10 Essential Online Security Strategies for Your Health Club


Your health club may have spent serious money on equipment — but you’re in serious trouble if your member database, passwords, or financial records are compromised. These time-tested methods protect your club’s data assets from malice, theft, or negligence.

Minimizing exposure, spreading risk, and paying attention to basic security housekeeping can take you a long way.

1. Take online access seriously

What are the odds that someone you’ve fired still has manager access to your Facebook page, your business Twitter account, the company that hosts your website, or access via a phone app to your member database? Pretty high, actually. In fact, we see this all the time with clients.

Here’s how to protect yourself:

  • Establish a protocol for turning off all systems access when employees quit or are terminated.
  • When employees go on vacation, family leave or disability, lock their accounts until they return. If they don’t return, follow the protocol for employees who quit or are terminated.
  • Force password changes at least monthly. Require passwords to be a mixture of upper- and lower-case letters and numbers plus special characters.
  • Never give out the “god” admin password to anyone.
  • If you’re the owner or general manager, don’t give your own email login and other access credentials to other employees, marketing contractors or outside IT firms. Give them their own logins so you can identify the source of any future issues.
  • Make a list of all the applications you use, and establish a calendar for reviewing existing access and deleting inactive accounts in case the above procedures weren’t followed at all times.

As we’ve worked with clients, we’ve discovered numerous accounts — all still active — that belonged to people no longer with the business (including very disgruntled employees who were definitely a threat to the business). Outside vendors still had access, even though clients no longer worked with them. There were test accounts with unknown owners. And on and on.

And in every instance, these accounts had sufficient access to do very serious damage.

2. Implement user-level security

People will do everything they’re allowed to do. One of our clients granted their entire sales team the same level of account access, including visibility to other salespeople’s information. It seemed like a good idea at the time: transparency means simplicity. Sales targets, results, and basic customer contact info weren’t secrets, right? After all, they talked about this stuff every week in the sales call.

And then…a salesperson left, and took the entire customer list with him. User-level access would have made this much harder to do. The sales rep still could have taken his own customers’ data — but he wouldn’t have been able to download everyone else’s.

Many cloud and locally installed applications like Mailchimp and WordPress have multiple levels of access available. Give people only the access privileges they actually need. Don’t automatically give everyone all-powerful manager or administrator rights. This also allows you to keep billing details like credit card information private.

Remember, you can always expand rights later if limited access causes a legitimate business problem.
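One way to run the periodic access review from point 1 and the least-privilege check from point 2 together, as an added example that is not from the original article: it reconciles an application’s account export against the HR roster and vendor list, flagging departed employees, unlocked accounts of staff on leave, vendors whose engagement has ended, test accounts with no named owner, and employees holding more rights than their job role needs. The roster, vendor list, role ceilings and account export are all constructed sample data.

```python
from datetime import date
# Constructed HR roster: current staff, their job role, and leave status.
HR_ROSTER = {
    "ana": {"role": "sales", "status": "active"},
    "ben": {"role": "sales", "status": "on_leave"},
    "cara": {"role": "general_manager", "status": "active"},
}
# Constructed vendor list: engagement end date, or None if still engaged.
VENDORS = {"seo-agency": date(2023, 6, 30), "it-firm": None}
# Assumed ceiling on the access level each job role legitimately needs.
MAX_LEVEL = {"sales": "member", "billing": "editor", "general_manager": "admin"}
LEVEL_RANK = {"member": 0, "editor": 1, "admin": 2}
REVIEW_DATE = date(2024, 1, 15)  # constructed date of this review

def review_accounts(accounts, today=REVIEW_DATE, roster=HR_ROSTER, vendors=VENDORS):
    """Return (username, finding) pairs for every account that needs action."""
    findings = []
    for acct in accounts:
        user, kind = acct["user"], acct["kind"]
        if kind == "employee":
            person = roster.get(user)
            if person is None:  # nobody by that name works here any more
                findings.append((user, "departed employee, disable account"))
                continue
            if person["status"] == "on_leave" and not acct["locked"]:
                findings.append((user, "on leave but account not locked"))
            if LEVEL_RANK[acct["level"]] > LEVEL_RANK[MAX_LEVEL[person["role"]]]:
                findings.append((user, f"{acct['level']} rights exceed what {person['role']} needs"))
        elif kind == "vendor":
            ended = vendors.get(user, today)  # unknown vendor is treated as ended
            if ended is not None and ended <= today:
                findings.append((user, "vendor engagement ended, remove access"))
        elif not acct.get("owner"):  # test or other accounts with no named owner
            findings.append((user, "no named owner, remove or assign one"))
    return findings

# Constructed account export from one application (e.g. the member database).
SAMPLE_ACCOUNTS = [
    {"user": "ana", "kind": "employee", "level": "editor", "locked": False},
    {"user": "ben", "kind": "employee", "level": "member", "locked": False},
    {"user": "cara", "kind": "employee", "level": "admin", "locked": False},
    {"user": "dave", "kind": "employee", "level": "admin", "locked": False},
    {"user": "seo-agency", "kind": "vendor", "level": "editor", "locked": False},
    {"user": "it-firm", "kind": "vendor", "level": "admin", "locked": False},
    {"user": "test1", "kind": "test", "level": "admin", "locked": False, "owner": ""},
]
if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_ACCOUNTS):
        print(f"{user}: {finding}")
```

Run it against a real export by replacing the constructed lists with your own roster, vendor and account data; each finding is one account to lock, remove or downgrade.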

3. Back everything up regularly

Every health club or fitness business, regardless of size, needs a systems disaster recovery plan.

If you’re a mom-and-pop shop and you keep everything on your tablet, you should still be backing up critical data regularly, ideally daily, and always to an off-site location via cloud-based backup. In fact, it’s arguably more important for you to do this than it is for a larger business, because your entire business may be on that tablet.

If you’re the head of marketing for a regional health club chain, and you work on critical projects on your laptop as you travel from club to club, what happens if that laptop gets stolen from your rental car trunk? We’ve seen it happen.

It’s equally important to TEST your recovery process. Be ready to recover your data to another physical location and a new server, desktop, laptop, tablet or smartphone; re-point your software to the backup, and continue normal operations. You’ll be glad you did.

NOTE: Services such as Mozy or Amazon S3 offer reasonably priced plans for data backup based on usage.

4. Trust, but CYA

A lot of good has come to fitness clubs and wellness businesses from cloud-based services. They don’t have to create an IT department, convert offices to server rooms, or hire programmers to connect local systems that won’t talk to each other. And you sleep better, knowing that your data is stored on redundant servers in secure data centers in different geographical regions.

However…your ability to get to your data is limited to the business continuity of the vendor who created your cloud-based application. “But wait,” you say — “I’ve heard of the guys, they advertise all over the place. I don’t need to worry about them…do I?”

Yes, you do. Every year, smaller application vendors shut their doors. They don’t always provide copies of data to their former customers, either, or plan a graceful transition. And even financially solid companies can have surprisingly flimsy internal operational procedures. Data may be irretrievably lost without warning, and systems can be down for days.

You should always have a plan B.

Periodically download your data or at least capture summary and detailed reports of member and account data and financial activity, so that if you had to reconstruct your business operations from scratch, you’d have half a chance of doing so.

If you decide to roll the dice and go with a smaller vendor, consider including a requirement that they escrow their software code. This means that if they do go out of business, you’re entitled to receive a copy of the software you licensed from them.

5. Pay attention to vendor business direction

If your club’s public image revolves around your Facebook presence, you’re betting your whole business that Facebook won’t suddenly change the way it handles ads, posts, friend lists, and business page management.

If you’re entrusting your online content to a third-party SEO outfit, you’re trusting that they’re only engaging in white-hat SEO, that they’re committed to rooting out click fraud on your behalf, and that Google won’t change its keyword search algorithms.

If you’re using popular email list management software, you’re betting they’ll be here tomorrow, still tightly allied with major ISPs, continually adding valuable features, and staying off spam blacklists by forcing customers to observe their list acquisition quality standards.

Third-party vendors are a great way to access new capabilities without hiring new people or creating new departments. Understand, though — all you’ve done is trade managing people for managing vendors. Relying on outside vendors is often the right answer, but it exposes your health club to new kinds of risk.

Using several vendors instead of just one helps avoid the risks that come with putting all your eggs in one basket. Paying attention to your vendors’ business performance and direction also helps you anticipate unwelcome change.

6. Separate business and private data

Chances are good that when you hire someone, they’re using their own laptop, tablet or phone for business-related calls, emails, texts, voice mails, etc.

Personal trainers, health coaches, group fitness instructors, and massage therapists come and go. If you let them maintain their client list exclusively on their phone, then it’s not YOUR list any more…and when they leave, so will your client list. Something as innocent as an employee’s unexpected illness or family emergency can turn into a major problem under these circumstances. You don’t know who needs rescheduling, how to reach them, which prospective new clients are expecting call backs…and so forth.

Services like Switch.co let employees bring their own devices — while allowing employers access to information if an employee quits, gets sick or otherwise isn’t available to provide access and information.

7. Don’t just spread responsibility — share it

Too much responsibility in one position is a recipe for disaster. My local Lifetime Fitness did not bill me for three straight months, or issue me a permanent membership card, because they laid off their billing person and literally no one else knew how to operate the new-member functions in their computer system. Hard to believe, I know.

Your CFO may quit tomorrow, leaving your accounts in a mess. Your reliable web consultant may decide your club isn’t as big or important as that new client they got last month. Your membership director may suddenly decide to move to Colorado with her fiancé.

When this happens, you’re going to wish that your senior accounting manager had access to most of the same accounts and files. You’ll feel the cold wind of I-really-need-to-change-our-web-content-but-can’t, because you don’t have anyone internal who knows anything about it. You may find that you can’t even log into your own business Facebook account to shut off those ads that are being sent to everyone in California instead of just southern Orange County (not kidding).

Desk books and procedure manuals, cross-training on mission-critical functions — these are just a few of the ways that you can protect your health club.

8. Conduct an online security audit

If you don’t have the time or resources to look into all those overly simple passwords, active accounts for inactive employees, back doors, and non-secure financial data, then find someone trustworthy, with impeccable credentials, who has both the time and knowledge to identify and address risks to your business.

Any consultant you hire should weigh the cost of data loss or compromise, the financial risk of any security gaps they find, the level of security your business actually wants, and the operational consequences of tightening security.

It’s perfectly OK if you decide that you don’t need the online equivalent of laser tripwires and palmprint, iris, and voice recognition. Then again, if you’ve got tens of millions of dollars riding on your list of accounts, maybe you need that 128-bit data encryption package for your financials.

9. Review your business interruption insurance

Business continuity coverage is a must-have. For example, we had a series of very damaging tornadoes here in Texas. Business continuity coverage paid for the costs of cutting over to backup computer systems.

Many clubs overlook one of the greatest advantages of business interruption insurance, however — the review of your operations, policies and practices that occurs prior to policy issuance. It’s an excellent opportunity to get expert insight into the gotchas that exist in your health club, and advice on how to manage those risks.

10. Pay attention to evolving cyber-threats

It’s not just viruses any more. Malware, ransomware, cloud and near-field hacks, denial-of-service attacks, texting hacks, and malicious social software are just a few of the very real dangers your club may face. You need to stay on top of these risks, because even smaller businesses are vulnerable. For more detail, read our previous WebSavvy article “New Cyber Threats Endanger Your Fitness or Wellness Business.”