The Home Depot lost 56 million debit and credit card records to hackers in 2014. Target fell prey to cyber espionage in 2013, affecting 70 million customers. JP Morgan Chase was the victim of a 2014 cyberattack that compromised data for 76 million households and 7 million small businesses.
These data breaches rank among the most damaging of all time, both in harm to company reputations and in the number of clients affected. The good news is that large companies are taking strong, proactive steps to stop cyber assaults.
The bad news? As big companies build stronger virtual walls, smaller companies become more attractive targets for these types of breaches. For example, the technology company Symantec estimates that 59 percent of all cybercrime today is directed at small to mid-sized businesses.
“One big danger for small office/home office (SOHO) businesses is ransomware,” says Bruce Snell, cybersecurity and privacy director at Intel Security. “Ransomware encrypts the victim’s system and requires a payment of anywhere from $200 to $5,000 to unlock the device. Over the past year, the amount of ransomware has increased by 140 percent, making it a very real threat for small business owners.”
With these stats on the table, Tim Francis, VP and Enterprise Cyber Lead at Travelers, feels that business size is irrelevant to cybercriminals. “All businesses should consider themselves at risk. It is no longer a question of if a breach will occur, but when.”
What’s the Big Deal?
Savvy cyber criminals are increasingly drawn to smaller companies because they know the odds—the smaller a company, the less cybersecurity it likely has in place. While Francis feels that small businesses are increasingly hip to cyber risks, he adds that Travelers’ second annual Business Risk Index found that “worry does not match action.” The report found that 29 percent of small businesses feel less prepared to face cyber threats than any other risk, and only 33 percent have a cyber or data breach plan in place.[1]
However, the repercussions of not taking action can be costly, according to small business IT solutions provider CMIT, with the average annual cost of a cyberattack on a small to mid-size business hovering around $188,242.[2] That’s far more than the average data security investment, says Snell. “There are a lot of good, affordable options for small businesses to use to protect their systems—starting at $30 a year. And a data backup plan can be done locally for the cost of the equipment, or in the cloud for $5 a month.”
For massage therapists, keeping your clients’ sensitive information under virtual lock and key is essential, including knowing what security level you’re legally and ethically bound to provide clients, and how to securely collect, protect and dispose of client data.
Five Steps to Boost Safety
In its free, downloadable brochure titled Protecting Personal Information—A Guide for Business, the Federal Trade Commission offers five principles to help you keep data secure.[3]
1. Take Stock: Know what personal information you have in your files and on your computers
The definition of “personal information” varies from state to state, although it generally refers to contact information, financial information, social security numbers and any data that can identify an individual. As a massage therapist, you likely have a great deal of personal client information—especially if you accept credit cards or checks and record health information.
Be sure you know what information you have and where it is. Is it on paper, desktop computers, laptops, mobile devices, flash drives, disks or smartphones? Knowing the client data you have and where it’s stored is essential when building a data security program. In particular, you’ll get a clear picture of the technology you use that may need stronger protection measures. You may also realize that you are keeping more sensitive data, in more locations, than you need—and every extra copy is another opportunity for a security breach.
2. Scale down: Keep only what you need
If you accept credit cards, the FTC strongly recommends not keeping clients’ account numbers, expiration dates and security codes on file. Collect the information as needed. This way, if your computer is hacked, there’s no client financial information available, and you’re not putting valuable clients at risk for identity theft.
The FTC also recommends checking the default settings on your software that reads clients’ credit card numbers and processes the transaction. Some software automatically saves information and you need to change the default settings to avoid inadvertently storing information you don’t need to keep.
3. Lock it: Protect the information you keep
Digital data should be encrypted both in transit and in storage. Encryption converts readable electronic data (plaintext) into what’s called ciphertext; to read an encrypted file, you must have access to the secret key or password that enables you to decrypt it.
To find the right encryption software for your business, contact a provider of IT services that specializes in small businesses.
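The paragraph above describes encryption at rest in one sentence: plaintext goes in, ciphertext comes out, and only the holder of the key or passphrase can reverse it. The following Go program, added here as an illustration and not code from the article or from any vendor it mentions, shows what that looks like for a single client record. It stretches a passphrase into an AES-256 key with PBKDF2-HMAC-SHA256 (written out with the standard library), seals the record with AES-GCM so that tampering is detected, and demonstrates that a wrong passphrase yields an error rather than garbage. The record text, the passphrase and the constants are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // random salt stored with each record
	keyLen     = 32      // 32 bytes selects AES-256
	iterations = 100_000 // PBKDF2 work factor; raise it as hardware allows
)

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 (RFC 8018) using only the
// standard library, so a human passphrase is stretched before it becomes a key.
func pbkdf2SHA256(password, salt []byte, iter, outLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	blocks := (outLen + hashLen - 1) / hashLen
	var dk []byte
	ctr := make([]byte, 4)
	for b := 1; b <= blocks; b++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr, uint32(b))
		prf.Write(ctr)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:outLen]
}

// newGCM derives the record key from passphrase and salt and returns an AEAD.
func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt turns a plaintext record into ciphertext only the passphrase can open.
// Output layout: salt || nonce || AES-GCM ciphertext and tag. The salt is bound
// as associated data so it cannot be swapped without failing authentication.
func Encrypt(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, salt...), nonce...)
	return gcm.Seal(out, nonce, plaintext, salt), nil
}

// Decrypt reverses Encrypt. A wrong passphrase or any modified byte fails the
// GCM authentication check, so no partially wrong plaintext is ever returned.
func Decrypt(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("ciphertext too short")
	}
	salt := blob[:saltLen]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < saltLen+ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[saltLen:saltLen+ns], blob[saltLen+ns:], salt)
	if err != nil {
		return nil, errors.New("decryption failed: wrong passphrase or tampered data")
	}
	return pt, nil
}

func main() {
	// Constructed sample record; not real client data.
	record := []byte("Client: J. Doe\nNote: reports reduced MS symptoms after session")
	blob, err := Encrypt("long memorable passphrase", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext\n", len(blob))
	back, err := Decrypt("long memorable passphrase", blob)
	fmt.Printf("roundtrip ok: %v (err=%v)\n", string(back) == string(record), err)
	_, err = Decrypt("wrong passphrase", blob)
	fmt.Println("wrong passphrase:", err)
}
```

The design choice worth noting is authenticated encryption: AES-GCM refuses to decrypt anything that has been altered, which is what turns a stolen laptop or flash drive from a breach into a non-event, provided the passphrase was not stored alongside the ciphertext.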
In addition to encryption software, special care should also be taken with passwords for your mobile devices and online accounts, including email. Here’s how the FTC recommends you create a strong password.[4]
- Create a password longer than eight characters.
- If a longer password is not an option, choose one word and misspell it.
- Select a mix of upper and lower case letters, numbers and special characters, such as !, @, #, $, %.
- Avoid a word or date that everyone knows is important to you—such as your pet’s name or your birth date. Both are easy guesses.
- Never use a password that’s the same as your user name.
- Play it safe and change your passwords every six to 12 months.
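The rules in the list above can be enforced mechanically when a practice sets up accounts for its staff or its booking software. The Go function below is an added example, not code from the article or from the FTC or SBA; it implements the checkable rules as stated (longer than eight characters; a mix of upper case, lower case, digits and special characters; no personal word or date; not the same as the user name) and returns every rule a candidate password fails, so the user sees all problems at once. The sample user name, pet name and birth year are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// CheckPassword returns the list of rules a candidate password fails, or an
// empty list if it passes all of them. personalWords holds things everyone
// knows matter to the user (pet names, birth dates) that must not appear.
func CheckPassword(password, username string, personalWords []string) []string {
	var problems []string

	if len([]rune(password)) <= 8 {
		problems = append(problems, "must be longer than eight characters")
	}

	var hasUpper, hasLower, hasDigit, hasSpecial bool
	for _, r := range password {
		switch {
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsDigit(r):
			hasDigit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			hasSpecial = true
		}
	}
	if !(hasUpper && hasLower && hasDigit && hasSpecial) {
		problems = append(problems, "must mix upper case, lower case, digits and special characters")
	}

	// Personal words are matched case-insensitively anywhere in the password,
	// so "Fluffy2016!" is still rejected when the pet is named Fluffy.
	lower := strings.ToLower(password)
	for _, w := range personalWords {
		w = strings.ToLower(strings.TrimSpace(w))
		if w != "" && strings.Contains(lower, w) {
			problems = append(problems, fmt.Sprintf("contains personal word or date %q", w))
		}
	}

	if strings.EqualFold(password, username) {
		problems = append(problems, "must not be the same as the user name")
	}
	return problems
}

func main() {
	// Constructed sample account details for the demonstration.
	personal := []string{"Fluffy", "1999"}
	for _, pw := range []string{"fluffy1999", "Tabl3s&Lin3ns!Sp4"} {
		problems := CheckPassword(pw, "jane", personal)
		fmt.Printf("%-20s -> %d problem(s) %v\n", pw, len(problems), problems)
	}
}
```

The check cannot tell whether a word has been deliberately misspelled (the second bullet), so that rule is left to the user; what it can do is refuse the passwords that the list identifies as easy guesses.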
4. Pitch it: Properly dispose of what you no longer need
Principle 1, Take Stock, is essential for principle 4. It’s important to know what sensitive data you’re storing—because then it’s much easier to know what can be trashed. Paper records should be shredded.
As for digital data, including emails, if you have encryption software, you can simply delete the data, because what remains on disk is unreadable ciphertext. Unencrypted sensitive data can be destroyed with a digital file shredder program, which overwrites files so that they cannot be recovered.
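A file shredder of the kind the paragraph above refers to does one thing: it overwrites the file’s blocks before unlinking the name, so that undelete tools find only random bytes. The Go program below is an added example written for this page, not a tool the article recommends. One caveat that the article does not mention but that a practitioner needs: on SSDs, copy-on-write or journaling file systems, and folders synchronised to a cloud service, the old blocks may survive an overwrite; there the reliable route is the one the paragraph gives for encrypted data, namely deleting the ciphertext and discarding the key. The sample file name and contents are constructed.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"os"
)

// ShredFile overwrites a regular file with random bytes the given number of
// times, flushing each pass to disk, then truncates and unlinks it. It refuses
// directories and other non-regular files rather than guessing at them.
func ShredFile(path string, passes int) error {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer f.Close()

	info, err := f.Stat()
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%s is not a regular file", path)
	}
	size := info.Size()

	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return err
		}
		// Fill the file's existing extent with fresh random bytes.
		if _, err := io.CopyN(f, rand.Reader, size); err != nil {
			return err
		}
		// Force the overwrite out of the page cache before the next pass.
		if err := f.Sync(); err != nil {
			return err
		}
	}
	if err := f.Truncate(0); err != nil {
		return err
	}
	if err := f.Close(); err != nil {
		return err
	}
	return os.Remove(path)
}

func main() {
	// Constructed sample file in the temp directory; not real client data.
	path := os.TempDir() + "/shred-demo.txt"
	if err := os.WriteFile(path, []byte("old client intake form"), 0o600); err != nil {
		panic(err)
	}
	if err := ShredFile(path, 3); err != nil {
		panic(err)
	}
	_, err := os.Stat(path)
	fmt.Println("removed:", os.IsNotExist(err))
}
```

The second `Close` after the deferred one is deliberate: the explicit call reports write errors, while the deferred call only guards the early-return paths.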
5. Plan ahead: Create a plan to respond to security incidents
Should you suffer a data breach, you need a plan in place to quickly alert your clients, bank, credit card processor and any other persons or institutions you feel need to know. You also want to immediately revisit your state’s laws concerning data breaches.
Controlling the Uncontrollable
Not every security breach traces back to break-ins via malicious software. According to the Privacy Rights Clearinghouse, a nonprofit dedicated to protecting the privacy of American consumers, there are several innocent ways that sensitive information can land in the wrong hands.
Unintended disclosure of health information
Let’s say a client sends you an email expressing how massage therapy helped relieve her symptoms of multiple sclerosis (MS). With no intended malice, you—or someone helping with your business’s website and social media presence—post the client’s name and her kind words as a testimonial. If this client had wanted to keep her MS private, your testimonial has resulted in a security breach.
To avoid such potential problems, enact a zero tolerance plan that no client information will be posted, tweeted, emailed or shared in any way before first alerting the client and obtaining written permission to share the information.
Innocent clicks and downloads
We all get them. Those phishy emails that are fakes—sent by criminals under the cloak of a trusted client or friend’s email address. These phishing expeditions typically include links or attachments, and because you recognize the address, it’s an innocent enough mistake to click or download. Once done, the phisher gains control of your computer and can target your identity, steal your passwords and access client data.
To protect yourself from these potentially damaging mistakes, the Federal Bureau of Investigation Internet Crime Complaint Center (IC3) recommends never responding to, opening attachments in or clicking links in an unsolicited email or an email from a client or friend that seems odd.
Even if you think the email is genuine, IC3 still recommends playing it safe. Type the URL into your Web browser’s address bar and log into the website yourself. If it is a genuine website, you’ll be able to safely find the information or download a file.
Lost or stolen computer and mobile devices
Laptops, smartphones, flash drives, tablets and even desktop computers go missing every day. If you do lose a computer or mobile device, the problem will likely be significantly less traumatic if you implement three rules.
- Follow Principle 1 in the FTC’s guide to keep data secure. If you know where your sensitive data is stored, then you know which devices need security—making the next two steps simple.
- Never store sensitive data on any device that is not or cannot be protected.
- Only store sensitive data on a device with encryption software and a strong password.
Many of the steps that protect sensitive data on your computers and mobile devices are free, and the payback is invaluable.
“Attacking a large organization with a full security team is time consuming and difficult. Cybercriminals much prefer going after SOHO businesses with little or no security in place because these attacks can be automated and require little effort on the cybercriminal’s part,” Snell says. So with proper security software in place, your business will be far less attractive to cybercriminals—but quite attractive to clients.
1. Travelers. “2015 Travelers Business Risk Index.” travelers.com/iw-documents/resources/business-risk-index/2015-report.pdf (accessed February 12, 2016)
2. CMIT Solutions. “High-Profile Data Breaches Reaffirm Need For Small Business Security.” cmitsolutions.com/weekly-tips-blog/high-profile-data-breaches-reaffirm-need-for-small-business-security/ (accessed February 12, 2016)
3. Federal Trade Association. “Protecting Personal Information—A Guide for Business.” ftc.gov/system/files/documents/plain-language/bus69-protecting-personal-information-guide-business_0.pdf (accessed February 12, 2016)
4. U.S. Small Business Association. “SBA Underscores President’s Cybersecurity Plan; Provides Resources for Small Business Owners.” sba.gov/blogs/sba-underscores-presidents-cybersecurity-plan-provides-resources-small-business-owners (accessed February 12, 2016)