Rental Management Article on Cybersecurity for October issue of Rental Management
August 31, 2016: Interview with Rob Ross, President, Alert Management Systems
What is your best advice on how rental stores can prevent hackers and attacks on their networks and websites?
Although there are many ‘best practices’ when it comes to cybersecurity, nothing is more important than safe handling of email. For this reason, you should limit email use on company computers to business accounts only. As a further precaution, train your employees to be especially careful regarding attachments, since they are the most common form of delivery of cyber-attacks. Attachments should only be opened if you are expecting them, even if they are sent from ‘known’ email addresses, since a common form of attack comes in the form of an email from someone you already know, who has had their own email account hacked. The most obvious dangerous attachment ends in the suffix “.exe”, which means that it might actually be a program capable of infecting your computer, your network, or even your entire email contact list. So, when in doubt, toss it out. (Delete.) A quick phone call to the sender might also be all it takes to confirm the authenticity of an email prior to opening.
Similarly, infected web sites are a common source of cyberattacks. Require your staff to limit web site visits on all company computers to known business sites that are relevant to the work of your company.
Antivirus protection is also a good idea for every computer. Without it, operators risk losing their data or suffering lengthy down-time until their system can be disinfected, if possible.
A commercial grade Cloud-based backup service is your most important and best precaution. Your backups will be automatic and secure. Even with the best protected network, restoration from backup is your only sure remedy. For example, ‘Ransomware’, or ‘Crypto-virus’, is a very prevalent form of viral software that is used to specifically target businesses all over the world. It locks up (encrypts) your entire system and makes it impossible to use unless you pay a fee to an illegal enterprise, which may or may not result in restoring your system. Just like in a kidnapping, you are subject to the whims of a perpetrator who only cares about one thing: Extracting as much of your money as possible.
A restoration from backup, preferably conducted by your rental software company on an emergency ‘expedited’ basis, is the only sure remedy. If you use a third-party backup service instead, check into their policies and guarantees, commonly known as Service Level Agreements (SLAs). You need to be concerned not just with the reliability of backups, but the timeliness of the guaranteed response in an emergency. With a third-party service, you might also be surprised to find that you are most likely ‘on your own’ when it comes to actually restoring your rental system, since the SLA usually only covers access to your data, not restoring your rental software.
What has your company done to improve security with your rental software?
At Alert, we devote many hours to security-related programming with every new annual software release. We often install new security features on an immediate basis, if needed. For example, we recently informed our customers of a new credit card encryption requirement and installed it for them at no charge, meeting a recently announced credit card industry deadline.
Cybersecurity threats are constantly evolving. Enhanced security is one of the many reasons we encourage our customers to always stay on the latest software revision, which is downloadable from our web site (www.alertms.com) and free with any of our Support Agreements.
The ultimate in cybersecurity protection is provided through our Alert-on-the-Cloud (hosting) service. Working with a highly certified data center (springshosting.com), we maintain your server and all your programs and data inside a virtual fortress, which is monitored 24/7 by a team of IT experts who work together with the Alert Support Department. Your system is automatically updated to the latest Alert revision as well as the latest anti-virus software as soon as it becomes available. In the unlikely event of a devastating cyberattack or hardware failure, your system can even be quickly moved to another server, with virtually no down-time or loss of data. Your system is also protected through EasyVault, our ultra-secure guaranteed emergency restoration and data backup service.
More and more rental store operators are switching away from their own ‘on premises’ servers with all of the inherent security risks, costs and inconvenience. When you are leveraging a multi-million dollar data center as the alternative, you can be truly worry-free. A data center also protects your system against theft, fire, floods, lightning, power loss, Internet provider outages, and virtually all other disasters. Over time, it is also more economical, because it eliminates the need to buy a new server or pay for local IT support for your server. For all of these important reasons, we are encouraging our customers to leverage ‘The Power of the Cloud’ as soon as possible. (The Power of the Cloud is the theme of our upcoming Annual User Conference, November 3-4, in Colorado Springs. For more information, go to www.alert-ims.com.)
How does PCI compliance fit into this topic?
Alert provides its cloud-based PCI compliant credit card payment processing system through VeriFone, the world’s largest credit card processor. Such systems eliminate the need to store credit card numbers on your store’s network, so you are protected from outside hackers or even dishonest employees of your own rental business.
If you store credit card information in your store in any form, however, even if it is on a paper credit application in a file drawer, you are vulnerable to attack. For example, an all-too-common threat is called a ‘social engineering attack’. Social engineering is an attack strategy that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It could be as simple as an alleged customer who calls to double-check a credit card-on-file with your company. Since it seems like a friendly inquiry, your employee may not even recognize it as an attack. Train your employees to resist providing even partial credit card information by phone, such as the expiration date or the name on the card. A nefarious attacker might make a second call, targeting a different employee to get the rest of what they need to compromise the card. The same strategy is used to get employees to divulge passwords, bank account routing numbers and other sensitive data.
Ideally, rental businesses should totally eliminate the collection of credit card information via phone, fax, or email, and never write down or even speak card numbers. To achieve this goal, Alert has introduced a secure Cloud-based app for collecting credit card payments, so your customers can process their own card information on a simple web form, from their own smart phone or PC, without exposing your employees to any sensitive information whatsoever. Not only does this solve the security problem, it also eliminates unnecessary admin work for your staff, since your customer does all the work. There are no extra processing fees, and it is totally integrated into the Alert EasyPro Rental Software. You and your customer get an instant confirmation via e-mail, as soon as the transaction clears.
How can your software help with equipment security in the yard and on the job site?
Alert’s Mobile Inventory Manager is an award-winning mobile app for conducting a physical inventory. So this means you can perform cycle counts to uncover shortages or track down missing items before they are lost forever.
Another Cloud-based app, Sign&Rent, eliminates the security risk of a ‘blind drop’ to a job site where no one is available to sign for equipment receipt. Your authorized contact for the job can sign off on their own smart phone or tablet, wherever they are located. The contract includes photos documenting everything from equipment condition and on-site placement to fuel level or meter reading, so your customer can have total confidence that all the details of the delivery are accurately represented. Any photos or attachments are automatically appended to the rental contract, so no extra admin is required. The customer can even submit a secure credit card payment as part of the contract, right from his or her own cell phone. After signing, an instant email delivers a PDF of the signed contract, including payment confirmation, to the customer’s preferred email address.
When it comes to software, what threats should rental stores be aware of?
(See above, most importantly regarding e-mail attachments, crypto-virus and social engineering.)
One trend is to make web sites or apps available for use on mobile devices. What are the security concerns and what should a rental store be doing to protect itself?
Alert offers many useful Cloud-based apps to enhance the customer experience as well as to empower store employees in the field. In all cases, these apps have the latest security precautions built-in, such as deployment over a Virtual Private Network (VPN), using ‘firewalls’ and encryption to prevent any unauthorized access to your Alert system. Naturally, with mobile devices, you need to apply all the same security steps as you would inside your store: Change passwords frequently, beware of suspicious emails, attachments, or web sites, plus maintain adequate backup for personal devices if any data is stored on them. The most important thing is to work closely with your rental software provider and/or your local IT expert, to maintain the most current level of security available.