Our IT Director, Mark Noble, gives his advice on how public venues can avoid cyber attacks.
Did you know there is a cyber attack every 39 seconds? And 75% of these attacks simply start with an email? These are shocking stats, but show how commonplace cyber attacks really are.
Your venue is not immune. Hackers don’t care who they target. It’s not personal. Cyber criminals make thousands of attempts to hack into systems and steal data or fraudulently take money. It’s a game of risk and chance for them. Whose system is weak enough, or whose employees aren’t being vigilant enough?
Why would my venue be a target for cyber attacks?
Did you know identity theft is one of the most common forms of cyber crime? If a venue is taking and storing customer data, then that information, even just an email address, can be used to gather further information about the customer.
While identity theft should be concerning enough, the real, tangible damage usually comes afterwards, when an attacker uses the stolen information for malicious purposes. Don’t compromise your customers’ data!
Setting up a guest Wi-Fi network
It’s likely your venue will have more than one Wi-Fi network visible to guests. Each visible network name is known as an SSID. For example, if you were to stand in a congested area such as a town centre, chances are you’d be presented with several different Wi-Fi connections to click on.
You should create different SSIDs on your Wi-Fi network to separate guest and company access. Many venues have a guest Wi-Fi but also an ‘office’ or ‘staff’ network visible. These will all run off the same connection, and it’s a good idea to hide any non-guest networks to limit potential issues. Bear in mind that hiding an SSID only stops casual discovery; the real separation comes from the password and the network configuration behind it.
It’s important that any guest Wi-Fi network is separated from your main Wi-Fi by a different, strong password. You should also consider using a splash screen, whereby a customer must enter some details (usually just an email address) in order to use your Wi-Fi. Be mindful not to use this information for marketing purposes unless the customer has been made aware and provided explicit consent. You don’t want to fall foul of GDPR!
Take payments securely
The most secure way to take payments is to use a terminal. This is usually a physical device, although sometimes card details may be entered into a computer.
With either option, you must be compliant with the Payment Card Industry Data Security Standard. This ensures your network is secure, cardholder data is protected, transmission of data encrypted, anti-virus/firewalls are in place, strong access control measures implemented, access to data restricted, and all networks monitored and tested regularly.
Compliance is particularly important if payments are taken over the phone. Compared to card machine payments, phone payments are more vulnerable to fraud as the customer isn’t present.
You must also ensure your payment gateway is secure, as this is the gatekeeper of your customers’ payment data. There are several companies, including banks, which can help you on your way.
For online merchants, a payment gateway relays the information from your venue to the acquirer and the issuing bank using data encryption to keep unwanted threats away from the sensitive card data. Aside from fraud management, a payment gateway also protects your venue from expired cards, insufficient funds, closed accounts, or exceeding credit limits.
Your venue’s invoicing system may contain payment information and bank details too. Any financial systems should be secured either by 2FA (two-factor authentication, now mandatory when accessing online banking) or locked down so that only specific computers can access them.
How can public venues improve their IT infrastructure?
Physical hardware such as servers, associated network devices and cabling should be kept out of sight, preferably in a locked and secured area.
If your venue has network points, ensure any unused ports are not ‘live’, i.e. not patched through to your switches or other IT equipment.
Never leave devices logged in. You might think it’s safe to leave an iPad on the bar while you pull a pint, but you never know who could swipe valuable data when you’re not looking.
Managing your team
62% of companies have experienced phishing or social engineering attacks. Your employees may be manipulated into divulging confidential information or making a fraudulent payment.
You must manage your staff in order to keep your business safe and your customers’ data secure. Train all new staff in cyber security and ensure every member of your team knows the correct procedures to follow. You should also run refresher training courses to make sure existing staff members don’t forget vital information.
All IT systems should follow a starter and leaver process to ensure correct access is granted and then withdrawn. Many businesses within the hospitality and leisure industry have a wide range of staff on-site; some will be temporary workers, others part-time or on flexible contracts. You must manage the process of employees starting and leaving your business effectively to minimise cyber risk.
Only allow certain members of staff to have significant levels of access to your systems and, therefore, your data. All employees should have their own account with a strong password, granting only the level of access their role requires. This gives you peace of mind that only the right people within your business are accessing the information they need.
Keeping your guests’ data safe
It’s a requirement for venues to record contact details of customers and visitors. Venues must ensure they’re doing this compliantly.
Writing down names, phone numbers and email addresses on scrap paper could cause trouble later down the line should someone manage to obtain this data.
You must collect, store and delete personal data securely. The ICO offer a range of advice, but here’s a brief overview:
- Don’t take more details than you need
- Be transparent about why you’re collecting customer details, even if you think it should be obvious
- Make sure customer data can’t be viewed or photographed by other people
- Keep temporary records for 21 days, but not longer than necessary
- Delete data carefully. Throwing something in the trash or just clicking ‘delete’ won’t be enough!
- Train your team thoroughly so that, if your customers have any questions, they’re able to answer them
What do I do if I’m the victim of a cyber attack?
You should start thinking about what you’ll do well in advance, so you have an action plan ready.
Change passwords and try to contain the breach (for example, disconnect affected computers from the network and the internet). Try to work out who has been affected by the breach and notify all affected employees and customers.
You should also report the attack to the Information Commissioner’s Office (depending on the severity of the breach).
How can I protect my business against cyber attacks?
You should be vigilant against attacks. Conduct a cyber risk assessment and put adequate security measures in place to protect your business.
Unfortunately, due to the very nature of cyber attacks, we often don’t know what the next big threat will be or how to prevent it. Cyber criminals use advanced methods to hack into systems or fraudulently steal money.
The best way to ensure your venue can weather the storm of a cyber attack is to purchase Cyber Insurance. If your business suffers a data breach or a fraudulent payment is made, Cyber Insurance will cover you financially, so you can get your venue up and running again as quickly as possible.
Want to chat cyber? We’re all ears
Give our award-winning team a call to find out more.