The threat of hack attacks is increasing but training employees is the best way for franchises to shore up their digital defences
In mid-May, the WannaCry ransomware infected thousands of organisations, including the NHS, across more than 150 countries. But while the attack may have caught some people by surprise, Phil Chapman, senior cybersecurity instructor at Firebrand Training, the IT training firm, wasn’t one of them. “The attacks that make the press are just the tip of the iceberg,” he says. “The cold reality is that this is something that has been bubbling under the surface for an awfully long time.” The increasing number of breaches is due to the technological leaps made over the past few decades: emails, social media and smart devices may have made conducting business easier but they have also increased the likelihood of hack attacks.
And if any franchisor doubts that they should invest more in protecting their networks then they’d better reconsider. “The stories and statistics speak for themselves,” says Leon Deakin, partner and cybersecurity expert at Coffin Mew, the law firm. A report from the British Chambers of Commerce recently revealed that 20% of British businesses fell prey to digitally savvy offenders in 2016. And being breached can often be a costly affair: not only could companies lose out on hours, if not days, of productive work but becoming a victim could also see their share value plummet. For instance, after Yahoo was found to have suffered a major data breach, the tech giant had to shave $350m off its asking price when the company was sold earlier this year. Additionally, with ransomware cases like the WannaCry attack, companies can be forced to pay the attackers to decrypt their files.
Worryingly, many SMEs seemingly aren’t concerned about the rising threat posed by malware. A recent survey by Firebrand Training found that SMEs carry out fire drills twice as often as cybersecurity drills, despite the fact that businesses experience breaches 125 times more often than fires. The report also unearthed the fact that 46% of businesses with 50 to 99 employees think cybercrime is not a threat to a business of their size, despite ample evidence to the contrary. “Any business or franchisor should be taking the threat of cybercrime very seriously,” warns Deakin.
The problem is that it isn’t enough to simply invest in a shiny new firewall: to keep their networks safe franchisors have to ensure their workers know what they are doing. This is paramount, as staff members are often the weakest link in companies’ cybersecurity defences. “Many attacks target the vulnerability of employees at some level,” says Oz Alashe, CEO of CybSafe, the cybersecurity firm. “People make mistakes or, more commonly, are unwittingly conned. It can happen to anyone.” Indeed, 95% of incidents involve human error, according to a report from Lawley, the cybersecurity-insurance company. “The good news is that employees can become your greatest defence through a few changes in behaviour, better education and by raising awareness,” says Alashe.
Having acknowledged the need to train franchisees and employees, franchisors should ensure all staff members are given the right education. And it’s necessary for everyone within the network to receive the same guidance if you’re going to keep the company safe. “If the staff don’t receive standardised training, everyone will be working to slightly different processes and have different levels of awareness,” says Alashe. “It only takes one person opening a suspicious email to compromise the business.”
However, convincing a franchisee to prioritise cybersecurity when they’re busy launching their own enterprise can be easier said than done, especially if they have to pay for the training themselves. So it can be a good idea to include cybersecurity training as a part of the package covered by the franchise fee. “Security awareness and training might not rank highly on the priority list of the franchisee otherwise,” says Perry Carpenter, chief evangelist and strategy officer at KnowBe4, the cybersecurity-training company. “Having the fee cover it – as well as having it required by the franchisor – removes any excuses.”
Once the entire network is involved, it’s vital for the success of the programme that each employee can apply it to their individual role. “There isn’t a one-size-fits-all programme for every employee,” says Carpenter. “We need to recognise that different job roles are likely to require different training plans.” Franchisors are advised to start by mapping out the data each individual interacts with to determine which elements to include in the training and which to skip. “The last thing we want to do is overload an employee with information that’s irrelevant to them,” he says.
Nevertheless, there are elements that should always be included. “The ultimate goal is to help strengthen employees’ gut instincts so they naturally make better security decisions,” Carpenter says. A good starting point is to discuss the different social-engineering tactics hackers use to exploit human nature. These strategies range from the more commonly known phishing attacks to pretexting, which is when hackers obtain privileged information under false pretences. Another common technique is called baiting. As the name suggests, people are lured into giving away data by being offered something enticing like free music or tickets. To really bring the point home, educators often put workers through attack simulations. “That way you can detect if they don’t make the appropriate security decision and immediately adjust their training,” says Carpenter. Additionally, the course should cover the appropriate use of systems, secure ways of handling data and the importance of strong passwords.
Restricting the training just to what employees do within the workplace could be a mistake, as cyber criminals aren’t just limiting their tactics to work activities: employees’ personal lives can provide hackers with another point of entry into your systems. “How people behave online at work and at home can present weaknesses that criminals exploit in order to gain access to valuable company information,” says Alashe. While it may seem innocent enough to share holiday pictures and details about conferences you may have attended, that’s the kind of information that hackers can capitalise on. For instance, they could mount attacks by looking up workers online and personalising emails to convince employees that they’re legitimate. “Cyber criminals seek to exploit this information and our human nature,” says Alashe.
However, even once franchises have completed their cybersecurity training they can’t rest on their laurels. “It’s critical that franchises don’t consider security awareness and training a one-off,” says Carpenter. “Knowledge that isn’t reinforced and skills that aren’t practised are quickly forgotten.” Continuously refreshing skills and adding new training to counteract how cyber attacks evolve will keep the network safe in the future. “Cyber attacks are becoming more complex as technology develops and criminals are always finding new means of accessing information so people must keep up to date,” says Alashe.
Staying safe requires a lot of investment and effort but when the next major malware attack or data breach hits the headlines then the franchisor will know it was worth it. “Effective cybersecurity is not a simple task but it is a crucial one,” concludes Deakin. “It seems this message is finally getting through.”