In the spa world, one of your biggest concerns is keeping client data safe. If credit card or personal health information were to fall into the wrong hands, you’d have a real crisis on your hands. Breaches can result in negative publicity, embarrassment, loss of business, and if you’re capturing any kind of health information hefty fines if you’re found to not be HIPAA compliant.

It’s imperative that spa managers and directors take every possible step to keep that from happening. And one of the ‘silent’ threats you have to guard against is internal breaches by spa employees and contractors.

It’s an unpleasant thought, but one you have to face sooner or later: your greatest security risk might be the people you trust the most – your employees.

This might sound unlikely, as most of the data breaches we hear about are outsider attacks. But, the reality is that your staff also present a risk for data breach – due to both malicious and non-malicious intent.

Why do these breaches happen? Here are the top three reasons:

Personal gain: Such as to advance their careers. This is a big issue in spa and salon. When employees leave, they want to take their customers with them. While you can’t stop a client from following their favorite massage therapist, the departing employee should not be taking your whole client list to a new employer.

Also, it’s not unheard of in any industry for an employee to take trade secrets to either a new employer or to start their own business. The most famous recent example of this might be self-driving car engineer Anthony Levandowski. In February 2017, Levandowski’s former employer, Waymo, reportedly filed a lawsuit alleging Levandowski “downloaded 9.7 GB of Waymo’s highly confidential files and trade secrets, including blueprints, design files, and testing documentation” before resigning to set up a new company.

Your IT team or contractors could also be backing up your database in order to target or sell your customers.

Pure malice. In 2017 it was reported that an employee of Beverly Hills plastic surgeon Dr. Zain Kadri had stolen thousands of files from Kadri’s clinic, and surreptitiously taken photographs of (many alleged celebrity) patients before and during surgeries, and uploaded them to Snapchat.

Kadri is said to have believed the motive to be “revenge,”( though we don’t know what for.

According to Entrepreneur, research conducted by Biscom found that a disconcerting number of employees admitted to taking company documents and information when they left a company and that 90% of these indicated that the primary reason for doing so was that their employer did not have a policy or technology in place to stop them. More significant to this point: 20% indicated they would be more likely to take data out of anger and more likely to pass it to a competitor if they were laid off or fired.

Accident: Not every breach is intentional. Carelessness can also lead to a breach. Clicking on a phishing link, sending sensitive emails to the wrong address, using an insecure WiFi network; all can lead to compromised data (though, yes, it takes a third party to have sent that phishing email in the first place.)

According to a 2016 worldwide survey of Information Security Forum (ISF) members, the vast majority of internal network openings “were created innocently through accidental or inadvertent behavior by insiders without any intention of harming their employer.” And in the 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by insiders. “Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors.”

Fight breaches before they happen

How can you protect yourself? Be vigilant. Some say that 90% of data breaches are the result of known vulnerabilities.

And do the following:

  • Hire someone whose top priority is your data security. Use a spa software company that is HIPAA compliant and conducts annual SSAE/ ISAE 3402 audits. Choose a cloud provider with large enterprise accounts, this helps ensure your spa software vendor has gone through strict technical and security due diligence demanded by most large businesses. Book4Time does all this and more, including monitoring user action, so that in the very unlikely event of a breach, you can trace it to its source.
  • Manage your team’s access. Restrict user access by employing the principle of least privilege (PoLP) – a computer security term meaning that user privileges are based on users’ job necessities (more on this at Tripwire). Restrict what staff can do from home or outside, and use two-factor identification.

Book4Time takes your spa data security and compliance seriously. Contact us and learn how we can help your business.