Data breaches at large companies like Target and Anthem make headlines, but they are far from the only victims of client information theft. Small businesses like your nail salon also house sensitive information ranging from email addresses to credit card data and are likewise a focus for thieves. “Bad guys know that small businesses do not have the time or resources to secure their computers, so they consider a small business an easy target. As such, cyber criminals use automated tools to scan and hack into thousands of small businesses around the world,” says Lance Spitzner, research and community director of SANS Securing The Human, which publishes a free monthly security awareness newsletter available at www.securingthehuman.org/ouch. Protect your salon by taking basic steps to safeguard your client data, including following the best practices that are explained here.
Hire Trustworthy Employees
Insiders have become the most-cited culprits of cybercrime — but in many cases, they unwittingly compromise data through loss of mobile devices or targeted phishing schemes. Responses to The Global State of Information Security Survey 2015, released by PwC in conjunction with CIO and CSO magazines, reveal that incidents caused by current employees increased 10% compared to its previous survey. In other words, it’s crucial to hire trustworthy people and to limit which employees have access to client data.
Michael Kaiser, executive director of the National Cyber Security Alliance, says, “Owners should start with a simple question: Who has to have access and why? There should be a work-related need to being able to access data and those who do have access should be alerted to their need to be careful and respect the security and privacy of the data.”
Attorney Stuart T. O’Neal, III, chief privacy officer of law firm Burns White LLC, which recently launched a cyber-security group, offers advice on hiring. “We would recommend being very diligent with employee interviews and conducting criminal background checks on employees as a standard protocol. I would suspect that, as a matter of trust, giving an employee that type of access is something that needs to be earned,” O’Neal says. “As for security-related policies, ongoing education about this topic is paramount.”
Protect Your Physical Space
You have to store paper records somewhere, and where and how you store them can make a large difference in how safe those records are from prying eyes. Rob Reynolds, COO of nationwide locksmith group Pop-A-Lock and a Pop-A-Lock franchisee, recommends putting them in a fireproof cabinet that is anchored to the floor. “The very first thing a thief is going to look for is a safe or something that looks like a safe, and if it’s portable, then he will just take it and have unlimited time to work on opening it,” he says. A bolted fireproof storage unit doesn’t have to be an eyesore in an otherwise zen-like salon, Reynolds says. He recommends hiring a designer to build surrounding custom cabinetry or counters so the safe blends in.
Regarding how to access secured areas such as the safe, Reynolds recommends a “restricted key.” Note this is different from a key that says “do not duplicate.” A “do not duplicate” stamp offers virtually no protection, as many unobservant locksmiths will copy these anyway. By contrast, a restricted key physically prevents itself from being copied, usually because the key blanks are not readily available. Reynolds also says to keep all keys hidden from observers, such as by storing them in your purse. Though this should not be a concern with restricted keys, some keys can actually be copied via smart phone apps that only need a photo of the key — meaning keys can be duplicated without ever leaving your possession. Also, consider storing sensitive data behind two sets of locks (for example, in a locked cabinet behind a locked door).
Another place where physical security is paramount is at point-of-sale. If you’re using a smart phone credit card reader that works in conjunction with a tablet computer, do not leave the tablet sitting on the counter where anyone can swiftly yank it out. “Simple distance helps. Don’t put it immediately on the front counter,” Reynolds says. “You can also secure those to the counter, through bolts, epoxies, or most conveniently, a Lazy Susan that you can swivel back and forth.”
Security cameras, at minimum at the point-of-sale system and at the record storage location, are also a wise investment, Reynolds says. “Twenty years ago, if a salon was considering installing a CCTV system, it could be thousands of dollars and an invasive installation that involved getting permission from the building owner. Thanks to wireless IP cameras, those days are over. The modern IP system can be a few hundred dollars.” He recommends doing your due diligence on the cameras before purchase and on having them professionally installed.
Another area of business security in which the price has dropped to affordable levels is in remote buzzers that unlock doors. There are access control systems that combine convenience and security that are much more affordable than in the past and could be a solution if you work late hours at the salon and don’t want to leave the front door unlocked.
Your salon computer likely holds a treasure trove of information for potential thieves, so you need to take care to secure it. Spitzner says, “Make sure only you, as the salon owner, have control of the admin account. Then create standard user accounts that do not have privileged access and let employees only use non-privileged accounts. These non-privileged accounts cannot install new software.”
Spitzner also says you must ensure your operating system and applications are up-to-date and that you always run the latest versions. If you’re running a system that’s no longer supported, you need to update it right away. Spitzner adds, “If you have auto-update features, make sure those are enabled. After that the second most important thing is anti-virus (AV). However, people must understand that AV cannot catch all malware, only the malware we know about. So people must be aware of other attacks, such as phishing. Finally, strong passwords are key. If an application supports two-step verification, they should definitely use it.” Part of having strong passwords is to immediately change all default passwords to hard-to-guess unique passwords.”
Safeguard Credit Cards
Accepting credit cards can be a competitive advantage that sets you apart from other nail salons, but you must ensure no unauthorized persons get access to this data. “The handling of credit card data is highly regulated under a standard called PCI-DSS,” says Spitzner. “The best solution is to outsource all of the credit card handling to a company that specializes in it. You never want to store credit card information, or if you do you’ll want to bring in a security expert to ensure you are meeting all the requirements. Another source of good information would be to ask the people who are supplying the credit card processing equipment and services.”
You may be wondering if online credit card transactions are riskier than those done in person. Our experts say no. Online booking and payment can actually be more secure than in-person options, assuming of course, that the online site is set up correctly. Spitzner again recommends outsourcing this service to someone who specializes in it.
O’Neal observes, “The information being provided in person is usually input into a computer anyway. The best way to guard against the data breach is having the secure software in place and internal policies and procedures that govern privacy.”
In Case of a Breach
Unfortunately, as was the case for Anthem, Target, and many other businesses, security breaches can happen no matter how large or how small the company. If you suspect a breach, then you need professional help to minimize the damage, our experts say. You will likely need legal help, IT help, police help, and to inform the affected clients.
You should also be aware that it’s not always obvious that data has been compromised, but there are certain red flags you should be alert to. “I would keep an eye out for customers who are coming back to the salon and saying that their credit card was improperly charged following a transaction. I would also be on the lookout for irregular charges on the salon’s own account and would recommend vigilance as it pertains to monitoring bank and credit card statements,” O’Neal says. According to Spitzner, other possible indicators of a security breach are alerts from your AV software or if you notice that your computer is hosting software or accounts you didn’t install.
Implementing solid safeguards for your salon will make it much less likely that you’ll be a victim of physical or cyber theft, making these steps a vital part of protecting your clients and your salon’s future.
What to Ask Software Vendors
If you’re considering adding software, such as for online scheduling, ask the manufacturer these questions first:
> How do you implement security?
> Does the software support encryption?
> How often is it updated?
> Are updates automatically included?
> Does it support two-step verification?
> Have you ever had your system compromised?
> Are there any default passwords I should be aware of?