Electronic data is an inextricable part of doing business today, and that data is valuable, both to your customers and your company. The downside is that while technology is moving at a breakneck pace, security is often becoming an afterthought. Here's why you need to renew your commitment to your business data security and how you can go about doing it.
The biggest threats
"Two of the largest threats to security in terms of scope are the extent to which mission-critical data is exposed via the Internet, and data compliance with respect to the credit card processing industry," explains J.J. Shea, chief operating officer, Solutions by Computer. "Unfortunately, data security measures in general have not evolved quickly enough in response to changes in the way data is used today. Security must keep pace with change or it will be inadequate - that has become obvious to everyone with the rising incidence of identity theft. In the rental business, where the information stored in rental programs is the lifeblood of the business, threats increase as this information is deployed in new environments."
In the case of credit card processing, Shea explains, compliance requirements have only recently come to the forefront as a major issue, although the Internet has been a problem to a lesser degree for some time. "That’s because when businesses were processing credit cards over dial-up modems, the data wasn’t as exposed as it is now. The increase in the use of Transmission Control Protocol/Internet Protocol (TCP/IP Internet) networks has created new environments in which data is more easily exposed to security threats."
Of course, the threats to your business' security aren't always related to technology. The human element plays a role as well. "In an equipment rental business, the threats come as much from employees as from the security you can implement on and around your hardware, databases and software," says Patrice Boivin, vice president of operations at Orion Software Inc. "You need to make sure that employees have access to enough information to do their job efficiently without accessing sensitive information. So, server and database access becomes critical."
Michael Saint, president of Corporate Services, agrees. "Often, sufficient restrictions are not imposed on certain users to prevent them from manipulating data," he says. "It's not always malicious; sometimes it's simply a result of ignorance. They just didn't know."
Van Nguyen, director of IT infrastructure at Wynne Systems Inc., says a lack of security measures is one of the biggest threats to business data security for equipment rental businesses, and this problem has actually gotten worse recently. "For small mom and pop rental shops, their main focus is to rent equipment and this is where they will spend most of their time and money. Very little money and effort will be directed toward the upkeep of their security infrastructure," he says. "For larger rental companies, spending on security infrastructures was reduced due to the current economic climate."
Protecting your data
Not long ago, many business owners believed the biggest threats to their data came primarily from within the organization in the form of disgruntled employees or poor operational habits. These things can be counteracted effectively by using the traditional method of assigning security levels to individual employees, limiting access to data and creating a trail of data use and misuse.
"Today, business owners must think in new ways about data threats," says Shea. "Threats can come from any direction. The Internet has effectively created new working environments in which communication with suppliers, customers and business partners can expose data to new security threats as a matter of course without meaning to. Even employee communications create external threats if your staff has the ability to log in and work from home or hotels. User IDs and passwords are business assets that can be vulnerable on the Internet."
To combat this problem, most systems have employed a number of methods of protecting data. For example, using a firewall to separate workstations from the public internet is a common solution. "Even the most basic consumer routers available nowadays provide a firewall," notes Nguyen.
Other measures that increase security include anti-virus/anti-malware software and disabling the use of removable storage. "More and more, companies are experiencing data leaks due to employees copying data to removable storage like USB, CD-ROMs, etc.," Nguyen adds. "For more advanced forms of data protection, you can look at data encryption."
According to Bob Shaffer, president of Point-of-Rental Systems, most software providers encrypt stored credit card numbers so that if data is stolen, their customers' credit card information is secure, but other data on the hard disks are usually not encrypted.
"There are methods of encrypting data," Saint notes. "Traffic moves a little slower and there's overhead involved, but they're effective in removing 99% of threats represented by intercepted data."
Traditionally, most software is operated from a central point, but with the advent of the client-server network architecture came the need for complex network security. "We recommend a central server accessed through remote connection technologies to rebuild the secured environment we used to have," says Boivin, noting that cloud technology – basically, where data is stored on the Internet and not on a single computer – is taking business in this direction.
"That’s why we are offering a SaaS [Software as a Service] solution," he says. "Not all rental businesses are ready for the cloud but the trend is clearly heading in this direction."
SaaS – security help or hindrance?
The popularity of SaaS and wireless has made the protection of business data more difficult and at the same time more essential, says Shea at SBC. "For example, secure logins are important, with protected user names and passwords. Even though Internet transmissions create a raft of challenges for programmers, ultimately that’s a good thing. Software delivery over the web has served to spotlight security pitfalls that would need solving sooner or later, and sooner is always better when it comes to data integrity."
