How Mindbody Keeps Your Data Secure—and What You Should Ask Your Software Provider About Cybersecurity
By Jason Loomis
Do you know how secure your business’s data is? If you can’t answer that with 100% certainty, this is what Mindbody can do to help.
No business can take cybersecurity for granted. It’s a necessity that grows more complicated every day and becomes increasingly tied to the success of your business.
A quick look back
According to the FBI’s most recent Internet Crime Report, the 467,361 complaints they received in 2019 resulted in over $3.5 billion worth of damage to businesses. Layer on the Solarwinds attack and the 100% YoY increase in ransomware attacks in 2020, and it’s safe to say the last few years alone are enough to pay closer attention to cybersecurity.
2021 and “supply chain” security
2021 is shaping up to be the year of supply chain security. We’ve already seen supply chain violations, third-party hacks, and breaches at large companies like Microsoft, Internet of Things companies like Verkada, and even other health and wellness software providers. With breaches like that, it’s a good time to ask, “How secure are your vendors and SaaS providers?”
How Mindbody keeps your data secure
Keeping your data secure, confidential, and readily accessible are our greatest priorities. Our industry-leading cybersecurity program is based on the concept of Defense in Depth: securing our organisation and your data at every layer.
Our commitment to your business includes spending more than US$4 million per year securing your data. We have 15+ dedicated cybersecurity team members with over 120 combined years of security experience, as well as 18 different layers of security encryption overseeing our every effort. While no system can guard against every potential threat, Mindbody's defensive line is advanced and monitored 24/7, 365 days a year by those 15+ skilled, highly trained professionals.
Almost every company has three priorities: revenue generation, cost saving, and risk reduction. In my experience with startups, cybersecurity is predominantly a “risk reduction” activity. The model for startups, especially in the SaaS space, is to achieve low-cost, high-growth objectives. They do this by focusing on revenue generation and cost savings, not risk mitigation.
However, at Mindbody, we put security and risk mitigation at our core (it’s one of the reasons I was attracted to join the team here). It's a requirement, supported fervently across our board and at the executive level.
Mindbody certifications support this commitment
- PCI DSS Level 1 Service Provider Certified: the most thorough and stringent security standard in the payment card industry. Mindbody provides payment offerings that secure consumer data, reduce fraud, and provide secure online services.
- HITRUST CSF Certified: 75% of Fortune 20 companies are HITRUST certified. HITRUST is the most widely adopted security framework in the U.S. healthcare industry.
- SOC 1 Type 2 Certified: giving our customers the assurance that the controls of our financial and reporting systems are designed and operating correctly.
The truth is, cybersecurity is hard no matter what your size. We know this at Mindbody. And we know what it's like as a small SaaS provider to not prioritise security. In 2018, we purchased FitMetrix, a SaaS startup. Months later, a data exposure was discovered that leaked FitMetrix customer data. We've been through acquisitions since then, and I ensure that my teams jump in on day one to bring them up to our cybersecurity standards.
Questions to ask your SaaS provider
Ultimately, data breaches can result in significant financial and reputational loss for your company. To minimise your risk, being aware of your third-party supply chain risk is critical.
Here are some simple questions you can ask your vendor or SaaS provider to help vet their cybersecurity readiness:
- Do they have a dedicated chief information security officer or equivalent role? If a third party deploys dedicated resources to manage risks and safeguard its critical information, it shows they approach their security with the utmost seriousness.
- Do they have industry certifications? Are those certifications theirs or THEIR vendors’ (like Stripe)? While industry certification may not necessarily indicate the effectiveness of third-party security controls, it does provide additional assurance about the vendor's commitment to protecting their systems and customers' information. Have them share their proof of certification. Our industry certification outlines our dedication to keeping your data secure.
- Do they have comprehensive security policies? Can they share? A good cybersecurity program starts with good policies. Think of it like a "say/do" thing. If you're not documenting what you need to do for security, the chances of you actually doing it are not great. Our policies are publicly available.
- Do they have a mature incident response plan? Regulations regarding data protection and privacy have become stringent, and organisations are obligated to disclose material breaches within a specified timeframe. The responsibility of the disclosure is with the data owners and custodians, so your organisation would need to work closely with an affected vendor to meet those timelines to avoid potential non-compliance or penalties. We have extensive plans; those plans are practiced and improved continually.
- Do they have a mature cyber risk management program? It's crucial to ascertain the effectiveness of their security controls. This can be done by reviewing independent security audit reports (PCI, HITRUST) to assess the vendor's vulnerability management, secure software development processes, and threat management programs, such as cyber intelligence. Organisations can also internally report on cyber risk. We do. We have a dedicated IT risk team that continuously measures and reports on the effectiveness of our cybersecurity program.
Cybercrime is lucrative and target-rich for criminals around the world. Since nothing succeeds like success, don't expect cybercriminals to abandon their attacks any time soon. Partnering with companies that take cybersecurity seriously is your best way to mitigate the risk of a third-party breach.
For more information, download our Cybersecurity whitepaper.
Visit our enterprise management page and schedule a call with a Mindbody expert to see how we can partner with you to grow your business—and provide you with the highest level of data security.