small and mid-sized businesses with fewer data security resources are particularly vulnerable.
Heard about the recent Equifax data breach? This data breach is among the worst ever because of the number of people affected and the sensitive type of information exposed. The company estimates that as many as 143 million people in the United States were involved in this monumental hit. Credit card numbers for about 209,000 U.S. customers were compromised, in addition to "personal identifying information" on about 182,000 U.S. customers.
Here’s a list of the average costs your business could sustain in a data breach:
- Merchant processor compromise fine: $5,000 – $50,000
- Card brand compromise fees: $5,000 – $500,000
- Forensic investigation: $12,000 – $100,000
- Onsite QSA assessments following the breach: $20,000 – $100,000
- Free credit monitoring for affected individuals: $10 – $30 per card
- Card re-issuance penalties: $3 – $10 per card
- Security updates: $15,000+
- Lawyer fees: $5,000+
- Breach notification costs: $1,000+
- Technology repairs: $2,000+
- Loss of member confidence: health clubs often lose 40% of members after a breach.
All in all, the total cost of a data breach could ultimately spell the financial end to your business.
As a result, it's important for even small & medium-sized health clubs to take steps to protect against a data breach.
Here are 3 easy steps:
#1: Train Your Staff
When it comes to PCI compliance and your health club, a trained staff is the golden foundation on which your compliance status rests. It's as simple a task as it is daunting.
Employee training is the first step to ensuring your club's security. Nobody spends more time in and around your system than your employees do. It is extremely important for them to get a good grasp of what their role is as it relates to your members' credit card data security.
When it comes to employees, the health club industry has a high rate of turnover. In order to ensure standardized security protocols throughout your club, you can establish PCI Security Awareness training as part of your onboarding process.
Depending on the role of a particular employee, the training can range from foundational to intensive, based on that employee's proximity to credit card data. You can learn more about roles and standardization in the PCI Security Awareness best practices sheet.
Another option you can look into is an investment in software training via your club management software provider. You'll find that a lot of the time there are processes or "ways of doing things" at your club that, while they work, are not necessarily secure and do not get the most out of your software. An investment in software training can help you streamline the process of training your staff, while allowing you to get the most out of your software investment.
No employee wants to be the source of a security breach. If you spend just 1 hour per year on security awareness for your employees you will begin to see improvement year over year. Annually, that’s just .0005% of their time.
Here's the bottom line: if you hope to become PCI compliant, a trained staff is the first and most important step towards achieving it.
#2: Restrict Unnecessary Access
Security always starts with control. And it’s hard to have control when many people at your organization have administrative privileges. When I say administrative privileges, I mean the highest level of permission granted to a computer, system, environment, network, or server user. In short, admins have more privileges than normal users.
Administrative privileges allow the user to (among other things):
- Turn on and off their anti-virus scanning
- Add new users
- Turn on/off event logging
- Download and install new programs
- Gain access to OS or system software
- Pretty much do anything they want…
So what’s the problem with allowing users more rights?
When an attacker enters a network, one of the first things he does is try to escalate his user privileges. Attackers can typically extract sensitive information from a system, and move through a network, more easily if they have administrative privileges.
See how this could have the potential to be destructive? Poorly managed administrative privileges make privilege escalation easier. Reducing privileges among staff helps prevent your system from being broken, and broken into, whether intentionally or unintentionally.
If you reduce the number of people who have admin rights, you reduce your risk.
Good rules of thumb for assigning privileges
- Only trusted people at your club should have administrative privileges, such as IT administrators.
- Limit highly privileged accounts to logging on to secure systems only. This reduces the chance of exposing their credentials on higher-risk computers. In other words, don’t use the same admin login credentials for critical servers and office workstations.
- When logged in as an administrator, don’t use your email account. Limit your access to the Internet to known trusted sites. This reduces the risk of accidental malware installation, phishing attacks, etc.
- The best way to give the right people the right permissions is through role-based access. In a nutshell, it means users are only allowed the bare minimum access that their job requires. That way they don’t have access to anything they don’t need.
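One way to check the first rule of thumb on a Windows workstation or server is to compare the members of the local Administrators group against a short list of approved admin accounts. The script below is an added example, not code from the original post or from any club management vendor; it assumes Windows with PowerShell 5.1 or later (where the Get-LocalGroupMember cmdlet is available), and the approved account names are placeholders to be replaced with the club's own.

```powershell
# Added example (not from the original post): flag every account that holds
# local administrator rights but is not on the approved list.
# ASSUMPTION: Windows, PowerShell 5.1+. The names below are placeholders.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # placeholder: built-in admin, ideally disabled
    'CLUB\itadmin'                        # placeholder: the IT administrator's admin-only account
)

# Get-LocalGroupMember returns Name (as COMPUTER\user or DOMAIN\user),
# ObjectClass (User/Group) and PrincipalSource (Local/ActiveDirectory/...).
$Members = Get-LocalGroupMember -Group 'Administrators'

$Unexpected = $Members | Where-Object { $ApprovedAdmins -notcontains $_.Name }

if ($Unexpected) {
    foreach ($m in $Unexpected) {
        Write-Output ("REVIEW: {0} ({1}, {2}) has local admin rights on {3} but is not approved" -f
            $m.Name, $m.ObjectClass, $m.PrincipalSource, $env:COMPUTERNAME)
    }
} else {
    Write-Output "OK: only approved accounts hold local admin rights on $env:COMPUTERNAME"
}
```

Run it on each front-desk workstation and POS machine; any account it reports as REVIEW is a candidate for removal from the Administrators group (or for a separate, lower-privilege everyday account, in line with the second and third rules above). Nested groups such as "Domain Admins" show up as a single Group entry, so keep those on the approved list only if the club really intends every member of that group to be a local admin.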
#3: Keep Your Club Management Software Up to Date
The third aspect of control we need to discuss is software patching. Software developers will never be perfect, so they regularly release updates to patch security holes. Security is the #1 reason to update your club management software.
Why? Once a hacker knows he can get through a security hole, he passes that knowledge on to the hacker community, which then exploits it.
Where should you install updates?
- Operating systems
- Club management software
- Internet browsers
- POS terminals
- Other critical software
Be vigilant about consistently updating your club management software. Keep in mind that some software and browsers can become so outdated that the creators stop supporting them. For example, on January 12, 2016, Microsoft stopped providing technical support and security updates for older versions of Internet Explorer, and Jonas Fitness will soon stop providing technical support and security updates for V2, V3 & V4. In cases like these, the best option is to upgrade to the latest supported version.
Because hackers have an unlimited amount of time to look for vulnerabilities, they can and do find and exploit them. That’s why it’s important to update your systems and applications to reduce the number of exploitable vulnerabilities.
Don’t forget about other critical software installations like credit card payment applications. In order to maintain Payment Card Industry PA-DSS compliance, your payment applications must be properly configured and have the latest updates and patches. The same principle applies to POS terminals as well.
All of these systems and applications have notification lists, and some have forums you can participate in to receive notifications about security updates. Talk to your club management software provider about how often they release updates and try to get on a notification list. You should never have to search for these updates; you should always be notified when they are available.
Published updates often contain essential security enhancements that correct vulnerabilities in existing versions.
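A simple way to tell whether the operating-system part of the list above is actually being kept current is to look at when the last update was installed on each machine. The script below is an added example, not code from the original post or from any vendor; it assumes a Windows workstation or POS machine with PowerShell, and the 30-day threshold is a placeholder for whatever patching cadence the club agrees with its IT vendor.

```powershell
# Added example (not from the original post): report the age of the most
# recently installed Windows update and flag machines that have gone stale.
# ASSUMPTION: Windows with PowerShell; $MaxAgeDays is a placeholder threshold.
$MaxAgeDays = 30

# Get-HotFix lists installed updates (HotFixID such as KB..., InstalledOn as a date).
# Some entries carry no InstalledOn value, so those are skipped before sorting.
$Latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 1

if (-not $Latest) {
    Write-Output "REVIEW: no installed updates recorded on $env:COMPUTERNAME; check Windows Update"
} else {
    $AgeDays = ((Get-Date) - $Latest.InstalledOn).Days
    if ($AgeDays -gt $MaxAgeDays) {
        Write-Output ("REVIEW: last update on {0} was {1} installed {2} ({3} days ago, threshold {4})" -f
            $env:COMPUTERNAME, $Latest.HotFixID, $Latest.InstalledOn.ToShortDateString(), $AgeDays, $MaxAgeDays)
    } else {
        Write-Output ("OK: last update on {0} was {1} installed {2} ({3} days ago)" -f
            $env:COMPUTERNAME, $Latest.HotFixID, $Latest.InstalledOn.ToShortDateString(), $AgeDays)
    }
}
```

This only covers Windows itself; club management software, browsers and payment applications have their own update mechanisms, so a REVIEW result here is a prompt to check those too, and an OK result does not mean the other items on the list are current.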
Make it so….
Now that you understand some of the data security best practices that increase organizational security and can prevent future data breaches, go implement them! If any of these tips seem overwhelming, make a plan to implement them, or to check that they are correctly implemented, by the end of the year. If you simply don’t know how, contact your IT vendor, or speak with one of the Tier 2 technical consultants.