“Can you imagine?” I love learning new things. I’m that guy: the one who sees a news story on facial recognition and thinks, “One day, monthly plan subscribers will be able to drive up and enter a wash with nothing but their face.” On the flipside, I sometimes see some problems in the news and immediately think about how to prevent it from happening to me. However, I recently read a story that made me cringe. Instead of developing an action plan with interest, I found myself determined to never have to learn what to do. The story detailed how an intruder placed malware into the point-of-sale system at a car wash site, and by doing so gained unauthorized access to the wash’s customer information. It went on to describe how that business offered affected customers a free subscription to an identity monitoring service. I hope to never learn what I would have to do if there was a breach of data from my business. I hope to never have to brush up on the laws regarding notification, or how to report the incident to the authorities. I hope to never learn the name of an identity monitoring service. Knowing that in order to hope for the best, I had better prepare for the worst, I started making some phone calls. I organized the advice I received below.
RULE #1: GET SERIOUS ABOUT SECURITY
The first call was insightful yet humbling. My colleague asked several questions regarding how I handled passwords. After admitting a rather haphazard combination that ranged from notes stored on my phone, computer, and in writing — further compromised by the fact that I occasionally used the same password across accounts, and could not recall the last time several were changed — it became obvious I wasn’t prepared. Although securing access and passwords is only a tiny component of getting serious about security, it’s a fundamental first hurdle to establish. He gave me the following list of tasks to complete before he’d invest time with further advice.
Manage Unique Credentials for All Online Services
Regarding online services I was in pretty good shape. I already had unique passwords for the most sensitive accounts and only needed three refinements to be in compliance. First, I had to establish a procedure to update all passwords at a specified frequency — something I now do quarterly with the help of a calendar reminder. Second, I created a new and distinct e-mail that I use only to access sensitive accounts including banking, POS system, and tunnel controller. For that I opened a new free e-mail account, assigned it to sensitive accounts, and set it to forward all e-mails to my main account. The third component proved most difficult: how to keep track of all the passwords without driving myself insane. I won’t tell you the method I selected, which wouldn’t be secure, but here are the ones I considered. First, you can write them down on paper. It may sound strange, but from what I learned, provided you treat that document like you would any confidential document, it isn’t so crazy, but it does require you to memorize the ones you use frequently. Next method is to use some form of computer password manager. Most of the major browsers have this built in. Alternatively, use password management software. If you go this route, you’re placing trust onto the developer of that application. Like I said, not perfect, so take some time researching the various programs and companies to choose the method or service right for you.
Manage Unique Credentials for all Hardware Access
I had a lot more work here. Routers, pay stations, tunnel controllers, terminals — basically, anything that connects to your network (wired and wireless) must have secure access. For this, I had to hire an IT pro. I won’t pretend to understand everything they did. However, highlights included creating separate networks for guest access and the main network with different network names. They set up user groups on PCs and the POS to control authority for installing software and limited user access. In all honesty, the process was the same as when the network was first set up. What changed is that I took an active role in understanding what was happening, and paid attention to how credentials were managed.
RULE #2: AUDIT YOUR SYSTEMS
Although I’m a big fan of the expression, “don’t fix what isn’t broken,” it doesn’t apply to securing your business. Just because everything seems fine doesn’t mean there’s nothing to do. Keep a constant dialogue with the supplier of your car wash control systems. Pay attention to any update notifications. I recall a few years back getting a notification that recommended I replace my routers with a newer, more secure model. I had delayed making the switch because the current router worked just fine. Today, I’d upgrade the second I learned about it and ask, “What else can I do?”
The answer I got once all hardware was up to date and network security best practices were implemented was to conduct an audit of what data is being stored and why. Most businesses follow five common sense steps to conduct a data audit. First, find out what data you have. Take for example that you use an online e-mail service to send promotions to your customer base. Before that, did you send it from a PC? That brings us to the second step: find out where the data is. If you used to send e-mail from a PC, chances are you have a spreadsheet floating around somewhere with data that’s not secured. That kicks off the third step: interview key players. Question all of the stakeholders on your team that use any kind of data in their daily activities. Then, prioritize and organize, which is step four.
The person who helped me with this section explained that it’s not just about finding and removing outdated and redundant data, then introduced the fifth and final step: track how data are being used. For example, if you send out coupons each month for a free birthday wash to all customers born that month, you only need to store the month, not the entire birth date. Conversely, if you’re using date of birth to understand the age of customers to influence your marketing, then you’d want to limit access to the file. Basically, if you’re not using it, don’t store it, and if you are, secure it.
RULE #3: STAY ABOVE COMPLIANCE
I learn best from anecdotes, so here’s one that helps make my point: Having owned several gas stations in my career, the threat of thieves installing credit card skimmers on my gas pump is something I faced. Compliance in some places simply means installing tamper-resistant tape — but is this enough? Maybe you can install a new reader, locks, or even replace your dispensers (a huge investment). I don’t currently own a gas station so I won’t speculate, but I will say that at this stage in my career, I’d assign a dollar value to the peace of mind of never having to assume liability in the event of a breach of customer data — and today I suspect it’d be a fairly high value.
Good luck and good washing.
Anthony Analetto has over 35 years’ experience in the car wash business and is a partner at SONNY’S The Car Wash Factory. Before coming to SONNY’S, Anthony was the director of operations for a 74-location national car wash chain. Anthony can be reached at (800) 327-8723 x 104 or at AAnaletto@SonnysDirect.com.