What Happens In The Gym Stays In The Gym Part 2: Technical Tips For Coaches and Gym Owners
Yael Grauer

Last month, we talked about the best ways to ensure privacy for people at your gym (pro tip: don’t post pictures of people in the dressing room on Snapchat). We delved into the importance of keeping people’s injuries/illnesses/health history on the down low, why you should think twice before broadcasting details about people’s performance, the reasons to ask permission before taking or posting photos and videos, and why it’s a good idea to exercise caution before sharing things like mailing addresses, even for seemingly innocuous reasons. We reminded coaches that discretion is appreciated by athletes, who will notice when you’re discussing their injuries or illnesses or whatnot in a room that people are walking in and out of.
 
But for better or worse, we live in the 21st century, which means that even if you have all of the discretion and good intentions in the world, you could still be vulnerable to having your data compromised. (Just ask Movati Athletics, which had to ask many of its clients to reset their passwords after 13,000 email addresses and passwords in their system were compromised.) Unless you are part of a gym’s medical staff, or your gym bills an insurance company as part of some kind of partnership wellness program, you may not be bound by the Health Insurance Portability and Accountability Act (HIPAA). That said, being professional and holding yourself to high standards can help build the trust of your clients as well as prevent larger problems down the road.
 
When I’m not writing about health and fitness, I write about cybersecurity, trying to convince people to do a bunch of inconvenient things that’ll help keep them safer. So let’s take a look at the technical side of things to give you some idea of new tools or strategies you might want to pick up to keep your gym secure and your client information private.
 
Threat Modeling
 
Before downloading a bunch of new tools or paying for services, it’s important to figure out your strategy, and the first step is threat modeling. Basically, that means that you need to spend some time determining what information you want to protect, who you want to protect it from, how likely you’ll need to protect it, and how bad the consequences could be if you fail to protect it. That’ll help you determine how much effort (time and money) you’re willing to invest towards protecting that information, which will help you decide what countermeasures you want to take to prevent or mitigate the threats you’ve identified. This can be anything from switching to paper intake forms in a locked cabinet (free!) to adopting effective (but sometimes inconvenient) security practices company-wide, to hiring a security firm to run penetration tests to identify weaknesses in your system (which could well be overkill—not to mention prohibitively expensive—if you’re just coaching three people in your garage).
 
While you’re threat modeling, here’s an important reminder: your greatest asset isn’t your intellectual property, but your people. The best way to get a handle on what’s going on in your gym is by building good relationships with your clients. We’ve probably all been to gyms with group classes where the coaches are pretty much off-limits to students (they’ll go to their office and close the door after class, for example). Often the best advice for new members is to show up early, go to class every day, do their best to blend in, and try not to talk. There’s something to be said for the “shut up and train” mentality, and beyond that, setting boundaries with clients may be important to you for your own personal sanity. That said, being too inaccessible can also shield you from information you need to know, so make sure to find an appropriate balance. If one of your coaches is behaving unprofessionally, or one of your athletes is dealing with some kind of personal safety issue that could spill over into the gym, for example, it’s best if you’re not the last person to know about it.
 
Secure Your Payment Information
 
Specifics are difficult because each payment system is unique, but payments industry writer Sarah Blanchard provided four tips to this end: prevent equipment tampering, refrain from storing too much information, ensure stored data is secured, and protect online payment portals.
 
Use HTTPS On Your Website
 
Greg called me a dork when I mentioned this to him one day, but you’ll notice that the Performance Menu and Catalyst Athletics sites both use SSL. You can tell by the lock icon next to the URL in your browser, and because the URLs for both sites start with HTTPS rather than HTTP.
 
Using SSL gives you a basic integrity guarantee that third parties can’t alter the content of your site while it travels to the reader. (Believe it or not, it’s trivial for an attacker sitting on the same network to tamper with or replace pages served over plain HTTP.) It guarantees that anything transferred between your server and a reader’s browser hasn’t been altered, so your readers will read exactly what you wrote. And it’s encrypted, so anybody spying on the network can see that someone visited your site, but not which specific page(s) they were reading. HTTPS also makes it a lot more difficult for someone to use your website as an attack vector targeting your readers.
 
SSL has gotten a lot easier with tools like Let’s Encrypt, with hosting providers that handle it for you (like Dreamhost), or with a VPS (virtual private server) on a platform such as Amazon Web Services, but there’s still a bit of work. You have to get a certificate, install it, and renew it before it expires. You may also need to fix “mixed content”: old images, videos, or fonts that are still loaded over plain HTTP, which browsers will block or flag as insecure. Hopefully you have a web person who can do all of this for you.
 
Secure Your Online Intake Forms
 

As a coach or a trainer, you’re probably sending your clients intake forms to fill out with their goals, weight, family health history, every injury they’ve had, etc. Most people will either print this out and fill it out or email it back to you, something a doctor would never ask for. It’s best if you have a more secure way they can fill it out and submit it online. For example, WordPress has some plugins (GravityForms and Fast Secure Contact Forms) that can be used for intake forms, which may be worth looking into. Alternatively, if all of your coaching is in person rather than online, you can always have clients print the form out and bring it in with them (or at least offer that as an option). Using something like Box.com, Dropbox, or even creating shared Google documents are some other options worth looking into.
 
Use Strong, Unique Passwords

Whether you’re using email to communicate with your clients or some kind of tool or app, please pay attention to your passwords. (Make sure it’s not one of these.) Even if you think you have a good password, it’s probably not as creative as you think it is. There are automated attacks that can guess passwords at more guesses per second than you can imagine. Just as important as having good passwords is having unique passwords. Reusing passwords on multiple accounts leaves all of your accounts vulnerable if just one gets hacked and the passwords get dumped online (which happens all the time). Even if you memorize three or four passwords, the chance of forgetting which one to use on a particular web login form is high. And if you’re on a compromised website, and testing one password after the other until one works, you could potentially give away all of your passwords for all of your accounts.

