Is Your Data Secure?

Finding Your Way Through the Maze of Cybersecurity

by Jennifer Jones

When it comes to data security, most self-storage owners believe that with basic firewall protection, their data and their tenants' data are secure. Some use third-party systems that have security protections in place when transmitting data. However, most owners believe that they will not be targeted by a cybersecurity attack. But that isn’t just self-storage owners; small-to-medium-sized businesses share the belief that they’re too small for cybercriminals to target them.

According to a study by Ponemon Institute and Keeper Security, “Fifty-eight percent of respondents believe ransomware is a serious financial threat and are concerned that negligent employees put their company at risk, but only half (50 percent) say prevention of such attacks is a priority. Many are not confident that their current anti-virus software will protect their company from ransomware.” The businesses in the study employ between 100 and 1,000 people. Most of the companies that participated in the study experienced a cyberattack or data breach with severe financial consequences, losing an average of 9,350 individual records as a result of a data breach.

TYPES OF ATTACKS

According to the study, cybercriminals varied their methods between 2016 and 2017. “Phishing/social engineering has replaced web-based attacks (48 percent and 43 percent of respondents, respectively) as the most frequent type of attack. Compromised/stolen devices and denial of services attacks increased from last year’s study (30 percent and 26 percent, respectively).”

Ransomware is one of the most common attacks I’ve heard about hitting the self-storage industry. There are two types of ransomware attacks:

  • Encrypting ransomware, which incorporates advanced encryption algorithms. It’s designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content.
  • Locker ransomware locks the victim out of the operating system, making it impossible to access the desktop, applications or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer.

Ransomware can be unleashed in a variety of ways: phishing/social engineering, insecure or spoofed websites, social media, malvertisements and more.

Cybercriminals typically encrypt your data and hold it ransom, leaving the self-storage owner to ask themselves, “Do I pay or not?”

Among the participants in the study, of those that didn’t have full backups, about 60 percent paid, with the average ransom being $2,157. If they didn’t pay, it was because they had a full backup or didn’t trust that the criminals would release the data.

WHERE ARE YOU VULNERABLE?

According to the study, “data breaches due to negligent employees or contractors (54 percent of respondents) increased significantly from 48 percent in 2016. This is followed by third-party mistakes (43 percent of respondents) and errors in system or operating processes (34 percent of respondents). However, almost one-third of respondents say their companies could not determine what caused the incident.”

The main points of vulnerability are mobile/Internet of Things (IoT) devices, laptops, smart phones, cloud systems, intranet servers, web servers, desktops, tablets, portable storage devices and routers.

IoT vulnerabilities include in-office wireless-based printers and other devices. The use of cell phones and tablets to access business-critical applications and IT infrastructure is also a vulnerability.

EASY SECURITY FIXES

Company information isn’t just vulnerable to cybercriminals; it’s also vulnerable to employees and anyone else walking into your facility. There are several things you can do that cost little to no money.

  • Have and enforce a password policy. It’s the easiest and most affordable security measure there is.
  • Ensure that everyone logs out of the computer and locks up any filing cabinets before walking away from the desk.
  • If you have multiple employees, ensure that they all have their own passwords.
  • Install a firewall.
  • Install anti-malware.
  • Back up everything to an external device or to the cloud.

USING A THIRD PARTY

If you use a third-party solution to take online payments, most have some sort of encryption protection before the sensitive tenant information is sent through the system.

Easy Storage Solutions co-founder Jimmy Sorenson says, “Credit card numbers and social security numbers (if collected by the facility) are encrypted before the data hits our servers.” The Storage Unit software servers have their own security and are hosted through Amazon’s AWS, which is a cloud-based solution.

“Our software also allows for different people to have different access levels so a regional manager can have different access than a store manager.

“We also carry access control products and keypad entry, which integrates with our software. People get excited to be able to offer pay options where a tenant can swipe their credit card at the gate. However, we’ve never done that because people can install skimming devices and it’s another vulnerability, which would create a breach.”

