Data Security
Especially today, data security is critical, and any company — large or small — must take the necessary steps to secure its data and mitigate risk.
Deron Hess, director of information systems at Master Spas, created a cybersecurity training to help address this issue. His presentation covers what types of hacking there are, how to create secure passwords, the importance of two-factor authentication and more.
He shares that data security is just as important for hot tub retailers as it is for any other business.
“Should a business get hacked, the business can be held liable for any data loss if it did not take appropriate measures to keep the data secure,” Hess says. “The dealer will most likely suffer a loss in business as the details of the leak or hack get out to the public, especially if there is credit card information involved.”
Hess adds that there are a few areas where hot tub retailers are most at risk with data, including keeping personal customer data in unsecured spreadsheets within shared folders, storing unencrypted credit card or financial data and not having frequent backups of the data.
The most common type of breach retailers should be vigilant for is email phishing.
“We have all seen these where you will get an email from what looks like a legitimate company or financial institution,” Hess says.
These emails will usually give you some reason to click on a link with a sense of urgency. Once you click on the link, you will be directed to a website that looks legitimate asking you to log in. After you attempt to log in, the hackers have your username and password. They can then log into the real site with your credentials and change your password, so only they have access.
Retailers should also protect against smishing, which is similar to phishing but done via text messages.
Hess shares there are several steps hot tub retailers can take to mitigate their data security risk. One is to educate users.
“A large percentage of data breaches happen because of human error,” he says. “People click on links without thinking about if the email actually makes sense for them.”
Using two-factor authentication, which combines something you know, a password, with something you have, a smartphone, to respond to any login request, is also helpful.
Additionally, all passwords need to be complex.
“If your systems allow the use of passphrases, they are even better,” Hess says. “Passphrases are typically sentences. These make it more difficult for AI to crack them since they do not have the typical formatting of a password.”
Other steps companies can take are implementing a proper and immediate off-boarding process for former employees and purchasing cybersecurity insurance.
If a company does face a data breach, it should change all passwords immediately, contact a cybersecurity response company to help with the detection and cleaning of the network and secure its systems.
“Remove the internet connection immediately, but do not power off the computers until you have consulted with an IT consultant who has expertise in cybersecurity,” Hess says. “Remove all computers from the network to help prevent the spread of any malicious software.”
Depending on what data was breached, a company may also need to contact all people who were affected, which could be employees and customers.
For Tyler Waters, operations manager at Backyard Leisure, cybersecurity is a priority.
The company has migrated its email servers to Google Suite, which allows for multiple security measures. Employees are prompted to change their password every 90 days, and a pin or code is required on employees’ personal devices if they’re using email on it.
“I personally think that data security should be a foundational pillar in every business, no matter the size or industry,” Waters says. “In the hot tub industry specifically, my observation is that there are not enough retailers focusing on securing their internal processes and customer information.”
Another unique tactic of Backyard Leisure’s is to place canary tokens on certain devices and systems throughout the organization. These are embedded files buried deep within the system to avoid accidental openings that contain data hackers seek out. If opened, an internal alert is sent to Backyard Leisure with data about the hacker.
As retailers, we collect all sorts of data on our customers and even our vendors. It’s our responsibility to make sure we have the correct safeguards in place to protect those relationships from any data breach.”
Tyler Waters, Backyard Leisure
“As retailers, we collect all sorts of data on our customers and even our vendors,” Waters says. “It’s our responsibility to make sure we have the correct safeguards in place to protect those relationships from any data breach.”
For additional information, Hess recommends KnowBe4, a software company specializing in security awareness training, as a helpful resource.