Safety first
With most salons and spas in South Africa now operating via management software, a critical aspect is security of systems and data. We asked four leading software providers to answer some pertinent questions in this regard.
If I’m a salon owner looking to invest in a software system, what sort of security aspects should I be looking for?
Chris Parker (ESP)
There are threats from two groups, namely internal and external. Internal being fraudulent staff, and external being criminal third parties (who could also be working in collaboration with internal staff).
Therefore, you should look for good controls to manage access to data for internal staff, such as passwords and user rights to manage access to business information, as well as data logs to monitor activity to react to any potential manipulation of information.
Controls for external threats include: secure traffic over the internet (i.e. certificates); controls to access the environment (i.e. passwords, API keys, 2-factor authentication, firewalls, user rights, whitelisting access to databases, separation of data and servers); and data recovery for any loss of data due to malware (i.e. off-site back-ups).
Shani Leon (My Appointment)
The kind of security aspects a salon owner should be looking for is not a one-size-fits-all answer. The main aspects that need to be covered are ensuring that your company data, as well as your clients’ personal information, is protected. That is an absolute must for any business. Then, depending on the size of the business, different levels of access may be required. For example, a small home-based salon would not need to put additional security measures in place, while a larger salon would need to have different levels of access for different staff members, so that nobody gains access to information that they do not require in order to do their job.
Colette Halberstadt (SpaGuru)
If you are considering a cloud-based solution, there are some non-negotiable requirements that need to be considered. Firstly, the solution should be hosted in a reputable Tier 4 datacenter. Tier 4 refers to the level of security and redundancy offered by the hosting platform. This is an indication of how physically secure your data will be.
Secondly, the software solution itself must use industry standard SSL to encrypt all communication between your browser and the datacenter. This ensures there is little risk of data being intercepted whilst working with the software solution.
Thirdly, the chosen software provider should be aware of all local privacy and security regulations such as POPI, GDPR etc. and comply with the requirements.
Finally, the software should allow you to configure different roles for different users of the software. This ensures that general users cannot view data that only owners should have access to.
Terry Miles (My Salon Software)
There are two areas of security software to look at: firstly, the safety of your data from loss due to viruses, hardware failure or hardware theft, and secondly, securing sensitive/confidential data from unauthorised access.
Where could breaches of security potentially occur?
Chris Parker
For internal threats, common areas include: stealing client information; manipulating sales for theft purposes; manipulating sales for commission purposes; fraudulent activity relating to gift vouchers; fraudulent activity relating to loyalty points; and theft of stock.
External threats include areas like: stealing of client information; manipulating of data for fraud purposes; and ransomware or other loss of data.
Shani Leon
There are a few types of breaches we could consider. It is possible for people within your organisation to gain access to information unlawfully. This can be avoided by having the necessary access levels in place. It is also good practice to change passwords regularly in case a breach has occurred.
Another risk is from people outside of the organisation gaining access to confidential information. The necessary security measures need to be in place in the software in order to prevent this. Again, changing the passwords regularly is always a good idea. Having an online cloud-based system with the appropriate firewalls and security in place can also protect against physical theft of devices. If your computer or smart device is stolen, a software system should be able to remotely change the password and prevent the data from being accessed. An older system that stores all of the information on the physical device can be more difficult to protect in the case of theft.
Colette Halberstadt
Salons and spas store a lot of personal client information, including some that could be classified as medical information. Allowing this data to be accessed publicly, or by unauthorised users is the most common security breach that businesses need to plan for.
Terry Miles
Server-based systems (i.e. that sit on your computer) should be backed up regularly to protect against data loss through viruses or hardware failure. Cloud-based systems provide a lot more data security, as information is saved away from your computer. Your PC, tablet or smartphone is used to access your site, and nothing sits on your device. The software system should protect against unauthorised access by staff for nefarious reasons.
How can salon software be programmed to restrict access to certain data, so that it can only be accessed by the owner/manager of the salon and not by therapists?
Chris Parker
It is important to create a balance between practical use of the system by internal staff and, at the same time, ensuring that the correct controls are in place to pro-actively prevent fraud or retrospectively detect fraudulent activity.
Therefore you need software access controls via user rights and passwords; environment access controls via user rights and passwords; and monitoring via reports and logs.
I must stress that vigilance is important. Think about how you would steal from your own business and start to proactively monitor areas that are risks to your business.
Shani Leon
Within a system you can cater for different levels of access in order to allow staff to perform their jobs, while not giving over unnecessary access. For example, some staff members need to log sales, and some do not. Even those who log sales do not necessarily need access to other financial information. Another key aspect is to protect your client database. Those who do not need access to it for their daily tasks should not be allowed to have free rein over it. The above is all achieved by configuring different levels of access and password protecting certain functionality.
Colette Halberstadt
Your chosen software solution should allow you to configure different roles for different users of the software. This can help ensure that sensitive data is only visible to authorised users.
Terry Miles
Software that already understands the need for security will have the following in place: individual access by staff using their own username and password; access only to functions relevant to their position; the ability to customise security for menus and buttons (functions and commands such as print/delete); and the ability to block changes to historical data, e.g. invoices, stock figures, turnover etc. I believe that the effectiveness of security protocols needs to be continuously reviewed.
What are the USPs of your respective systems?
Chris Parker
ESP has a combination of features controlling who can access systems via:
• Usernames and passwords
• 2-factor authentication via a one-time pin
• Roles and permissions
• Data audit logs
• Secure internet traffic
Shani Leon
In our My Appointment system, one of the key security components is that we store everything in the cloud and not on physical devices. This eliminates the risk of someone stealing your device and gaining access. We can remotely change passwords and prevent access on stolen devices. Furthermore, we also have multiple levels of access for each staff member and password-protected functionality.
Colette Halberstadt
ChiDesk is hosted in the local Tier 4 Microsoft Azure datacenter, which provides a range of physical and software-based services to secure and protect your data. We also make use of industry-standard SSL communication for all interactions with our software. In addition to role-based security functions for your users, we also allow you to configure IP address ranges to limit where users can open our software solution from. This allows clients to limit online access to devices inside their own businesses, and prevent users accessing data from home.
Terry Miles
My Salon Software is able to provide forensic analysis of the system’s usage (i.e. who, what and when) as part of their back-up and support.
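The controls the four vendors describe above (roles that keep therapists away from financial data and the client database, a who/what/when audit log, historical invoices that cannot be edited, and an IP range limiting where the software can be opened from) fit together in one authorisation check. The following is an added illustration, not code from ESP, My Appointment, ChiDesk or My Salon Software; the role names, permissions, users and the salon subnet are constructed for the example.

```python
"""Role-based access control with audit logging and IP allowlisting.
Constructed illustration; the roles, permissions and network are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Permissions each role may exercise. Therapists can log sales but cannot reach
# financial reports or the client database; only the owner may delete a sale.
ROLE_PERMISSIONS = {
    "owner": {"log_sale", "view_financials", "view_clients", "issue_voucher", "delete_sale"},
    "manager": {"log_sale", "view_financials", "view_clients", "issue_voucher"},
    "therapist": {"log_sale", "view_own_appointments"},
}
# Constructed example: only devices on the salon's own network may connect.
ALLOWED_NETWORKS = [ip_network("192.168.10.0/24")]


@dataclass
class AuditLog:
    """Append-only record of who did what, when, and whether it was allowed."""
    entries: list = field(default_factory=list)

    def record(self, user, action, allowed, reason):
        self.entries.append({"when": datetime.now(timezone.utc).isoformat(),
                             "who": user, "what": action,
                             "allowed": allowed, "reason": reason})


def authorize(user: str, role: str, action: str, client_ip: str, audit: AuditLog) -> bool:
    """Allow or deny one action; every decision, denied or not, is logged."""
    if not any(ip_address(client_ip) in net for net in ALLOWED_NETWORKS):
        audit.record(user, action, False, f"ip {client_ip} outside allowed range")
        return False
    if action == "edit_historical_invoice":  # historical data is read-only for everyone
        audit.record(user, action, False, "historical data cannot be changed")
        return False
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    audit.record(user, action, allowed, "role permission" if allowed else "role lacks permission")
    return allowed


def denied_attempts(audit: AuditLog):
    """The report an owner reviews: every denied action, by whom and why."""
    return [(e["who"], e["what"], e["reason"]) for e in audit.entries if not e["allowed"]]


if __name__ == "__main__":
    log = AuditLog()
    authorize("thandi", "therapist", "log_sale", "192.168.10.5", log)
    authorize("thandi", "therapist", "view_financials", "192.168.10.5", log)
    authorize("pam", "manager", "view_clients", "41.0.0.7", log)  # from home: denied
    authorize("pam", "manager", "edit_historical_invoice", "192.168.10.9", log)
    for who, what, why in denied_attempts(log):
        print(f"DENIED {who} -> {what}: {why}")
```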