Don’t assume that just because you are a small to medium sized business, that you won’t be targeted by cyber criminals. The hotel, restaurant and hospitality and leisure sectors are possibly more vulnerable because of having small IT teams and a lack of knowledge around protection and best-practice.

Cyber criminals look for the easiest and fastest way to be successful. By attacking at the weakest link, or accessing via your supply chain, cyber criminals use small businesses as an entry point to move higher up the business ‘food-chain’.

More than half (54%) of SMEs in the UK had experienced some form of cyber-attack in 2022. Around 65,000 attempts to hack small- to medium-sized businesses (SMBs) occur in the UK every day, around 4,500 of which are successful.

Hospitality is targeted for two reasons

It has been found that those in the food and hospitality industry are 19% more likely than the average business to offer online payment options, and 11% more likely to use network connected devices. This combination means there are more possible entry points to better quality data sets.

https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022

It’s understood that 31% of all retail and hospitality businesses have experienced some form of security or data breach. And the majority – 89% – have experienced more than one attack per year. This suggests that those with vulnerable networks or processes are likely to be targeted again.

www.securitymagazine.com/articles/96515

Many leisure sector businesses outsource services such as Payroll, employees benefit packages or ICT or network support. If the level of access a vendor or contractor has to your data or network, is not controlled properly breaches can happen, and do, frequently. You could become a victim of extortion, phishing attacks, social engineering or your website could get hacked.

 Humans are the weakest link

From a data security perspective, employees are one of the biggest risks to business. Research has shown that more that 90% of security breaches involve some degree of human error. They can pose a risk by:-

  • Clicking on bad links in emails
  • Visiting websites containing malicious software
  • Forgetting to close the access point created for a vendor or contractor
  • Using personal devices

So ensure account access is controlled and audited to identify potential issues. Use encryptions for all sensitive or confidential data. It is vital to have the right technologies in place to support them, such as firewalls.

Having up-to-date data backups and a disaster recovery plan will help recover and restore your business information.

  • Employees must be trained about cyber security risks. Information Technology team members should be encouraged to get cyber security certificates.
  • Hospitality organisations should invest in reliable hosting and CDNs.
  • End-to-end encryptions should be used on the PoS system. 

Security is everyone’s responsibility so here are 10 security tips to help you stay vigilant.

  1. Phising Emails- Don’t open emails from unknown sources. Think before you click on links or open attachments.
  2. Log off- when you’re away from your device and use a security screen to protect confidential information from prying eyes.
  3. Strong Passwords;- make them complex using at least 7 uppercase and lower case letters, symbols and numbers. Never write them down or share them. Don’t reuse passwords from other sites.
  4. Protect your stuff- keep your equipment locked up or take it with you. Report any loss immediately.
  5. Shred it- Don’t write passwords down and shred confidential waste
  6. Sharing & Storing- only use approved applications. Hackers use clouds to gain access to information.
  7. Back up – save your data and critical files regularly
  8. Secure Connection- when accessing work networks, use a secure WiFi not open to the public. The use of VPNs should be encouraged in hotels and hospitality organisations. 
  9. Updates- Keep your devices, browsers and apps up to date with the latest software and anti-virus protection
  • Report it- If it looks suspicious report it

Reporting breaches

If you suffer from a breach that poses a risk to people’s rights and freedoms, such as damage to reputation or financial loss, then you do need to report it to the Information Commission Office (IOC) within 72 hours of discovering the incident. The ICO has produced a guide which may be found on its website (link) https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

The Government’s Cyber Essentials scheme is a responsible way of demonstrating that you take the protection of any customer or supplier data seriously. Their details can be found at www.cyberessentials.ncsc.gov.uk

Get insurance cover

You can also get special cyber insurance to cover recovery costs in the event of an attack.