Have you ever been hacked online? If you have, you’re not alone. One in three Americans has been a victim of online hacking, and over half of all cyber attacks are targeted at small businesses. When an attack results in a data breach, it gets expensive fast: you’ll need to notify affected customers, pay compliance fines, and undergo a forensic security investigation before you’ll be able to accept credit cards again. It all adds up: the average cost of a data breach for a small business is $116,000. In fact, over half of affected small businesses close after a breach because of the out-of-pocket expense and the loss of customers who no longer trust the business.

Data can be breached in many different ways. Some are cybercrimes carried out from outside the business:

  • Phishing: emails, phone calls, or text messages that lure users into handing over passwords, card numbers, or other sensitive data.

  • Password attacks: guessing or cracking users’ passwords with brute-force or dictionary tools, or trying passwords leaked from other breaches (credential stuffing).

  • Denial of service (DoS) attacks: flooding a website or network with so much traffic or so many requests that legitimate users can’t reach it.

  • Ransomware: malicious software that encrypts the data on a computer or device and blocks access until the victim pays.

  • Malware: malicious software in general (a “computer virus” is one kind) that damages a user’s system or steals information from it.

Data can also be breached through in-house accidents or malicious acts, such as office break-ins, a disgruntled employee sharing data they shouldn’t, sending sensitive information such as unencrypted passwords or credit card numbers by email or text, or a complete system failure in which data that was never backed up is lost for good.


If these stats are frightening to you, it may be time to audit your storage business’s technology, point of sale (POS) system, and security technology. As a self storage owner, you’re constantly handling customers’ sensitive data and cardholder information, so you’ll want to ensure your technology tools and security measures are ahead of the curve when it comes to hacking and phishing trends. But don’t panic! With a little research on your technology providers and good in-house security practices, you can un-complicate the process and safeguard your customers’ data from cybercrime.

Learn everything you need to know to protect your customers’ data from bad actors online in this blog post, or jump ahead to any of the below topics to get going fast. Let’s dig in!

Important data privacy laws that affect storage operators

There is no single comprehensive federal privacy law in the United States; instead, privacy is regulated sector by sector and by category of information. With the recent Facebook data scandal, online privacy is a growing legal concern, and a comprehensive federal law protecting personal information may be in the foreseeable future. As of 2018, businesses need to meet the requirements that apply to the data they actually handle: the Federal Trade Commission (FTC) polices unfair or deceptive security practices under the FTC Act and enforces COPPA (children’s data), while laws such as HIPAA (health data) and FERPA (student records) are enforced by other agencies and apply only to businesses that handle those categories of information.

In self storage, you’ll need to cover computer security basics (such as strong passwords and a properly configured router) and serve your website over HTTPS with a valid TLS certificate (usually still called an SSL certificate) if you’re taking credit card payments online. But most importantly, you’ll need to ensure your technology providers meet higher standards of information security, such as SOC and PCI compliance, because the software that stores and processes your tenants’ data is where most of the risk sits.

SOC compliance

Service Organization Control (SOC) auditing is a rigorous procedure in which an independent CPA firm examines a service provider (such as a software company) to verify that its internal controls are designed and operating as the company describes them. There are different SOC reports: a SOC 1 report covers controls that affect your financial reporting (the payment and ledger data your software produces), a SOC 2 report covers controls measured against the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy, and a SOC 3 report is a short public summary of a SOC 2. Each comes in two types: a Type I report checks that controls are suitably designed at a point in time, while a Type II report checks that the controls actually operated effectively over a review period (typically six to twelve months), with auditors sampling evidence from the company’s records and systems. The audits are performed under the AICPA’s Statement on Standards for Attestation Engagements, currently SSAE 18, which replaced SSAE 16 in 2017.

storEDGE is SSAE 18 SOC 1 Type II compliant and receives SOC audits every year to maintain rigorous security standards.

Essentially, a SOC report holds your technology provider accountable for the security claims they make on their website, backing them with an independent auditor’s opinion rather than the vendor’s own word. If you’re running a publicly-traded self storage business, your own auditors will typically require SOC 1 reports from key vendors whose systems feed your financial statements, because Sarbanes-Oxley makes you vouch for those controls.

To evaluate your current technology, ask your technology provider for their most recent SOC report and check three things: which report it is (a SOC 1 speaks to financial reporting controls, a SOC 2 to security), whether it is Type II (controls tested over a period, not just described), and the dates of the review period, since a report more than a year old tells you little about today’s controls. Providers should be audited every year to stay current under SSAE 18, and you should read the auditor’s opinion and any listed exceptions rather than just the cover page.

PCI compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of strict security requirements, maintained by the card brands’ PCI Security Standards Council, for every merchant and service provider that accepts, stores, processes, or transmits customers’ card data, whether at the counter or online. Unlike SOC reporting, PCI compliance is concerned only with credit card security. Any merchant or service provider that accepts credit cards must meet these requirements in order to protect businesses and customers from card data breaches. The requirements include masking card numbers on screen and encrypting (or, better, tokenizing) them in storage, login and password requirements, a payment portal served only over HTTPS with a current TLS (SSL) certificate, and password protection for emailed reports that contain cardholder data. (Read this blog post to learn more about PCI compliance and take additional steps to evaluate your software’s security features.)

storEDGE has been a PCI certified service provider since 2014.

PCI compliance is a contractual requirement of the card brands, not a law, and it is not a shield from liability: a compliant business that is breached can still face card brand fines, the cost of a forensic investigation, customer notification, and lawsuits. What compliance does is make a breach far less likely and let you keep accepting cards; whether to also carry a data breach (cyber liability) insurance policy is a separate business decision. In the below clip, you can listen to financial expert Dave Ramsey’s advice to Trina, a self storage facility owner in Milwaukee, Wisconsin, who calls in to ask about the necessity of a data breach insurance policy in self storage:

Because of the high-cost of data breaches (upwards of $100,000, remember?), it’s absolutely worth it in the long run to invest in high-quality self storage technology that meets top security standards and protects both customers’ data from hackers and your business from damaging losses.

Common misconceptions about data privacy and security

Protecting private data is more important than most people realize, and employees can take data security for granted by writing passwords in an office notebook where anyone could find them, or by not reporting a phishing email intended to steal sensitive information. In the wrong hands, your business data could do serious damage. Check out the myths below to continue your security audit and find out where your security is weakest.

Myth: Employees understand what information they can or can’t share.

With all the information that storage managers gather (from military status and driver’s license information to personal addresses and billing information), it’s just not that simple. Most employees would never intentionally leak sensitive information, but without the proper training, they may not understand why sending tenant information through their personal email is risky or why having a strong software password is so important to protecting the business. Best practices for data security include training employees on how to handle sensitive cardholder data and tenant information, as well as computer use policies that detail password, email, and sharing standards.

Myth: I have security software downloaded on my computer, so I don’t need to worry about any of this.

Protecting customers’ data is far more complex than installing antivirus or a firewall. Security software on the office PC helps protect the data stored on that PC, but it does nothing for you if your website, POS system, or cloud-based software is insecure, because that data never lives on the PC. Most attacks also arrive by email (phishing) or happen inside a legitimate web session, which is traffic a firewall lets through by design. Your business has multiple points of exposure online, so you’ll need to widen your scope beyond desktop security software to meet industry standards.

Myth: A hacker would be more likely to go after a big retail business than a small self storage business.

Data security affects all businesses, no matter the size, scope, or location, but small businesses are sitting ducks. Why? Hackers know that small businesses are less likely to invest in high-security technology tools than large corporations, so they specifically target small businesses with fewer than 250 employees as ideal victims. If you’re a small business, it’s even more important to commit to following best practices for security to shield against unauthorized access and cybertheft.

Myth: I would know right away if a data breach happened at my storage business.

On average, it takes a business 206 days to detect a data breach, and the longer it takes to detect a breach, the more expensive it will be. Attackers work quietly, and just as with your own bank account, you’ll likely not know your information has been stolen until money goes missing. In the meantime, hackers can sell credit card numbers, social security numbers, and other sensitive information on the dark web and wreak havoc on your tenants’ finances.

Common sense steps to take to protect customer data

With all the sensitive information you gather for storage unit rentals, you’ll need to be extra careful to protect tenants from cyber crime. In addition to making sure your technology systems are meeting or exceeding regulatory compliance standards, ensure that you’re safeguarding personal information in-house by nailing the basics.

Don’t collect more than you need.

If you aren’t using military status information anywhere in the tenant life cycle, why are you still collecting it? Evaluate your current information-gathering processes to see if there are any places you can trim the fat. Never write down credit card numbers anywhere except in your secure, PCI-compliant systems (no sticky notes during phone calls!), and only collect social security numbers when the law requires it, such as for reporting employee taxes. Never use social security numbers as employee or customer identification numbers. Don’t print copies of business information or tenant records if you can instead keep them in a secure cloud-based system, and shred any printed information before it’s discarded.

Ensure that your facility management software is PCI compliant.

Credit card theft is a huge vulnerability for your storage business. If you accept credit cards at your storage business, you’ll need to ensure you’re PCI compliant. Scroll up to read up on SOC and PCI compliance, or check out this in-depth article on PCI compliance in self storage to ensure your property management software is secure enough to handle sensitive credit card information.

Train employees on data security best practices.

Your facility managers handle a lot of sensitive information, from business metrics and financial reports to tenants’ credit card data and personal information. Your best bet at protecting sensitive business data is hiring the right people and training them properly on a regular schedule. A “one time” security training doesn’t work for today’s technology - you’ll need to update your security training year after year as you implement new technology and new vulnerabilities arise. Check out this article by the FTC for great tips on training employees how to handle data securely and protect sensitive information online.

Know where your cloud-based services and website are hosted.

If you have a self storage website, you’ll want to ensure your software and data are hosted on a high-security platform. Providers like Amazon Web Services (AWS) run data centers with strict physical security controls and publish their own SOC and PCI reports to prove it. But hosting on AWS does not make an application secure by itself: under AWS’s shared responsibility model, Amazon secures the buildings, hardware, and underlying services, while your technology vendor is still responsible for how the application is configured, who can log in, how data is encrypted, and whether it is backed up. So ask not only where your website is hosted, but how your vendor uses that hosting: how often data is backed up, where the backups are kept, and how quickly the site can be restored after a failure.

Lock things down to protect your data inside and out.

From encryption in-software to locking your office and facility with high-tech access control tools, the best way to protect your business’s sensitive information is to lock it down. By combining physical security (like a locked office door) with electronic security (like password protected computers), employee training (like what information can or cannot be shared via email), and secure practices of technology providers (like SOC and PCI compliance), you’ll have a four-sided security plan that’s fortified to protect tenants’ data and sensitive business information.

Questions to ask your vendors

Ensuring the security of your data across technology platforms like software, access control, websites, and more is vital to protecting your sensitive business information and your renters’ private data. You don’t need to be an information security expert to spot a high-security tech provider from a poor one, you just need to know what questions to ask and what red flags to look for.

Ask these questions:

  • Are you compliant with the most recent SOC and PCI standards? What level are your certifications?

  • How is data encrypted in my software? What are your latest in-software security improvements?

  • Where is my website hosted? How reliable and secure are the servers my website is hosted on?

  • Does my website have a current SSL certificate? Where can I find this information?

  • What in-house practices do you have for protecting my business’s data?

Watch for these red flags:

  • Tenants’ full card numbers or bank account details can be viewed in cleartext or sent by email or text, or tenant payment portal passwords are stored in a form the vendor can read back (passwords should be stored only as salted hashes, and card data should be tokenized or encrypted with no way to export it unmasked).

  • Card numbers are shown in full on screen instead of being masked as they’re typed in or displayed

  • Password requirements are weak for software users or tenants creating payment accounts (short minimum length, no lockout after repeated failed logins, no multi-factor option)

  • Emailed reports are not password protected
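The masking rule under PCI compliance, the “no card numbers outside the PCI-compliant system” rule above, and the red flags about unmasked card data can be checked mechanically. The following is an added Python example, not storEDGE code and not part of the original post, that scans free text such as a manager’s notes or an outgoing email for payment card numbers, uses the Luhn checksum that card issuers use to weed out phone numbers and tenant IDs that merely look like card numbers, and masks what it finds down to the last four digits. The sample note, the regular expression, and the function names are constructed for this example.

```python
"""Find, validate and mask payment card numbers (PANs) in free text.

Added example (not storEDGE code). Sample text and names are constructed.
"""
import re

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces
# or dashes, and not glued to other digits on either side. Constructed
# pattern; production scanners also check issuer prefixes (4 = Visa, etc.).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if a digit string passes the Luhn checksum used by card issuers.

    The checksum catches most typos and, for our purposes, rejects digit runs
    (phone numbers, gate codes, tenant IDs) that are not real card numbers.
    """
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:      # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(digits):
    """Mask a PAN for display, keeping only the last four digits.

    PCI DSS permits showing at most the first six and last four digits;
    last four only is the safer default for notes, reports and emails.
    """
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text):
    """Return the Luhn-valid PANs in text as plain digit strings."""
    found = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text):
    """Replace every Luhn-valid PAN in text with its masked form.

    Digit runs that fail the Luhn check are left untouched so that tenant
    IDs and phone numbers in the same note survive redaction.
    """
    def _replace(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return PAN_PATTERN.sub(_replace, text)


# Constructed sample: the kind of note a manager might type after a phone
# call. 4111 1111 1111 1111 is a well-known Visa test number; the 16-digit
# tenant ID fails the Luhn check and is not a card number.
SAMPLE_NOTE = (
    "Jane Doe, unit 114, paid by phone with card 4111 1111 1111 1111 "
    "exp 08/26, callback 414-555-0100, gate code 1234, "
    "tenant id 4111111111111112."
)

if __name__ == "__main__":
    print("card numbers found:", find_pans(SAMPLE_NOTE))
    print("redacted note:", redact_pans(SAMPLE_NOTE))
```

Run against the sample note, the scanner reports exactly one card number and the redacted note reads “…card ************1111 exp 08/26…” while the callback number, gate code and tenant ID are left intact. The same two functions can be dropped in front of an email-sending routine or a notes field to refuse or clean input that contains a card number, which is the practical way to enforce the “only in the PCI-compliant system” rule rather than relying on staff to remember it.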

It’s a great practice to audit your storage business’s technology, point of sale, and security systems once a year, and don’t forget to consistently provide security training to employees whenever technology is updated or new security standards emerge. By understanding where sensitive information is stored in your cloud-based technology and on your computers, keeping only the data you need for your business, and protecting your information using the latest security measures, you’ll be prepared to protect your business from damaging security threats and cyber attacks.

Thanks for reading! If you liked this blog post, you may also like: Software and security: What PCI compliance means for your self storage business's data, What the heck is SSL & why does my self storage website need it?, and 5 benefits of call recording software.