Five Tips for Keeping Your Campers’ Data and Information Safe

Sheryl Hoskins
May 2017
Photo courtesy of Active Network

Camp directing is not merely a job that provides a paycheck. Rather, it is the reason to get up in the morning. A camp director’s ROI is in every child’s smile, when he learns a new skill, discovers a new world, achieves the “impossible,” or wins for the first time as part of a camp experience. In this way, camp directors embrace the role they play in shaping social change and transforming our communities for a better tomorrow.

Delivering camp experiences that instill good habits across a range of interests and ages is no small task, but recent advances in camp management technologies are making it easier for camp directors to dedicate more time toward planning, resourcing and giving kids and their families the exceptional experiences that they crave and, in some cases, expect. And as more and more camp directors adopt technology, they also take on the responsibility of safeguarding campers and their families in the online world, just as they do each day in offline environments.

The Case for Investing in Data Security

Depending on the size of your organization and the number and types of camps you offer, there exists a camp management software solution that can deliver the functions and capabilities you need to meet your goals, whether your goal is to wow and engage loyal, long-term campers with new types of activities or to attract new campers to your existing programs. As you assess your needs, you may focus on how certain technology functions can help you streamline (online registration and payment processing), help you discover and attract new campers (digital marketing tools), improve the camper and employee experiences (mobile camper check-ins and staff management features), or track your progress toward goals (financial tracking and reporting tools).

Today’s camp management software solutions can deliver a broad range of tools and features that streamline your administrative workload and manage your campers. Convenient, mobile-friendly participant portals, coupon and discount management features, and easy-to-use e-mail marketing tools and analytics have become table stakes for camp management software offerings. While camp management technologies certainly create efficiencies and improve experiences for you, your campers, volunteers and staff, the most critical component of any software designed to facilitate kids’ activities is that it aligns with your mission to help children.

Internet mayhem and identity theft are now a universal part of the relentless, illegal pursuit of data. The reality is that while consumers can take steps to protect themselves, once they engage with an organization, the responsibility for protecting their information lies with the organization that has collected their data.

The solution is not to simply maintain a paper-based, offline existence. While consumers are concerned about the security of their information, they simultaneously demand the convenience of online services. For your organization to continue serving children, it must also serve parents. Manual “offline” registration and management of administrative tasks may decrease the risk of camper data compromises, but does the potential risk reduction of using “offline” processes outweigh the benefits of utilizing online camp management software? The answer is no. For one thing, most paper registrations conclude with an online payment transaction (a top expectation of parents), so a complete online solution ensures the security of all data at each transaction touch point.

What Level of Security Should You Expect of a Software Provider?

If you’re currently using a camp management software solution or considering moving to an online solution, be sure you investigate not only the data and information security capabilities of the software suite itself, but also those of the company providing it.

For example, the provider should be able to demonstrate proof that it maintains one of the best system availability and security application infrastructures within the industry in which it operates, backed by state-of-the-art data centers, each holding either a current SAS70 or SSAE16 certificate and a team of highly skilled and trained technology professionals. The company’s data centers should operate 24/7/365 across multiple sites to be able to guarantee redundancy of data. With a comprehensive and advanced recovery solution in place, in the event of a regional disaster, its recovery programs and activities should immediately begin in a secondary data center. This level of investment, rigor, and oversight must be in place so that the company can confidently ensure the safety and security of not only campers’ data but also any company data.

At the same time, any provider you select should continually invest in making the technology upgrades needed to deliver the highest available processing speeds for every user and to ensure a 99.5 percent or greater “uptime” standard, with data center “uptime” and security standards mirroring those of the U.S. government.

As a camp director, you may not be trained to architect and monitor security solutions, and with the right technology partners, you don’t have to be. Whether you are considering transitioning from a paper-based registration and administration process to a camp management software solution or you are currently using an online solution, there are five primary evaluation criteria you can use to determine the caliber of a camp management software provider’s security and infrastructure. Simply asking these five questions and knowing what the answers should be will help you determine whether your system is appropriately secure, and whether the personal data and information of your campers within that system is safe.

These are the questions to ask when determining whether the systems you use employ best-in-class safety and security precautions to protect your company and camper data:

1. Is the Physical Security of Your Data Centers Comprised of Five Layers of Protection?

Both digital and physical mechanisms must be in place to keep your campers’ data safe. We typically think of cyberattacks when we hear the words “data breach,” but in actuality, your campers’ data could be physically removed from your software’s data center due to lax data center security and protocols. The provider’s data center strategy should ideally leverage the most advanced facilities possible to house their infrastructure, with Tier 3+ data centers that provide full redundancy for the country within which you operate your camp. Check to ensure that each facility provides robust connectivity with access to multiple Telco providers allowing for near unlimited application bandwidth. The physical structure that houses the data centers should not only provide reinforced walls and enclosures, but also state-of-the-art surveillance to protect data centers from forced entry attempts.

  1. Perimeter: Blast walls, locked gates, no clear avenue of approach/entry, video surveillance and no external signage.
  2. Exterior Walls: Reinforced concrete with reinforced, alarmed doors. Entry to lobby requires validation against an authorized list.
  3. Mantraps: Once inside the lobby, entry to the data center is blocked by steel mantraps.
  4. Manned Access Control: Access beyond the mantrap requires ID and biometric authentication controlled by 24/7 armed guards and audio and camera surveillance.
  5. Caged Spaces: Within the data center, all provider-operated equipment should be separated and contained within an individually locked and monitored cage.

An easy way to gauge the physical security of your technology providers’ data center is simply to ask them for pictures and locations of their data centers. If they appear disorganized, do not visibly have these five layers of protection in place and are not geographically dispersed, your company and camper data may be at risk.

