Information Security – Who is Watching the Documents?
No executive in their right mind would voluntarily distribute the sensitive, personal information of their clients to anyone who asked for it, right?
Well, that is exactly what many of us may do, albeit unintentionally.
Private clubs keep a great deal of sensitive information about their members. Often this includes information such as full names, dates of birth, social security numbers, bank account numbers, home addresses, etc. In short, everything a social engineer would need to steal an entire identity (as well as someone’s net worth).
The first question to ask yourself is, “How much information on my members do I really need to have on hand?”
If you offer direct billing to the members’ bank account or credit card, then obviously you need that financial information. Perhaps you also want it initially when you are confirming eligibility for membership.
When information is no longer needed, consider getting rid of it. (And dispose of it in a way that makes it impossible for anyone to retrieve.)
After you determine what information you need to have, you then have a responsibility to safeguard that information. When you dispose of a document with any personal information on it, shred it. The U.S. Government learned this lesson when the U.S. Embassy was overtaken in Iran in 1979. Crosscut shredders are very cheap and can easily be obtained at office supply stores, and they can prevent dumpster divers from scoring an information bonanza.
Consider where you keep your paper files. For paper files that you need to have on hand, keep them in a securely locked room and limit the access to the room. The door to the room should have a deadbolt lock, and the files should be kept in locked containers within that room.
Surprisingly, I once saw member records kept in labeled boxes in the unlocked coatroom near the front door of a club. You can imagine the bonanza a social engineer would realize if he/she found that.
Electronic files present a different challenge.
Again, get rid of anything that you don’t need to have. Often we collect information because we have always done it, not because there is a good reason to have it. If you really don’t need to have it, don’t keep it.
Once you know what you need to have, secure it (sound familiar?). Your club’s internal records should not be on the same server that any open email networks use. In addition, you should have a good hardware firewall and strong virus/malware protection software. Speak to your IT professional for specifics. Access to these files should be limited to only the people who need to have them and should be protected with a strong password/access system.
Speaking of passwords… Walk around your staff’s computer terminals and look under their mouse pads, on the inside of any cabinet doors, under the keyboards, or even in open sight for any passwords. Far too many people are a bit lazy and will keep their passwords written down in a convenient place. Needless to say, this is a very bad practice.
Do you have a comprehensive computer policy that is distributed to all employees? This policy should include descriptions of your password protocols, types of behavior allowed or not allowed, and a description of actions to be taken as a result of violations of the policy. Every employee should read and sign a copy of the policy, and that signed copy should be maintained in their employment file.
It should be made clear to everyone that allowing access (intentional or not) to the club’s computer files is akin to leaving the bank deposit bag sitting on the front steps of the club overnight.
Your member information is arguably one of the assets you can least afford to lose. No one I know would want to deal with the results of a breach of this data. These are just a very few reminders and ideas to try to get you thinking about your information security practices. Now it is up to you.
– KP
Kevin R. Peters, MA
Kevin Peters is a retired federal agent and former club manager who conducts the candidate backgrounding for Kopplin & Kuebler, LLC. He is also owner of K.R. Peters Security, LLC, a security consulting company primarily servicing the private club industry.