This year, a Marriott data breach has made headlines again. It’s 2022, and the world is no stranger to poor data protection. Every year, the events industry and event professionals handle data for millions of people. It’s our responsibility to ensure their data is secure and our systems are risk-free.
That’s why today’s episode focuses on how you can increase data security and protection in your business. Will Curran and Brandt Krueger share first-hand what they’ve learned from working with valuable data. Together, they’ve come up with 6 data protection tips that will help you avoid making common data security mistakes.
#1 Don’t Keep Digital Versions of Data
To kick things off, Will and Brandt discuss the Marriott data breach. Before information was stored digitally, people kept physical files and copies of payment information. While this still posed a data protection risk, someone would have to physically steal that information. It’s different today.
Brandt begins by referencing paper files and faxing. “That’s less of a problem. But as soon as stuff went digital, people started asking for credit card authorization forms through email. I just knew in the back of my head that this stuff was going into a digital file folder on someone’s hard drive.”
He recommends pushing back when someone asks you to send important information digitally. “When I get asked for credit card authorization forms, I ask why they need a physical copy. I can call it in, I can give them a number over the phone, they can even write it down on a piece of paper,” explains Brandt. “At least it’s not there sitting out there digitally. So, my first challenge would be to ensure the hotel and hospitality industry don’t hang onto these things.”
Will agrees. “That’s a really great tip. Anytime you have sensitive data, delete it from your computer when you’re done looking at it. If you really need it five minutes later, just download it again.”
#2 Secure File Sharing
If you have to share data, Brandt recommends using secure file-sharing systems. These can help encrypt and protect your information, making your data exchange more secure.
“I get asked for ACH information all the time. Now, not only am I sending you my social security number, my name, and my home address, I’m sending you my bank information. And they’re just like, ‘Send it to us via email,’” says Brandt. “I would send an encrypted PDF. I’d say, ‘Call me for the password.’ That’s like the bare minimum of what I would do.”
Brandt found that people were complaining about his process, so he researched alternatives. “I landed on Encyro. It’s about a hundred bucks a year. I found it to be a straightforward solution where I can keep these email templates of things like my ACH information in the cloud,” he says. “It sends them an encrypted email. The second they open it, I get a notification. The second they download it, I get a notification. It’s really aimed at accountants. But, if it’s good enough for accountants, it’s good enough for me. But, once it’s in their hands, it’s out of my control.”
#3 Look Into Security Integrations
Will brings us the next tip, inspired by Endless’ approach to data protection. “We’ve basically gone completely paperless. We actually charge clients to use checks because it became so hard,” he explains. He found that paper checks created a lot of back and forth with clients. “It also creates paper trails. It creates unnecessary use of gas for the mail to get over. There’s no use in it.”
Instead, he recommends setting up a secure ACH system. “Stripe has an integration with Xero (QuickBooks does too). Whenever we invoice someone, it has a button that says ‘Pay with ACH,’ and it pops up with bank account information. For us, it’s actually a Wells Fargo account. It’s a Wells Fargo account because Stripe creates a custom ACH account that’s used just for intake for you, as a client. All these things are not only more secure, but they’re usually also more convenient. So, I like to look into integrations.”
#4 Keep Files off Your Computer
Similar to tip #1, Will and Brandt recommend keeping files off your computer. This tip takes it one step further than just not storing files locally.
“We do everything in Google Drive at Endless,” says Will. “We have the most secure version of Google Drive that you can have. Our team has learned how to take it from the platform straight to a Google spreadsheet and keep it on Google Drive the entire time.”
He continues: “But you’d be surprised at how many times people do weird things where you have to get that file off the server and put it onto your computer. What most people don’t realize is that the second that the data leaves Google Drive, it’s technically a data breach. You now have zero control over it. Who knows who has access to your computer? Try to keep it on the internet within secure tools like Google Drive or an enterprise version of Dropbox. Those tools are designed to keep it secure.”
Brandt agrees with Will’s advice. “That’s one of the simplest things to remember: If you don’t need it, don’t collect it. If you have to collect it, don’t keep it for longer than you need.”
“We, as an industry, need to do a better job of understanding the power of the data that we have access to,” Brandt concludes.
#5 Use Two-Factor Authentication and Password Managers
Will: “Don’t share login information via email, Slack message, whatever it is; use a password manager. I’ve been a Dashlane person. They have a built-in two-factor authentication generator. I really love it because it auto-fills the two-factor authentication code. So just use a two-factor authentication system and use a password manager.”
This data protection tip is great for employees. “It’s built into our employee onboarding system at Endless, so we can share passwords amongst each other. If you can, make them an account first, so they have their own secure password. If you absolutely have to share the password, do it in a password manager. That way you can secure the password, revoke it, or even make it so they can’t see it.”
Brandt: “Number one is the password manager. That’s always been top of our list. The second one is two-factor authentication, which we’ve talked about in the past. Make sure to listen to the cybersecurity risks episode. An authenticator app that generates a random code is way better than a text code.”
#6 When in Doubt, Verify
Will leaves us with one last data protection tip. “If you see something suspicious and you wanna say no to it, take a moment to verify it’s real,” he says. “For example, let’s say you get an email that says your bank account has fraudulent activity. Call the branch number. Search for your branch on Google, don’t use the number from the email. Call them and then say, ‘Hey, I saw an email from John Smith saying there’s fraudulent activity on my account.’” If that person exists, they’ll happily verify the information and help you.
Brandt agrees with that tip as well. He finds that many suspicious requests follow a similar template. “For example, ‘We just placed your order for X security software. If you didn’t place this order, click here.’ Of course, people think, ‘I didn’t place an order for X.’ And they click the link,” explains Brandt. “Just slow down, call the company or go to the company website, and contact their support directly. It’s almost never an emergency.”
We Want to Hear Your Data Security Stories
Tell us your stories about poor data protection. We’d love to discuss them on this show and see what we can do better! If you don’t have poor data protection stories, we’d still like to hear how you approach security. Reach out to us! We read every single one of your emails!