By Kay Miller Temple
Tick-tock-look-at-the-clock. Are you kept awake at night thinking how the next sensitive-data breach might affect your self-storage business? Target, Neiman Marcus, Heartbleed, Internet Explorer—who's next? Fortunately, the industry's management-software companies offer many features that will help you protect tenants' information and your business.
Self-storage software companies are keen on meeting Payment Card Industry Data Security Standards (PCI DSS). These requirements, included in any discussion of credit card data security, are created by the PCI Security Standards Council, which introduces new goals every three years. That three-year cycle allows time to accommodate updates and deploy new security approaches.
Passwords are one of the most vulnerable points of software, mainly due to the unbelievable number of global users that still use the word "password" as their password. Passwords are key to limiting access to data, but only if they're strong, not shared and changed frequently. Essentially, passwords are a way to augment data security.
"Configuring software to cause current passwords to expire and new passwords to be assigned after a specified number of days can also be complemented by lockouts after a specific number of failed attempts," says David Essman, director of marketing for Sentinel Systems Corp., a provider of self-storage software and security products.
Encryption and Tokenization
Partnered with PCI DSS in conversations about personal data security are "encryption" and "tokenization." Both offer ways to provide data protection. Complicated mathematics aside, encryption is the process of translating data into a code, making it more difficult for unauthorized users to read. Tokenization takes sensitive data and replaces it with a surrogate value. In addition, information goes back to company software to be stored and used for subsequent payments.
"This means if someone were to access your data, they would only have useless reference numbers that can't be used anywhere else," says Steve Weinstein, business development consultant and security specialist for QuikStor Security & Software, a provider of security and software products. "This puts the responsibility of PCI compliance and credit card data security in the hands of the experts: the credit card companies themselves."
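The tokenization flow described above, as an added example that is not code from any vendor quoted in this article. The `TokenVault` class, the merchant IDs and the unit number are hypothetical, and the card number is a constructed test value.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Checksum used by card numbers; rejects typos before anything is stored."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical processor-side vault: the only place the card number lives."""
    def __init__(self):
        self._cards = {}  # (merchant_id, token) -> card number

    def tokenize(self, merchant_id: str, pan: str) -> dict:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        # Random surrogate: carries no information about the card number.
        token = "tok_" + secrets.token_hex(12)
        self._cards[(merchant_id, token)] = pan
        return {"token": token, "last4": pan[-4:]}

    def charge(self, merchant_id: str, token: str, cents: int) -> str:
        # A token is only honoured for the merchant it was issued to.
        pan = self._cards.get((merchant_id, token))
        if pan is None:
            return "declined"
        return f"approved {cents} cents, card ending {pan[-4:]}"

def run_demo() -> dict:
    vault = TokenVault()
    pan = "4111111111111111"  # constructed: industry test number
    # What the facility's management software stores for the tenant.
    tenant = {"unit": "B-104", **vault.tokenize("facility-17", pan)}
    return {
        "tenant_record": tenant,
        "pan_in_record": pan in repr(tenant),
        "monthly_rent": vault.charge("facility-17", tenant["token"], 8900),
        "stolen_token_elsewhere": vault.charge("other-shop", tenant["token"], 8900),
        "same_card_new_token": vault.tokenize("facility-17", pan)["token"] != tenant["token"],
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The facility's record holds only the token and the last four digits, so a copy of that database is enough for recurring billing at that facility and nothing else.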
Layer Upon Layer
As hackers try to whack their way to sensitive data treasures, software companies add layers of cyber hurdles. Multiple firewalls offer protection. Sometimes hackers get in only to find the treasure chest is empty and a facility's software doesn't even store the data.
Another security layer can be data encryption specifically at the database level, says Mark Smith, senior vice president of product strategy for software provider Centershift Inc. "This ensures that even if the data were to fall into the wrong hands, it would be virtually impossible to decrypt the data and derive any value from it."
Testing security layers may also be a good idea to beat hackers at their own game. Markus Hecker, chief operating officer for SMD Software Inc., the manufacturer of SiteLink management software, says "one approach is hiring outside corporations to conduct penetration testing."
In addition to security layers, software can thwart hackers by avoiding certain encryption systems like OpenSSL, the library affected by the recent Heartbleed vulnerability. Additional software components can be implemented at the facility level. Unique elements, such as fingerprint scanners, can also beef up site security.
"Programs that provide permission management can allow upper management and owners to decide how much of the program will be exposed for an individual or group," says Kevin Kerr, marketing and sales director for Empower Software Technologies Inc., a provider of management software.
Other programs can be considered secure by default using built-in security that can't be turned off. Security features are present for a reason: to provide the highest level of security, not to be downgraded, says Katelyn Wyss, a public-relations specialist for StorageAhead, which recently launched StorEdge, a cloud-based management software program.
"If there are security features a program offers, why would you ever turn them off?" Wyss says. "Because you don't like entering your password eight times a day? You get one data breach and you're the next Target. Your business is done."
Your Data: Gone, but Not Forgotten
No doubt credit card payments made at the counter or over the Internet increase business liability. Again, one of many ways to lessen the risk is to get rid of credit card information by removing all sensitive data from office computers. Storing cardholder information on computers also creates the need to meet the PCI DSS requirements.
"Remove all cardholder data from your computer," advises Ramona Taylor, president of management software company Space Control Systems Inc. "It's based on a simple idea: If it's not there, it can't be stolen."
While modern security practices involve data transfer to off-site experts, the data still belongs to the facility. Reviewing data, such as demographics, payment patterns and occupancy information, is vital to business health and growth.
Self-storage owners should remember that though software companies can manage data storage, the data belongs to the business that generates it, says Patrick Lane, marketing director for Syrasoft Self Storage Software. "Data should never be held hostage or be used for leverage."
A worry-free cyber existence is impossible, and criminals aren't going away. But modern software products combined with user sensibilities can minimize chances of crime involving sensitive data.
Kay Miller Temple is a physician and recent graduate from the master's program at Arizona State University's Walter Cronkite School of Journalism and Mass Communication.