2. Are Digital Communications Between Your Data Centers and Solutions Delivered Via Encrypted Transmissions?

Your campers’ parents should trust that when they’re inputting personal information, including payment details and login credentials, your software platform leverages the most current encryption protocols to ensure the security of all transactions and communications. You may recall the first time you noticed a website address that started with https rather than http. The “s,” of course, stands for Secure Sockets Layer, or SSL, which represents the technology that encrypts a website connection to prevent hackers from intercepting sets of data that travel through that connection. If your registration is hosted at a non-https address, you could be deterring prospective customers who are looking for that secure “s” from signing up for your programs in the first place.

All network communication to your software provider’s equipment should be delivered via cryptographic protocol. It is best if the provider uses strong encryption keys, securing all information at every step of transmission, for end-to-end protection. Digital traffic in and out of the data centers should ideally go through seven layers of firewall protection, denial-of-service, and hardware-based protection, using best-in-class equipment.

Also, does the provider use a comprehensive suite of software and hardware tools to inspect network activity and proactively protect against any external threats? Ideally, the provider of camp management software should also perform frequent scans of their infrastructure to detect potential risks in your environment, with any new risks being ranked in accordance with the National Vulnerability Database Scoring System and remediated accordingly.

3. Do You Provide 24/7/365 Monitoring to Ensure Uptime Stability and Reliability?

Ever come across an annoying 404 error message after clicking on a link? Consider the experience for a parent clicking on your “register now” link. Server errors are frustrating because they seem to affect us right when we’ve committed to taking action and happen to have only a few minutes to do so. As much as you may wish you could continually monitor your system, you can’t be awake 24/7 to address your current or prospective customers’ technical support issues, so working with a provider that works for you throughout the night, during holidays and every other minute to ensure your programs are accessible online is crucial.

Any camp management software provider should validate that their monitoring strategies are supported by an internally staffed 24/7/365 network operations center. Be sure that they constantly monitor for customer experience issues and regularly test for key functions from a variety of geographic locations through the use of enterprise-class monitoring tools and proprietary monitoring and management solutions. In the event of error conditions, they should have a protocol in place to immediately alert their engineering team to investigate and resolve any issues. Environment stability can be further augmented by extensive release-and-change management processes to prevent the introduction of unintended issues through new functionality or product enhancements.

Ensure your provider has both the resources to manage all their own equipment as well as proof that they have highly skilled technical engineers in-house to monitor and respond to issues faster and more proactively than externally managed, 3rd-party and “white box” environments. Additionally, has the provider implemented an advanced content caching solution to enable delivery of seamless online experiences for campers and their families? If not, you should be skeptical of engaging with that vendor.

4. Does Your Solution Enable Controls for Limiting Employee Access to Select Modules?

Have you ever wondered who is on the other end of your phone or internet connection when you create a new account online? It’s easy to assume that the organization has done its due diligence in conducting security checks, training employees and deploying safeguards to deter employees from misusing or appropriating your data in any way. For example, if you use the same password for your bank account as you do for an online retailer or e-mail account, your level of risk can exponentially increase if just one company with which you transact has not taken adequate employee-related security measures.

Ultimately, mitigating the theft risk of a camper’s records and personal information falls on both the provider and you, the camp director. Ensure that your provider’s solution includes processes and functionality that allow you to improve and maintain security on your end, too. Take the time to establish various levels of access to campers’ records based on the respective roles of your volunteers and employees. Your provider’s software can and should enable your organization to completely control user access levels to ensure that each staff member can only access the specific areas you choose.

5. Do You Assume All the Risk of Payment Processing Per PCI Standards?

All credit card transactions between customers and merchants can and should go through reputable, stable, financial, or banking system vendors that properly process, administer, verify and either accept or decline credit card transactions on behalf of the service provider through secure Internet connections. As such, your software provider should assume all the risk in payment processing.

According to the Payment Card Industry (PCI) standards, any business that stores, processes, or transmits credit card transactions is required to meet specified levels of compliance in order to protect its customers. Ensure your software provider’s level of compliance completely covers you. For companies that process more than billions of dollars in annual credit card transactions on behalf of thousands of customers from around the world, it is critical for that company to hold Level 1 Payment Processor and Service Provider status. Such status requires companies to undergo annual third-party certification audits to ensure those high security standards are always maintained. The company’s PCI compliance level must be verified by a Qualified Security Assessor (QSA), covering everything from network security and application security to background screening of its employees. When a company stores a customer’s financial data, it takes on the burden of PCI requirements for that customer, eliminating their pain of compliance in cost, time and resources.

In Summary

Selecting a camp management software is potentially one of the biggest decisions you’ll make as a camp director in terms of the potential benefit to you, your business, and also your campers and their families. When shopping around for a provider of camp management software, make data security a top priority among your selection criteria. Directors of camps today face increased challenges and competition due to advancements in technology that have made programs more accessible than ever. At the same time, it is technological advancement itself that can help solve a variety of camp management challenges.

As you adopt new technologies in the future to help you better manage your operations and meet the needs of new generations of campers, the safety and security of your campers’ data and information should be a top priority. Ask potential providers for documentation supporting enterprise-level security compliance, physical security specifications and images of their data centers, data storage and backup capabilities, architecture specifications, cloud operations classification, and payment security measures. If a provider cannot or will not deliver proof that their data centers meet these security standards, purchase your software from a provider who can demonstrate to you that they have the technology and security infrastructure needed to protect your campers.

Sheryl Hoskins is the general manager of Communities at ACTIVE Network, an organization supporting camp directors in their mission to enrich lives through camp, event and activity management technologies that deliver online registration and payment processing, digital marketing, mobile camper check-in, staff coordination, and financial reporting capabilities.
