Through its exercise videos and nutritional shakes and supplements, Beachbody helps people get buff, lose weight and live healthier lives. In fact, the fitness company’s IT team knows all about working up a sweat, but in their case, it’s to add muscle to the company’s cybersecurity defenses.
The Santa Monica, Calif.–based company, which sells its products online, direct to consumers and through network marketing, tops $1 billion in sales per year. Although it still sells workout DVDs, its fastest growing products include a video-streaming service that lets subscribers access hundreds of workout videos, as well as customized online meal planning, personal guidance from online fitness coaches and peer support on message boards.
To protect its intellectual property, and customer, employee and independent distributor data, Beachbody has deployed a healthy diet of security tools and measures, from two-factor authentication and network traffic monitoring to practicing drills in case breaches occur, says Grant Leathers, the company’s vice president of technology operations.
“With the rise in cyberattacks, no company is immune, including us,” says Jonathan Gelfand, Beachbody’s chief legal officer and senior vice president of business development, who also oversees the company’s security. “Like us, any company that interacts with consumers, processes credit cards or has sensitive data, which is most companies these days, will be a target.”
Security is a continual hot topic among IT leaders in small and medium-sized businesses and nonprofit groups. New threats emerge, such as ransomware and vulnerabilities in Internet of Things devices, while existing threats evolve and cause havoc, such as distributed denial of service (DDoS) attacks, phishing scams over email and malware that targets mobile devices.
Cyberthieves target SMBs because they have valuable client and financial data, along with other sensitive information, says Eman El-Sheikh, director of the Center for Cybersecurity at the University of West Florida.
“From an attacker’s perspective, small and medium-sized businesses have access to the same data, and they may be easier targets,” she explains. “They may not have the resources or personnel to dedicate to cybersecurity that a larger corporation might.”
To make life tougher for cybercriminals, however, SMBs and nonprofits are investing in resources and IT expertise — and in some cases, outsourcing that work — to shore up their cybersecurity.
To safeguard its IT infrastructure and data, Beachbody takes a comprehensive approach to security through a mix of policies, technology and people, Leathers says.
“There’s never going to be one tool or solution that’s going to be a panacea and do everything,” he says. “You have to have multiple solutions in place and combine technology with good processes and people operating them to provide the best coverage. It’s like concentric circles overlapping.”
The company’s security and IT departments collaborate, and they work with all employees and contractors to ensure security is a priority.
The security team meets twice each week to discuss the latest threats and engages regularly with law enforcement agencies and other companies to share cybersecurity information and strategies. Beachbody also requires all of its 800 employees, as well as its developers, to attend annual security awareness training, Gelfand says.
“We realized early on that if we leave security solely to the security department, we will fail. You can’t be siloed anymore,” he says. “We made it clear to every employee and contractor that they are also part of the security department because the most common threat vector we see is through phishing, spoofing and hacking.”
When people work on the website and develop mobile apps, the company policy is to make sure security is baked in.
“Security is integrated at the beginning of development,” Gelfand says. “And once it’s implemented, we continue to prioritize security with ongoing penetration testing, patching and vulnerability remediation to help us stay safe.”
Beachbody executives say their top security concerns are preventing data breaches and ensuring that the company’s revenue-generating platforms are secure. That includes protecting customer information, ensuring the integrity of e-commerce, preventing DDoS attacks from hampering video-streaming services or online purchasing, and reducing exposure to phishing scams and ransomware, an extortion scheme in which hackers encrypt corporate data and demand payment before unencrypting the data.
While the company does use some cloud services, it primarily relies on its two redundant data centers in California and Nevada.
To manage risk, the IT team uses centralized software for asset management and change management, Leathers says. It also regularly scans software code for vulnerabilities and monitors network traffic for anomalies.
“We have implemented an integrated solution with firewalls and endpoint protection to detect and remediate malware outbreaks,” he says.
What’s more, IT staff members segment the network and use access control lists; employees can only access the data they need. To tap into the corporate network from home or while traveling, employees have to sign in using two-factor authentication to validate their identities.
To thwart DDoS attacks, Beachbody subscribes to a managed cloud service that uses web application firewalls to spurn malicious traffic from the company’s website and data centers, Leathers adds.
The company’s security and IT departments have also developed incident response plans and run tabletop exercises to practice different scenarios such as a data breach, so they’re better prepared if it ever happens.
“You have to make it as real as possible,” Gelfand says. “Who contacts law enforcement and forensics? What systems get shut down? How do you contain it? Unless you are kicking the tires on the plan, it’s just a piece of paper. You won’t know what truly works or what’s missing.”
In particular, El-Sheikh advises, SMBs must focus on securing mobile and IoT devices because they are increasingly used as avenues for attacks.
In late 2016, as noted in Symantec’s “2017 Internet Security Threat Report,” malware known as Mirai attacked IoT devices with weak default passwords (such as routers and internet-connected cameras), which then launched a massive DDoS attack that brought down large internet sites.
“Anything on the network can pose a risk, and we’ve seen a growing range of IoT-related threats,” El-Sheikh says.
A lot of IoT devices are left on default settings, posing a security risk. Instead, businesses need to use more stringent passwords and connect them to protected networks, she advises.
MainGate, an Indianapolis event and retail merchandising company, understands these challenges. It creates pop-up stores that sell goods at more than 100 sporting events annually, which involves setting up a mobile Wi-Fi network at each pop-up venue to run point-of-sale (POS) equipment.
The company has standardized on Cradlepoint AER1600 wireless routers, which let retail staff create secure Wi-Fi networks by connecting to a cellular 4G LTE connection, says MainGate IT Support Supervisor Dan O’Reilly.
To handle transactions, retail staffers use IoT devices: Motorola handheld devices to scan barcodes and run the company’s POS app, and handheld Ingenico payment devices to process credit and debit card payments as well as mobile wallet technology.
The Cradlepoint router has a built-in firewall and encrypts communications on the Wi-Fi network. It also has a built-in virtual private network that lets the company securely transmit inventory and sales data from the devices to corporate headquarters. “It’s a very secure network,” O’Reilly says.
To further protect data, MainGate hides each Wi-Fi network’s Service Set Identifier (the unique, alphanumeric name associated with the network). It also uses a third-party payment provider that encrypts communications.
“We are concerned about securing customer data, so we’ve taken ourselves out of the equation,” O’Reilly says. “We never see the credit card number other than when we are swiping the card. It’s all encrypted.”
In a 2016 survey by the Ponemon Institute of 598 businesses, SMBs reported that 34 percent of their IT security operations are supported by managed security service providers.
The National Kidney Registry is one such organization. Based in Babylon, N.Y., the nonprofit NKR matches people who need kidney transplants with donors, so it deals with large quantities of sensitive health information.
Its apps include email; a central kidney donor database; secure portals for transplant centers and hospitals to enter patient and donor information; and data analytics software to identify potential donor-patient matches.
NKR used to manage everything in-house. To improve uptime and security, it moved its infrastructure to a cloud provider. Joe Sinacore, NKR’s director of education and development, says he frets most that hackers will steal patient data or that malware will incapacitate its apps.
“It’s a matter of life and death, so we can’t afford for our database to go down,” he says.
The provider monitors NKR’s systems 24/7, runs penetration tests and can immediately detect security threats and resolve them. Turning to an outside team of security experts lets the nonprofit’s staff focus on its mission of matching donors, Sinacore says.
“We don’t have time to do the security ourselves, and now we don’t have to worry about it,” he says.