Peter Hess, Chief Security Officer, 10Pearls, provided a list of five key security takeaways that may help IT professionals in the fitness industry sleep more soundly – or not!
1) Prioritize: Protecting the Most-Critical Information is Key
Club owners should determine what their most critical information is, and focus their protections on that.
Not all information needs to be treated equally, especially when it comes to securing it from risks. Certain information (credit card numbers, social security numbers) has compliance requirements. Other information may be costly to the organization if it is lost or released to the public. Knowing which information is most critical helps set the path forward for security.
2) Think Holistically: Protection needs to not only prevent breaches, but also ensure adequate backups and disaster recovery
Part of securing information includes making sure it is safe from intentional or accidental destruction. Computers fail, cloud services go bankrupt, and attacks such as the “CryptoLocker” ransomware have been estimated to cost businesses upward of $30M so far. Make sure you are taking good backups and testing your restoration process regularly.
3) Balance Security and Cents: Be mindful when balancing the costs of compliance vs. the risks of non-compliance.
While the fines associated with regulations such as PCI and HIPAA certainly sound scary, the total costs of implementation sometimes are even scarier. Keep the end in mind when planning your compliance program; it may not make sense to try to take a “big bang” approach. Implementing security measures that reduce or defer risks, rather than completely eliminating them, may be a practical approach.
4) Don’t Miss the Basics: There are certain things that every business, no matter how large or how small, should do.
Every organization needs to address six items, regardless of size, industry, or budget. Firewalls (protecting networks), patching and updates (reacting to software bugs), and anti-malware (reducing risk of malware infection/spread) are fairly commonly implemented and understood. Additionally, systems should default to using unprivileged accounts (only using additional rights when necessary) to help keep good people from accidentally doing bad things. Lastly, prepare for the inevitable by having good backups (including testing restoration), and having an incident response plan.
5) Cure the Source vs Symptoms: Embed security in the system architecture of software applications during the design and architecture phase.
Information security is much more effective when performed as a preventative measure rather than as a reaction to a threat. Being prepared for threat scenarios at the design phase means that more intelligent architectural decisions can be made to limit the damage when something goes wrong. Products and solutions should be built with an “assume breach” mindset, which allows them to be resilient in the face of attack.