Boivin says, "The SaaS offering is increasing the security for data at a low cost. For rental businesses to be compliant with high security regulations such as SAS 70 (Sarbanes-Oxley Act), they would need to do mass investment in equipment and experts that would not be affordable for most of them."
Nguyen adds, "Any SaaS provider that wants to succeed and survive has to put tight security measures in place to safeguard customer data. In many cases, this means that the SaaS providers are making greater investments into their security infrastructures."
But SaaS can be a potential avenue for hacking, according to Shaffer, and if the login URL is easy to find and has a weak username/password combo, the threat is greater. "Having a WiFi hotspot in the rental store can certainly open a new avenue for hackers," he adds. "The difficulty of properly establishing a truly secure remote access protocol can motivate rental operators to use less secure remote connections, leaving another avenue for hackers."
What can your business do?
"One thing a rental business can do to protect its data is to ensure systems are protected with a firewall between the server and Internet," advises Shea. "A VPN should also be used to secure the connection between the server and user. If private information travels the Internet, it should be encrypted as rigorously as possible."
He continues, "In terms of relying on security measures developed by a rental software vendor, prioritization is very important. Ask the vendor to explain all of the security functionality offered, both internal and external, as well as compliance with credit card processing standards and e-commerce standards. If no new security developments have been produced in the last couple of years, it can be a sign that the vendor is unable or unwilling to keep up with the evolution of threats."
Boivin suggests that rental businesses need to invest in software that manages user rights in multiple dimensions to control employees' access to sensitive data. "It must offer both security and flexibility," he says. "[Rental businesses] also need physical access and Internet policies and procedures in place. The SaaS offering allows them to take advantage of high security of data at a low price."
Nguyen points out that some effort also needs to be put into effectively managing your staff. "It doesn’t matter what security measures are in place by the SaaS providers; there must be a good foundation at the rental company. One of the biggest areas of data theft occurs from within the organization. Have a process or plan in place to make sure any employee who is terminated does not have access to data once they are let go."
Additional practical steps for protecting your business data include physically securing your server by locking it in a room instead of keeping it under the front counter or a desk, Shaffer suggests.
Also, "Use disk level encryption on laptops and any removable devices such as flash drives. This will ensure that even if stolen, data on these devices cannot be used," says Shaffer. "Destroy old backup tapes, DVDs, CDs, etc. and use an Internet service to automatically make backups."
Saint advises that individual businesses should refrain from storing customers' credit card numbers in their own system. "We offer a credit card processing service through [a third party] which sends us an encrypted account ID instead of the actual credit card number. This way, we don't have customers' credit card numbers in our system."
Lastly, Shaffer suggests using strong passwords, i.e. 10 to 20 characters that are not common words and contain symbol characters such as @, ? and $.
As more and more rental businesses build mobile websites and apps to enhance their availability to customers, businesses need to be aware of the potential effects this can have on the security of their business and those of their customers.
"The number one thing to remember is to take security seriously from day one of the development process," says Shea. "This may seem obvious, but it’s not happening right now with a lot of mobile development - in part because security hasn’t been a priority in the rush to launch this functionality. As a result, mobile apps and sites are becoming vulnerable targets for cyber criminals."
He continues, "It’s not much different from what happened with personal computers early in their market explosion. There was a period where hackers had a field day until software security caught up. Why repeat that cycle? And with mobile technology, there is the added risk of alienating customers if your app or website exposes them. The novelty of being able to connect to you 24/7 from a smart phone will wear thin very quickly for a customer whose private information is compromised."
Nguyen agrees, adding, "As the industry moves toward Web 2.0 sites, we find that companies are rushing to add new, cool features and often leave security as an afterthought. Businesses need to remember the importance of securing their data to protect their customers and their own reputations."
Boivin points out that rental businesses should take care to ensure that data don't reside on the personal device. "In case data get lost, the content should be deleted with a quick and simple procedure. The access to customer information, in particular, should be highly secured as it could damage the business' reputation and lead to loss of customers if accessed by unauthorized persons. Businesses should regularly audit access to websites to ensure compliance with security policies."
In the end, good old common sense can go a long way toward helping businesses secure their business data. As Shaffer says, "If there is not a clear case for making information available to the web, then keep it off the Internet."