BEST SECURITY PRACTICES

  • Don’t write down credit card or social security numbers and store locally in filing cabinets or on a computer. (Against PCI regulations.)
  • If a lease asks for a credit card, don't include the card numbers on a lease.
  • Don’t store credit card numbers in random places (including in an email), even in your database, if the field isn’t encrypted.
  • Don’t use repeating numbers for gate entry codes (ex: 1111).
  • Don’t browse questionable websites. Some facilities provide tablets for employees to use for browsing.
  • Back up your data to something that is offsite at night. Backing up to a USB drive and leaving it in the computer isn’t a secure backup, and backing up to a hard drive and leaving it in the facility risks it being burned in a fire or stolen during a break-in. The most secure backup is with a third-party service such as Carbonite or Backblaze, which back up your whole computer.
  • Educate employees about not opening questionable emails, clicking on links when they don’t know who an email is from, surfing unknown or questionable sites, or downloading things from unknown origins.
  • Install anti-spam software.
  • Install a firewall.
  • Minimize the amount of personally identifiable information (PII) that is collected from customers to reduce the impact to customers in the event of a data breach (which reduces liability).
  • Use a web-based software to minimize the amount of customer information that is stored locally on a PC.
  • Work towards a paper-free office environment where all paper files are scanned and stored on a secure server.
  • Existing paper files should be kept in locking cabinets.
  • Conduct regular user audits of your systems to ensure that all user access levels are correct and that ex-employees have been removed in a timely manner.
  • Questions you should ask your third-party provider:
      • Are you PCI compliant?
      • Do you encrypt data?
      • Do you use tokenization?
      • Do you offer SSL certification (if the vendor provides your website)?

While some software is sold as Software as a Service (SaaS), some third-party software is installed on your computer. QuikStor Security & Software offers a one-time purchase PC version. “The whole database is password protected, so a criminal would have to hack into the database to capture the tenant information like address, date of birth, etc., but the credit card fields are encrypted,” says April Lee, business development consultant for QuikStor. “The encryption means that a tech agent who can get in and help troubleshoot information on your database wouldn’t be able to see the encrypted information in those fields. We also don’t store credit card information. We use a tokenized system, which means that once the software sends the card number to the credit card processor, the credit card company responds with a token that is specific to that facility and uses that instead.”

While each company will have its own security measures in place, QuikStor has a hybrid of both onsite and cloud-based servers. Even though their physical servers are in an offsite server location, only two people at QuikStor have access to enter where their servers are stored. “Everything is backed up offsite,” says Lee. “We have one server for cloud and one for offsite backup.” Many technology companies duplicate data this way so they are able to retrieve it if it’s compromised or if something crashes. Multiple backups and the ability to fully restore from a backup are critical for business continuity.

Lee says that during her time with QuikStor as a tech, she talked to customers who had their software on their own computers. However, they didn’t have a backup and didn’t always subscribe to a backup service and then lost the data.

“We do have a feature on our software that logs people out during overnight processing,” says Lee. “So if someone breaks in during the night, they won’t be able to walk over to the computer and easily have access to the data. Except with the basic version of our software, you’re able to create individual passwords so every employee has their own log in. We also have audit reports to monitor and prevent employee theft. You can set the software to rent the oldest unit first to keep employees from taking cash from friends and allowing them to rent units off the books. There are also extensive unit controls so your employees can’t see reports and can customize what an employee can and can’t do.”

SECURITY YOU CAN’T SEE

Criminals continue to use ever-changing methods to make a quick buck. A survey of cybercriminals showed that they are looking for easy “typical” IT security that takes less than 24 hours to access. While we hear about the big data breaches of Uber, Yahoo, Marriott and others, most of the attacks are on regular businesses. But even basic security measures, policies and procedures can help protect your business and data from employee theft, a break-in, natural disaster and cybercriminals.

Jennifer Jones is managing editor of Self-Storage News and owner of JKJ Marketing in Austin.