If you take my advice and create a unique password for each account, the next time you get an email telling you that a site you use has been compromised, you will only have to change the password for that one site.

Having good, complex, and unique passwords means you won’t be able to remember them yourself, so get a password manager (like 1Password or LastPass) and let it do the rote memorization for you. There are options for shared passwords across a team as well. (They don’t involve writing passwords on sticky notes on computer screens.)

If you use different passwords for each account, there’s not much of a benefit in changing your passwords on a regular basis. However, just like some companies change the locks when an employee leaves the company, you’ll want to change any passwords they had access to when they leave as well.
 
Use Two-Factor Authentication
 
Two-factor authentication is a way to keep you safe from someone who has guessed or stolen your password, or who is nefariously trying to reset it. It adds an extra layer of security by asking for a second factor, in addition to your username and password, to prove your identity. This might be a numeric code sent to you via text message, a code generated on a phone app like Google Authenticator, or a YubiKey, a small hardware device that serves as the second factor on sites and accounts that support it. If someone tries to reset your password and you have 2FA enabled, it’ll be much harder for them to gain access to your account. For a huge list of sites that support 2FA, check out https://twofactorauth.org/. However, be aware that using 2FA for shared services gets a little tricky: some services simply send a text message with a code that needs to be entered, and the person whose number is assigned to that service may not be in the gym, so that’s something to pay attention to! Most services let you print out a set of one-time backup codes for this circumstance, or for when you’re on a plane and can’t use your phone but want to check your email, or your phone gets lost or needs to be charged.
 
Password Protect Your Microsoft Office Files
 
You can easily password protect your Excel spreadsheets and Word documents. Go to the Word menu, click Preferences, select “Personal Settings,” and click on “Security.” You’ll get to choose between setting a password to open a document, or setting a password to modify it (if you want people to be able to open it but not make changes). This is a great option for writing programs on shared computers, or if you’re doing any kind of academic research you’d like to keep private. (If you’re worried about people stealing your ideas, you can use this feature for book manuscripts or your next Performance Menu article as well.)
 
And since we’re talking about Microsoft Office, I’d be remiss if I didn’t recommend disabling macros, especially since you’re probably not using them; hackers embed macros in documents to spread malware onto computers. This is especially important if you’re opening a lot of Excel spreadsheets, Word documents, and other attachments. (More on not opening sketchy attachments later.)
 
Keep All Of Your Apps And Tools Up-To-Date
 
Old versions of software are far easier to hack into than new versions: once a security fix is released, the flaw it fixes becomes public knowledge, and attackers build exploits for everyone who hasn’t updated yet. So… install updates as soon as you can. Just do it.
 
Have 2+ Backups
 
A good way to deal with everything from system crashes to ransomware (and yes, theft) is to have good, regular backups. It sounds crazy, but you’ll want at least two backups. For example, you could back up the data on your laptop to an external hard drive and also sync it to Dropbox. Or you could have two external hard drives. Or you could look into cloud backup tools for businesses, like CrashPlan or BackBlaze. If you do back up to a local storage device, it’s safest to connect your machine to the drive only while doing the backup, and then disconnect it. (If it’s always connected, it can still be reached by ransomware or an attacker.)
 
Encrypt Your Hard Drive
 
Full disk encryption is a great way to protect your data in case your laptop gets lost or stolen, and it’s pretty easy to do since it’s built into all of the major operating systems. Use BitLocker for Windows, or turn on FileVault if you have a Mac.
 
Beware of Phishing Attacks And Social Engineering
 
Social engineering is a non-technical way to gain access to sensitive information. Instead of hacking into an account, social engineers use psychological manipulation to convince people to share sensitive information, or to break their company’s normal security procedures.

Phishing is an attempt to obtain access to sensitive information (credit card information, usernames, passwords, etc.) for malicious reasons, often by disguising oneself as a trustworthy person in an electronic communication. A lot of ransomware attacks begin with a phishing attack, which is typically an email with a malicious link or attachment. Vishing, or voice phishing, takes it to the phone. 
 
Be wary of urgent requests for information. Don’t open attachments or click on links from untrusted sources. (If you must open an attachment, you can open it within Google Chrome without downloading it, or save the file to Google Drive and open it within Drive.)
 
Before sharing sensitive information in response to an email, pick up the phone to call the business in question (using the number on the back of your credit card, not one in an email or on a website that was sent to you) to verify that this information is actually needed. Type URLs from emails into the browser yourself rather than clicking on a link.
 
If you do click on a phishing link—and we’ve all been there—make sure to respond appropriately. Depending on the scam, you may need to change your passwords, contact your credit card company, and/or get your computer looked at. You can also report phishing attempts to the Anti-Phishing Working Group at https://www.apwg.org/report-phishing/.
 
Physical Security Tips
 
These should probably go without saying, but sometimes taking a lot of measures to protect your digital assets means you inadvertently turn a blind eye to physical security. So consider putting a lock on your filing cabinet. Maybe lock up your laptop when you’re not using it, so it’s less likely to be snagged. You can even buy a privacy screen for your laptop if you’re dealing with material you don’t want any shoulder surfer to see.
 
Take A Deep Breath
 
You don’t have to do everything on this list all at once. Figure out your threat model, prioritize what’s most important, and take one step at a time.