In today's computing environment, with so much access moving “out of store,” it's more important than ever to take measures to protect your data. Anyone who uses the Internet knows that new threats emerge constantly in the form of viruses and spyware. Less frequent, but more damaging, is the possibility that your rental data can end up in the wrong hands. This could happen through e-commerce leaks, disgruntled employees or illegal access.
When a data breach makes national headlines — like the massive hacking at a card processing center recently — it can seem like a problem solely for large companies. Many small business owners dismiss security concerns, or simply table them because they don't know what measures to take. This is risky for any business, but especially for rental businesses, where data is the measure of your investment and the best opportunity you have for profitability.
Many rental businesses don't have the money or labor to invest in ironclad data security. That doesn't mean you should ignore it entirely. Increased public concern about identity theft is just one indication of how seriously security needs to be taken. Some states, such as Massachusetts, are legislating the definition of personal information and the steps required to protect it. If your data is relatively secure to begin with, compliance will be easier to achieve.
These eight measures can go a long way toward protecting your data now and in the future:
- Web-based risks
Today's rental computing environment extends far beyond the physical facilities. Salespeople are accessing rental data from jobsites, customers are checking out inventory using mobile apps — in short, there's no such thing as a strong perimeter defense. You must protect your gateways.
The proliferation of iPads, smartphones and other mobile devices has increased the number of gateways exponentially for some rental businesses. If a mobile app offers limited functionality it may inherently provide some security. As apps become more sophisticated, however, their access to data can outpace the security measures put in place, creating more risk.
Even something as apparently straightforward as having a website requires vigilance. One common scenario is for a company to have its own web server installed by a consultant who departs after everything is working. No one watchdogs the server for breaches after the initial install. Or, if your website is hosted by someone else, you may assume that security is being handled “out there somehow.” Both situations leave you open to risk.
As a rental operator, it's your responsibility to safeguard the data on your server. When setting up an e-commerce or website environment, first be sure to understand the security implications. Ask questions of your host or your third-party provider. Become familiar with the way your data is accessed over the Internet, and learn what to look for in a breach. Consider whether you want to expose only certain types of data to the web.
Most important, remember that web security is never “one and done.” Plan for regular security reviews to be sure that your environment stays secure.
- Card processing data
The PCI Data Security Standard has been in the news a lot over the past year — it provides the framework for payment card data security. The PCI standards are wide ranging in scope but focused on a single goal: It is imperative that cardholder data be protected.
The safest and most secure way to handle card payments in your rental business is to eliminate exposure of the data. Exposure can come both from internal and external sources. There's nothing you can do to protect customer data once it's in another company's system. But internally, it will mitigate your risk and your responsibility if you utilize a payment process where the information flows from the point of transaction to a third-party processor, and is not stored on any computer in your business. That should be the first question you ask.
- Backups and media storage
A tape backup system is a lot like an insurance policy. It's the most essential security precaution you can take as a system owner. Tape backups are still widely used, but they're fast becoming a legacy method — and one that requires work. They need to be configured correctly, verified, and looked over frequently for errors in the logs.
The use of Internet-based backup storage has become a popular and easy means of creating backups and keeping the data secured offsite — commonly known as “in the cloud.” This method eliminates exposure within your rental business, while the data remains immediately available if needed. The verification process is usually handled by regular emails from the provider notifying you of any errors. Best practices for Internet-based backups call for the data to be encrypted and password-protected to prevent unauthorized access.
- Virus protection
The largest security risk for any computer system is viruses. Virus writers are becoming more expert at exploiting security holes. Businesses that use DSL (digital subscriber line) connections can be particularly vulnerable if the DSL router is left in its default setup. In that setup, port 80, the default port on which routers are set so that a system can “listen” to the Internet, is “listening” all the time, which leaves it open to viruses written to target port 80.
Virus protection software with automatic updates is generally a good investment, as are firewalls, discussed in the next section. You should also prohibit employees from visiting risky websites on company computers and educate them about the dangers of opening suspicious emails. Ultimately, business discipline can be the most effective barrier to viruses.
- Firewalls
Firewalls are becoming commonplace with small businesses, but they're still a mystery to many people. Many firewalls are configured incorrectly, leaving a large number of ports open to servers or leaving servers open to the Internet when they don't need to be. The good news is that a firewall can be very effective against attacks if configured correctly.
If a new server is brought online in your rental business, or you open an additional location, it's important to review and address security. A common risk occurs when a headquarters location allows Internet access to a server based at a branch, leaving a “hole” open in the firewall into the internal network of the rental business. If a web server is needed, it should be sited at the corporate office to restrict access to the internal network and minimize intrusions that can cause damage to devices.
- e-Transmission of documents and signatures
In the rental business, contracts, confirmations and other documents are often transmitted electronically, but printed, signed and faxed back to the store. To avoid having to scrutinize returned documents, be sure to protect them before transmission.
To protect the integrity of documents, “lock” them against modification before transmitting. Most people are aware that you can specify a Word document as read-only by going to the Security options under the “Save As” command. There's a misconception that PDFs are automatically protected from editing, but unless you lock the file under the Security settings in File Properties, certain versions of Acrobat can edit PDFs.
Newer technology allows for the emailing of contracts and other documents for digital signature. The signed documents are then returned to the rental business for electronic storage. Digital signatures are becoming popular as a convenience, but they do add a layer of risk. It is imperative that your document storage is secure to avoid misuse.
- Improperly monitored user privileges and passwords
One area that is often overlooked, but easy to control, is access to data by employees. Be sure to understand your rental system's security capabilities. Make the effort to utilize them fully. A system with a well-developed security structure will let you secure critical areas of the system from global access, and establish hierarchical levels of access based on your staffing structure.
You should also maintain strict password control procedures, the most basic being to change passwords periodically and prohibit the sharing of passwords. Immediately stop password privileges for any employee who leaves the company, no matter how amicable the circumstances. And if an employee with high-level access departs, conduct an across-the-board security review as a matter of policy.
- Under-trained employees
Having policies in place to deal with data security is the simplest thing you can do to help keep your infrastructure secure. Don't rely on word of mouth; put written policies and best practices in place, so employees know what is expected of them. Hold employees accountable for security breaches. Make sure that any changes to your infrastructure, passwords and policies require management approval. A little oversight will go a long way in minimizing risk.
Appropriate safeguards have long been recognized as an important part of data processing. In the data-intense rental business, the rationale for security becomes even more compelling. These simple steps can help protect your assets, your customers, your employees and your livelihood.
J.J. Shea is chief operating officer of Springfield, Mass.-based Solutions by Computer, which has been serving the rental industry with rental business management technologies since 1982. www.solutionsbycomputer.com