It seems like you hear it in the news every week – a server is hacked and customer data is compromised. Companies don’t always realize immediately that data has been stolen, if they realize it at all. As a consumer, you worry that you will be one of the unlucky people receiving a notification that an unauthorized individual has your confidential information – your banking information, your credit card number, or worse yet, your social security number. It is impossible to put a specific cost on identity theft and fraud for the financial services industry – but we all pay these costs through the increased bank and merchant fees charged.
With the birth of the Internet, the information age really began. People have access to information almost instantaneously with one click of a mouse. As the demand for Internet access has increased, prices have dropped, and there are more and more users taking advantage of the wonderful world of the Web. An often overlooked side effect of this access is that your “wired” PC is now vulnerable to attacks by people elsewhere on the Internet.
You learned about firewalls to protect your PCs last month; what about your data? The health club industry has been using computers for years to store member information for various purposes. Whether the data is used to track member usage, schedule programs or bill the member for services rendered – there is valuable and confidential information stored at the front desk of most health club facilities. You want to do everything possible to protect your members’ data from unauthorized access. You don’t want to be the one placing calls or mailing letters to your members because there has been a security breach and their private data has been stolen.
What are some simple steps you can take to ensure your database is protected? Make sure that the software used to store your valuable data requires a unique log-in name and password for access. Don’t use a simple password that others may guess – avoid using the name of your spouse, your child or your pet. Further complicate your password by using a combination of numbers and upper- and lower-case letters.
What about your users? Don’t let staff members share log-in names and passwords for the database. If someone leaves your employment, voluntarily or otherwise, disable their user account immediately. Don’t give every staff member full rights to your entire database. Make sure the software package you use allows you to limit staff access to those pieces of information necessary to perform their job responsibilities, and nothing more.
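As an added illustration of the rules in the last two paragraphs (this is example code written for this column, not code from the article or from any software package it mentions): a small Go model of a staff directory that refuses duplicate log-in names, a password check that applies the article's rules, and a field-level view that gives each role only what its job needs and refuses disabled accounts. The role names, the field lists per role, the banned-name list and the sample member record are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Role names are assumed for this example; the article only says access should
// be limited to what each staff member's job requires.
type Role string

const (
	RoleFrontDesk Role = "front-desk"
	RoleBilling   Role = "billing"
	RoleManager   Role = "manager"
)

// allowedFields lists, per role, the member-record fields that role may read.
// Anything not listed stays hidden, so the default is least privilege.
var allowedFields = map[Role]map[string]bool{
	RoleFrontDesk: {"name": true, "memberID": true, "checkedIn": true},
	RoleBilling:   {"name": true, "memberID": true, "cardLast4": true},
	RoleManager:   {"name": true, "memberID": true, "checkedIn": true, "cardLast4": true, "ssn": true},
}

// Account is one staff log-in; Directory holds them keyed by log-in name.
type Account struct {
	Login    string
	Role     Role
	Disabled bool // set the moment someone leaves; the record is kept for audit
}

type Directory map[string]*Account

// Add refuses a log-in name that already exists, so two staff members can never
// end up sharing one set of credentials.
func (d Directory) Add(login string, role Role) error {
	if _, exists := d[login]; exists {
		return fmt.Errorf("log-in %q already exists; every staff member needs their own", login)
	}
	d[login] = &Account{Login: login, Role: role}
	return nil
}

// CheckPassword applies the article's rules: at least eight characters, none of
// the guessable names on the caller-supplied banned list (spouse, child, pet),
// and a mix of digits, upper- and lower-case letters.
func CheckPassword(pw string, banned []string) error {
	if len(pw) < 8 {
		return fmt.Errorf("password must be at least 8 characters")
	}
	lower := strings.ToLower(pw)
	for _, name := range banned {
		if name != "" && strings.Contains(lower, strings.ToLower(name)) {
			return fmt.Errorf("password contains the guessable name %q", name)
		}
	}
	var hasUpper, hasLower, hasDigit bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	if !hasUpper || !hasLower || !hasDigit {
		return fmt.Errorf("password needs upper-case letters, lower-case letters and digits")
	}
	return nil
}

// Member is a constructed sample record; the values are made up.
type Member map[string]string

// View returns only the fields the account's role may see and refuses unknown
// or disabled log-ins outright.
func (d Directory) View(login string, m Member) (Member, error) {
	acct, ok := d[login]
	if !ok || acct.Disabled {
		return nil, fmt.Errorf("log-in %q is unknown or disabled", login)
	}
	out := Member{}
	for field, value := range m {
		if allowedFields[acct.Role][field] { // nil map for an unknown role yields false
			out[field] = value
		}
	}
	return out, nil
}

func main() {
	dir := Directory{}
	_ = dir.Add("pat", RoleFrontDesk)
	m := Member{"name": "A. Example", "memberID": "1001", "cardLast4": "1111", "ssn": "000-00-0000"}
	view, _ := dir.View("pat", m)
	fmt.Println("front desk sees:", view) // name and memberID only
	dir["pat"].Disabled = true // staff member has left
	_, err := dir.View("pat", m)
	fmt.Println("after leaving:", err)
}
```

The front-desk view never contains the card digits or the social security number because those fields are simply not on its list; adding a new sensitive field to the record hides it from everyone until a role is explicitly granted it, which is the safe direction for a default.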
What about protecting the data itself? You want to check with your software provider to make sure that they use a minimum of 128-bit encryption to protect account numbers. Using encryption, you alter the contents of a file so it is unreadable without the unlock code or “key.” If an unauthorized individual manages to get your confidential files, the encryption will render the information useless.
What about the extract file created for billing purposes? Health clubs were ahead of the curve when it came to billing their members electronically for membership dues on a recurring basis. Most software packages have a built-in extract that produces a correctly formatted file to be sent to a bank or credit card company for processing. The major area of concern for you is that these files are often plain text files, easily readable by many off-the-shelf word processing or spreadsheet software packages. You need to verify with your software provider that this extract file is encrypted.
The extract file is created and ready to go; now what? When transmitting your file(s), do not use email as a sending mechanism. Email is inherently one of the most insecure methods of transmission over the Internet. Verify that you are using a secure website for transmission purposes. A secure website is identified by a padlock displayed in the bottom right corner of the screen.
How will the bank read your encrypted file? The bank would only be able to read your file if you gave them your encryption key. The difficulty arises at this point – there are numerous methods used for encryption purposes. It is nearly impossible for a bank to track and maintain the encryption keys for various software packages. It is often easiest for you and your bank if you use a software provider that handles the billing processing for you. The software provider should have the encryption built in, a method for secure transmission and the ability to decrypt their own files.
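To make the last three paragraphs concrete (an encrypted extract is useless to anyone who gets hold of it, and the bank can read it only if it has your key), here is an added Go example; it is not code from the article or from any software provider. It assumes AES-128-GCM as the 128-bit cipher, since the article does not name one, and uses a constructed sample extract with made-up account numbers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleExtract is a constructed billing extract in the plain-text shape the
// article warns about; the account numbers are made up.
const sampleExtract = "MEMBER,ACCOUNT,AMOUNT\n" +
	"1001,4111111111111111,49.00\n" +
	"1002,5500000000000004,29.00\n"

// NewKey returns a random 128-bit (16-byte) AES key, the minimum strength the
// article asks for. This key is the "unlock code" the bank would need from you.
func NewKey() ([]byte, error) {
	key := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals the extract with AES-128-GCM. GCM also authenticates the data,
// so a tampered file is rejected on decryption rather than silently accepted.
// The random nonce is prepended so the recipient needs only the key and the blob.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. With the wrong key, or with any byte of the file
// changed, it returns an error and no plaintext at all.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("encrypted file too short")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// ContainsCardNumber reports whether a run of 16 digits appears in the data,
// i.e. whether a spreadsheet or word processor could read account numbers
// straight out of the file.
func ContainsCardNumber(data []byte) bool {
	run := 0
	for _, b := range data {
		if b >= '0' && b <= '9' {
			run++
			if run >= 16 {
				return true
			}
		} else {
			run = 0
		}
	}
	return false
}

func main() {
	key, _ := NewKey()
	blob, _ := Encrypt(key, []byte(sampleExtract))
	fmt.Println("plain extract exposes card numbers:", ContainsCardNumber([]byte(sampleExtract)))
	fmt.Println("encrypted extract exposes card numbers:", ContainsCardNumber(blob))
	wrongKey, _ := NewKey() // what the bank has if you never gave it your key
	_, err := Decrypt(wrongKey, blob)
	fmt.Println("bank without the right key gets:", err)
}
```

Encrypting the file solves the "readable by any spreadsheet" problem but not the key-handling problem the article raises: the bank still has to receive your key through some separate, secure channel, and it would need a different key for every club's software. That is exactly why a provider that both encrypts the extract and decrypts its own files is easier for you and for your bank.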
Data protection is probably not at the top of your list when trying to profitably run your facility. Unfortunately, there is an unsavory group of computer users who, for fun or for profit, try to get into your system, grab valuable data and possibly exploit your members’ information. You want to take as many steps as possible to thwart their efforts and protect your database. Your software provider and processor should be your partners in this effort. Your members trust you to protect them – don’t take this responsibility lightly.
MJ Laliberte is the General Manager of Twin Oaks Software. She can be contacted at 860.829.6000, or by email at mjlaliberte@tosd.com, or visit www.tosd.com.