Is your health club ready for a cybersecurity breach? Cybersecurity’s “three R’s” are the foundation for every plan that addresses potentially disastrous outside threats.
These days no business can take cybersecurity for granted. Last year, we warned our clients about ransomware. One of them reached out immediately to their IT vendor — but within the week, they were hit by an attack before they could even implement their IT vendor’s recommendations.
Cybersecurity has to be a priority NOW.
The days of loading software off CDs onto PCs connected only to each other are long gone. Today’s IT environment relies on cloud-based SaaS platforms for member management, class enrollment, personal trainer and health coach scheduling, and customer service and billing.
These tools are typically accessed by staff and members or clients through both secure and non-secure WiFi connections from an array of physical devices — laptop and desktop computers, smartphones, tablets and sometimes wearable devices. In many cases, business-critical applications integrate with each other, as well as to notoriously less-secure social platforms — making it impossible to pinpoint where your vulnerabilities really end.
The result: many traditional security practices — like customer database backups — fall into disuse when capabilities transition to the cloud. Others falter when they face new challenges — like securing access to your entire network when it involves mobile devices, WiFi connections and extensive integration with external platforms.
It’s a complex world full of potential risks. Health and wellness leaders must ensure readiness, reaction and recovery in the event of an attack.
Readiness in the face of an attack requires a culture of prevention and protection that addresses the three links in the cybersecurity chain: tools, people, and processes.
1. Analyze the risks in your environment
Cybersecurity begins with a full understanding of the scope of the challenge. Most health clubs use a third-party IT company to manage most of their owned infrastructure. In addition, they often contract with SaaS providers for key member management, billing and payroll capabilities. And some still use locally-installed software.
Contact these vendors now and insist on a joint analysis effort to make sure you have a complete understanding of your IT infrastructure and risks like these:
- Where are your most important member and client software applications and data? In the cloud? On a local computer network at your business? A facility operated by your IT firm?
- What about mobile apps? Were they written by a trustworthy source? Are they constantly updated for new security threats? Do they access sensitive member information or financial data? How would you know?
- How secure are your billing tools? Consider mobile, desktop and cloud-based tools individually. If your bank accounts are accessed through misuse of these tools, who’s liable for losses?
- What about your social presence — would you lose hundreds of valuable testimonials if you received a Facebook notification tomorrow that certain data had been lost for some business pages due to a server malfunction?
- How secure is your website? Who hosts it? Your local developer? A reputable professional web hosting company? Do you even know?
- How sure are you that your staff knows to never open an attachment or click on a link? If they did — and a ransomware attack instantly locked your systems — could your business survive?
- Are you certain your bookkeeper would check with you first before initiating a bank transfer based on an email that convincingly appeared to come from you?
2. Make prevention & protection a priority
Cybersecurity compromises nearly always boil down to just a few root causes:
- Physical security of the facilities where computer software and hardware run and are accessed by end-users
- Vulnerabilities in the software itself
- Poorly-managed remote access capabilities
- Vulnerabilities to attacks that rely on social engineering — predictable user behavior and gullibility — like poor password selection
Partner now with your IT firm and software vendors to develop realistic protection strategies based on your initial risk analysis.
For any cloud-based apps, this includes understanding their in-house backup processes AND understanding how to download and store your own data so you’re not relying exclusively on their processes and procedures. Trust us, you would not sleep at night if you knew just how fragile (or even nonexistent) the security and backup processes are at many cloud-based software providers.
How, exactly, do the vendors back up critical data? What real-life experience have they had in fighting off attacks and keeping their platform up and running without affecting their customers? Demand to see their written security and backup policies and procedures including security audits.
Make sure your plan addresses all four categories of root causes (and if your IT vendor seems clueless, lacks urgency, or is unresponsive, find a new one, pronto). Meanwhile:
- Train your employees — over and over again — to be alert for social engineering attacks. This includes everything from phishing emails to phone calls and texts attempting to get staff to “confirm” secure information. Implement procedures requiring in-person or voice confirmation for any sensitive non-standard actions like fund transfers.
- Follow your IT firm’s recommendations to secure your corporate network, including company and customer WiFi access and appropriate firewall, anti-virus, anti-malware, and security software.
- Physically restrict areas within your facility that contain computers with access to critical software or data. It’s too easy for staff, customers or outsiders to steal passwords or other sensitive info.
- Insist that your IT firm keep software up to date. Your IT firm will likely be responsible for keeping certain software — like operating systems — up to date. Productivity software like Microsoft Office clients may require employee action to complete updates. Require your IT firm to certify to you monthly that all such systems reflect the latest security patches. Establish a zero-tolerance policy that requires application updates to be applied by employees as soon as the update is available. Remember to include Android and iOS system updates, too.
- Ensure that your staff, outside web or WordPress developers and IT firm use only reputable, trusted tools for member registration, customer service and billing, email, live chat and texting, and payroll.
- Never allow employees to download and open or install any digital file (ex: new apps, video and audio files, PowerPoint presentations) to company devices without prior research and approval. What looks like a harmless workout logger may in fact BE a workout logger… AND a keylogger that captures confidential username and password data or other sensitive info.
- Establish a zero-tolerance policy for username and password sharing between employees. Configure your applications to force strong passwords.
- ALWAYS use secure passwords, at least ones that contain a combination of letters, numbers, and special characters. Avoid simply tacking on easy-to-guess numbers such as the month and date of your birth, your children’s ages, etc. No password is perfect, but you can improve “bobjones01” by changing it to “b0bj0n3501” simply by substituting numbers. Of course, the easier it is for you to remember, the easier it is for someone to guess, so you might want to look at simple, easy-to-use manual techniques such as the Playfair and Double Playfair ciphers, which let you turn an easy-to-remember (and easy-to-crack) phrase into a less guessable password. You don’t even need a computer to do it. Think of it as your own private secret decoder ring for your club!
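The Playfair cipher the last tip refers to, as an added example that is not part of the original article: the standard textbook rules (a 5x5 key square with I and J merged, doubled letters and odd lengths padded with X), with the keyword and phrase below chosen here purely as placeholders.

```python
"""Playfair cipher (added example; not code from the original article).

Standard rules: build a 5x5 key square from a keyword (I/J merged), split
the text into letter pairs, pad a doubled pair or a trailing single letter
with X, then substitute each pair by row, column or rectangle rule.
Caveat: the result is only as hard to guess as the keyword and phrase
behind it, so both must stay secret.
"""

def build_square(keyword: str) -> list[str]:
    """Return the 25-letter key square in row-major order."""
    square = []
    for ch in (keyword + "ABCDEFGHIKLMNOPQRSTUVWXYZ").upper():
        ch = "I" if ch == "J" else ch          # I and J share one cell
        if ch.isalpha() and ch not in square:
            square.append(ch)
    return square                              # index -> (index // 5, index % 5)

def _digraphs(text: str) -> list[str]:
    """Split text into Playfair letter pairs, inserting X padding as needed."""
    letters = [("I" if c == "J" else c) for c in text.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "X"
        if a == b:
            b = "X"                            # doubled letter: pad and re-pair
            i += 1
        else:
            i += 2
        pairs.append(a + b)
    return pairs

def _shift(square: list[str], a: str, b: str, d: int) -> str:
    """Encrypt (d=1) or decrypt (d=-1) one pair using the three Playfair rules."""
    ra, ca = divmod(square.index(a), 5)
    rb, cb = divmod(square.index(b), 5)
    if ra == rb:                               # same row: step along the row
        return square[ra * 5 + (ca + d) % 5] + square[rb * 5 + (cb + d) % 5]
    if ca == cb:                               # same column: step down the column
        return square[((ra + d) % 5) * 5 + ca] + square[((rb + d) % 5) * 5 + cb]
    return square[ra * 5 + cb] + square[rb * 5 + ca]   # rectangle: swap columns

def playfair_encrypt(keyword: str, plaintext: str) -> str:
    sq = build_square(keyword)
    return "".join(_shift(sq, p[0], p[1], 1) for p in _digraphs(plaintext))

def playfair_decrypt(keyword: str, ciphertext: str) -> str:
    sq = build_square(keyword)
    return "".join(_shift(sq, p[0], p[1], -1) for p in _digraphs(ciphertext))

if __name__ == "__main__":
    # Placeholder keyword and phrase, constructed for this example.
    print(playfair_encrypt("my club name", "bob jones"))
```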
3. Review your business interruption insurance coverage
Responding to a breach is usually expensive. You’re typically going to have to bring in outside experts to clean up the mess in a hurry, and it won’t be cheap. Many business interruption policies exclude cybersecurity breaches or require special riders. Talk to your broker and make an informed decision about whether your current coverage is adequate.
Inevitably, somebody at your club will click on a malware link, download an attachment with a viral load, use an app full of security holes, fall for a highly believable email asking for a bank password — or, or, or. The possibilities seem almost endless.
Work with your vendors to develop a plan in advance for the likeliest threats, so you’ll be ready to react to the attack with well-considered actions in three key areas.
1. Assess and restore affected applications, data and systems.
Contact your IT firm right away so they can examine your affected systems to determine if and how the breach can be repaired and any malware, viruses, keyloggers, worms, ransomware or other threats can be safely removed. If it’s a threat that’s new to them, they’ll need time to research the threat and determine the safest method of removal. If SaaS platforms are affected, contact those service providers as outlined in the plan you developed together.
You’ll also want your IT firm to assess any risks to other connected applications and systems in addition to the initial or primary target of the attack. Your response plan should include steps to protect those connected systems from the spread of the intrusion as quickly as possible.
Don’t delete anything until your IT company confirms that your backups are ready to go.
2. Contact your members.
You’ll need to notify customers if the breach will directly or indirectly affect them — so make sure your response plan includes member communications about the breach.
This is a great example of why advance planning is so crucial. Think about it:
If your member management system is compromised, how will you be able to contact members? Rather than waiting until forced to answer that question, perhaps you could ensure that you download and store a local copy of your customer database monthly — then, even if your member database is compromised, at least you still know who your members are and you can contact them. How will you make sure that download actually happens, so you have the data when you really need it? Probably by assigning it to a specific staff member and adding a tickler to your calendar to confirm that they’ve actually done it every month. And perhaps by doing a dry run of your communications plan twice a year.
But none of that will happen without a plan, assigned responsibilities, and follow-up.
3. Contact your legal counsel and insurance company.
Depending on the scope of the breach, your financial and legal exposure can be substantial and even threaten the existence of your business.
After containing the initial breach, how will you continue to do business until all of your systems are back online? How will you keep your cash flow… flowing?
When a prospective new member walks into the middle of this mess, you do not want to be the person who says “I’m sorry, we can’t sign up new members because of a computer problem.”
Businesses ran for years without computers in the past — you can certainly do it for a few hours, days, or weeks.
Plan now for how you’ll keep the most important processes in your business up and running, even without the online systems you normally count on.
OK, so you can’t process credit cards or add people to your online member database. If you’ve done a good job of advance planning, however, you can go to Plan B: run their payments online directly through a Stripe account you set up in advance specifically for this contingency. Write down their key details on a clipboard.
Your VoIP phone system has been attacked? Use the VoIP provider’s online interface to forward calls to a manager’s cell phone.
You can’t scan membership cards? No worries. Just have people sign in manually, or simply wave them on in unless you have a specific reason to worry about a deluge of freeloaders.
Your payroll system is compromised? Develop a contingency plan so you can still pay your staff.
Your website’s down? Overcommunicate on Facebook instead.
Your Facebook business page has been compromised? Reclaim it using Facebook’s hacked account procedure — and in the meantime, over-communicate on your website.
Meanwhile, remember that printed communication — flyers, handouts, posters — still exists as a rapid-response option. Not everything has to happen online!
Will any of your “Plan B” alternatives be perfect? Probably not.
But they’re all better than nothing, because they all help accomplish the most important objective: keeping your cash flow intact, and your customers coming.
The bottom line
Preparing for a cybersecurity breach is a lot like preparing for a tornado. You can’t predict when or if it’ll hit you — but it’s catastrophic if it does, which makes readiness and a plan to react and recover even more important.
Securing the things you value is important. Knowing what you’ll do while you’re still sorting out the damage is more important. And having a plan for getting back to normal in the aftermath is critically important.
The good news: while the threats are all external, the most important steps your club can take start right in your office.