The ins and outs of managing and protecting member data from cybersecurity threats.
Accenture, a professional services company specializing in information technology services and consulting, conducts an annual survey of 4,744 global respondents on the current state of cybersecurity resilience. In 2021, this survey reported that cyber-attacks are on the rise, with an average of 270 attacks per company over the year, a 31% increase over 2020.
Additionally, the survey stated that third-party risk continues to dominate: successful breaches of organizations increased from 44% to 61%, causing concern in every industry.
As a health club operator, your members are trusting you to protect their valuable information and data from falling into the wrong hands. With cybersecurity threats on the rise, it’s vital to take precautionary steps to ensure you don’t fall under attack.
Al Noshirvani, the owner of World Gym of Maryland and Virginia, which operates three facilities, knows the importance of this. As such, his clubs have processes in place to help protect them from potential harm.
“We rely on a series of best practices to ensure we are as protected as we can be,” said Noshirvani. “This includes a policy on password changes every few months, audit-enabled access to systems and paperwork that may contain sensitive information, and security training which is incorporated into our employee onboarding process.”
Noshirvani added that, as protecting member data becomes more and more important, you should ensure member data is only accessed through systems that provide you with an audit trail. This allows you to know who did what, when and where.
Ryan Lapcevic, the vice president of data engineering for ROR Partners, said awareness of your business’ attack surface is the first step toward developing a strong security posture. Social engineering and known vulnerabilities in outdated software are the most common yet easily mitigated threat vectors for small- and mid-sized businesses.
According to Lapcevic, there are three key steps gyms and health clubs can take to help protect themselves from cybersecurity threats:
- “Invest in training for your employees to recognize common social engineering techniques. Many cybersecurity incidents begin with malware spread via phishing, often from emails impersonating known contacts.”
- “Ensure the software your business uses is kept updated. It’s not a question of if but when a security vulnerability is discovered in the software you use. Running the latest version of your software reduces your business’ exposure to malware.”
- “Develop an incident response plan. Given the complexity of modern software systems, the threat of a cybersecurity incident can be mitigated but not eliminated entirely. Clubs can protect themselves by having a plan in advance of a security incident.”
Failing to properly prepare for or protect your business from a cybersecurity attack could not only hurt your business, it could also damage your reputation. This is why it’s important to fully utilize your club’s software and the other technology tools available.
“There is no doubt that not only can a data breach be a PR nightmare, but it can literally put you out of business,” explained Noshirvani. “The best tip I can give is you should look at your software and payment contracts in detail. Club operators often skim through the most important clauses that address breach resolution, indemnity and warranty clauses. You are not buying a Netflix membership when you purchase these products. They are literally the lifeblood of your business. Ask yourself, ‘Would you buy a house without reading the fine print?’”
There is a wide range of technology tools and processes available to help facilities combat cybersecurity risks. Lapcevic said a great place to start is to develop a password policy requiring strong, randomly generated credentials that are unique to each account. He added that password managers, such as 1Password and LastPass, can reduce the burden of creating and securing account credentials.
However, password protection is one small drop in the bucket. Lapcevic also recommended:
- “Implement and enforce clear identity and access management policies. Use an identity provider, such as Okta or Active Directory, to define and enforce access control policies. Wherever supported, deploy single sign-on authentication with multi-factor authentication.”
- “Prohibit the sharing of credentials and accounts between employees. This policy ensures permissions and activity can be associated with a single individual.”
- “Secure your network, servers and workstations. Deploy a firewall to reduce the risk of network intrusion and install antivirus software on your servers and workstations. Use a device management platform, such as Microsoft Intune or Atera, to ensure your endpoints are running up-to-date software.”
While there is a plethora of tools and technology to help protect your business, it’s important you don’t get too bogged down. At the end of the day, the most crucial part is doing what you can to protect your members’ data and taking precautionary steps to ensure you don’t fall under attack.
“The best tool to use is common sense,” said Noshirvani. “Reinforce basic policies about not sharing passwords, using Post-it Notes to write down sensitive information or providing access to areas in the club where you may be storing sensitive information in hard copy.”