Cybersecurity and Your Club Management System
By Stephanie Castro, COO, Cobalt Software

Cybersecurity is a hot topic in the club industry, and for good reason. Your members are affluent individuals whose personal data could be quite valuable in the hands of criminals.

If your club is a castle, then member data is the royal treasure that must be protected at all costs. For all the talk about cybersecurity, there is surprisingly little discussion about the software provider’s role in keeping your club members’ data safe.

Oftentimes, security is presented as the responsibility of the club, the IT department or outsourced IT company, or the hosting provider, if the solution is delivered via the internet. 

But your club software, which houses your members’ data in its database, is the heart of the operation, and the last line of defense against bad actors. If the software itself is not secure, it’s a soft target dependent on network security to keep it safe, particularly if the software is hosted in on-site servers at your club. While many software providers use best practices for cybersecurity, don’t automatically assume that yours does. It is always better to ask. After all, as a club leader, you’re the king or queen of your castle.

What Makes a Secure Software Product?

What most people think of as cybersecurity is simply network security. Network security is like the moat around the castle. It’s the outermost level to keep intruders out. To protect the network, the best defenses are educating your staff about how to prevent phishing and malware attacks, and measures such as firewalls.

But just keeping intruders off the property is not sufficient. You can’t just build a moat and leave the rest of the castle without strong gates, locks, and other protections. Club software is the same. Network security is great, but the inner workings of the software must also be secure.

While network-level security is the responsibility of the club, there are 3 more important levels of security that software providers should leverage to secure their applications.

Application-Level Security 

  • Prompting users to change passwords frequently (i.e. every 90 days). 

  • Timing out at an appropriate interval when a user is away from a terminal to prevent unauthorized access. 

  • Having multi-factor authentication (MFA) to verify new devices.

  • In-depth audit tracking and usage reporting.
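
An added example (not Cobalt Software's code and not part of the original article) of how an application could apply the four controls above to each request. The 15-minute idle timeout, the function and field names, and the sample session are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # the 90-day interval from the list above
IDLE_TIMEOUT = timedelta(minutes=15)    # assumed value; the article gives none

@dataclass
class Session:
    user: str
    device_id: str
    password_changed: datetime
    last_activity: datetime
    known_devices: set = field(default_factory=set)

def check_request(s, now, audit, mfa_passed=False):
    """Decide what to do with one request and append the decision to the audit trail."""
    if now - s.last_activity > IDLE_TIMEOUT:
        decision = "reauthenticate"            # terminal left unattended
    elif s.device_id not in s.known_devices and not mfa_passed:
        decision = "require_mfa"               # unrecognized device
    elif now - s.password_changed > MAX_PASSWORD_AGE:
        decision = "force_password_change"
    else:
        decision = "allow"
        s.known_devices.add(s.device_id)       # device is now verified
        s.last_activity = now                  # only allowed requests reset the idle clock
    audit.append({"time": now.isoformat(), "user": s.user,
                  "device": s.device_id, "decision": decision})
    return decision

def demo():
    """Constructed sample: one front-desk user over a single shift."""
    t0 = datetime(2024, 6, 1, 9, 0)
    audit = []
    s = Session("frontdesk1", "tablet-7", password_changed=t0 - timedelta(days=30),
                last_activity=t0, known_devices={"pos-1"})
    results = [
        check_request(s, t0 + timedelta(minutes=1), audit),                   # new device
        check_request(s, t0 + timedelta(minutes=2), audit, mfa_passed=True),  # MFA done
        check_request(s, t0 + timedelta(minutes=40), audit),                  # idle 38 min
    ]
    s.last_activity = t0 + timedelta(minutes=41)   # user signed in again
    s.password_changed = t0 - timedelta(days=91)   # constructed: password now too old
    results.append(check_request(s, t0 + timedelta(minutes=42), audit))
    return results, audit

if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Every decision, including the refusals, lands in the audit trail, which is what makes usage reporting and after-the-fact review possible.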

Database-Level Security

  • Database encryption. This makes it so the data cannot be easily read by anyone gaining access. Special ‘keys’ are required to decrypt and make sense of the data. 

  • High security field-level encryption (DOB, SSN). In addition to encrypting access to the entire database, certain sensitive fields are further encrypted, and access is restricted by user roles and privileges. 

Transport-Level Security 

  • All sites should be using security certificates and authentication (SSL or TLS).

  • Passing all data through a secure channel.

  • Encrypting passwords before transporting them.

Security Considerations for On-Site Hosting Versus Cloud Hosting

Many clubs still use local servers for their software, providing operational continuity in case of internet outages. However, with today’s more reliable internet, many are shifting to cloud-based systems. This makes things easier for clubs who may not have in-house IT resources to manage network security and reduces the risk of ransomware or phishing attacks on member data since the software and databases aren’t on-premises. It’s like keeping your gold in a vault offsite, rather than inside the castle walls. 

However, components that are accessible via the internet may require additional protocols such as transport-level security, encrypting passwords during transport, complex password requirements and multi-factor authentication.

Database structure, namely keeping the back-office database in a separate server from the web server, can also provide another layer of protection. This is like having 2 moats: one outside the castle and another between the castle walls and the inner chambers. 

Cybersecurity Questions to Ask Your Software Provider

The following questions can help you evaluate the strength of your system’s security. 

  • What year was your software built? (Though this is not always the case, newer software is more likely to use modern cybersecurity tools.)

  • Have you or a client ever had a hack, ransomware attack or data breach? If so, how did you support the club? What measures were implemented to reduce future risk? 

  • Is data encrypted both at rest and in transit?

  • (If Cloud-Hosted) Can you provide a sample penetration testing report?

  • Do you use a separate web server and back-office server, or are they on the same server? (Multiple servers are more secure). 

Stephanie Castro is chief operating officer at Cobalt Software, the first club management software provider to offer artificial intelligence solutions for the private club industry. Stephanie can be reached at [email protected].

Ted Thie CCM CCE

Chief Executive Officer at T3 Club Solutions / Channel Partner Forbes Travel Guide Training for Private Clubs

3mo

Amen to that… we are responsible for our members’ private information!
