Data breaches are at an all-time high so maybe it’s time to take more responsibility
Cybercrime isn’t just the stuff of sci-fi; it can have a devastating impact on your business. Last year the accountancy firm PwC found that almost 70% of UK firms experienced an incident in 2014, which is higher than the global average. This coincides with some very high-profile data breaches. American retailer Target experienced something of a nightmare before Christmas in 2013 when a spill of information belonging to 70 million customers led to losses upwards of $148m (£100m). Similar incidents occurred with Office and Home Depot and they are by no means isolated incidents – we just don’t always hear about them. This is also a massive problem in the UK and small companies bear the brunt, making up 85.7% of hacking incidents.
Franchises are just as much at risk and can leave themselves open to attack if they don’t prescribe the right approach to security, both centrally and for individual franchisees. Stuart Facey, VP of EMEA at Bomgar, a company specialising in enterprise remote support solutions for computers and mobile, says IT security should be a much bigger concern for franchises. “A lot of bigger brands require that franchisees give the mothership access to their back office systems, and in that case security should be very important but based on what we’ve seen, it isn’t a top priority.”
Because there are now so many platforms on which you can store data, not having proper measures in place is very risky. “In the old days it was pretty straightforward as there were maybe only two PCs working through a server, but now, with everything being wifi-enabled, you’ve got a massive potential hacker problem,” says Facey. He cannot stress enough the importance of encryption when it comes to protecting data. “Consider if you were to leave your mobile device with your work emails or a USB stick on the train; if they’re not encrypted it’s a massive liability.”
Keeping data secure is a major responsibility and your customers trust you to keep theirs safe. If you lose it or expose it to others, you’re liable for that exposure or loss. This can lead to lost revenue, legal and regulatory costs, and all the associated disruption to business. Franchises are built on brands and so reputational damage should be a particular concern. Why then are so many still so lax when it comes to security? “A lot don’t understand or are too busy selling, promoting and doing all those other essentials,” says Facey. “IT is still largely seen as a service other than being business critical – until things go wrong, that is.”
Not all threats are new, however. Some of the most common breaches occur because of security risks that have been around for a long time – code injection or malicious web shells, for example. Innocent-looking programmes that have been on your system for an age can also wreak havoc. Take PC Anywhere, a perfectly good product in its day but one that has since been discontinued. Despite this, it is still in use by some. “With PC Anywhere, if you aren’t careful you could leave ports open on your devices where you had a session running and so it was relatively simple for a hacker who knew about the programme to access your network,” says Facey. “Once they’re in they can start placing all sorts of malware and do naughty things.”
While no measures are 100%, software exists that will keep companies as well-protected as possible. The problem is that so many businesses aren’t using this software or don’t update theirs regularly enough. “If you kept up-to-date with all your products and patches, you could be incredibly secure,” says Facey. “One thing we find, however, especially with larger companies, is that there is a ‘legacy’ product – one which they’ve been using for a long time – and you can’t modify, update or replace it easily, which can lead to security issues.”
Credit cards are of particular interest to hackers, and over the last three years British businesses have paid out more than £878,000 as a result of unauthorised access to cardholder data. According to card processing services company Worldpay, instances of fraud rose by 80% in February alone this year, following the Christmas shopping period. Tim Lansdale is head of payment security at Worldpay and works with some pretty big names in the franchising world, including Clarks. Lansdale recommends that when endeavouring to prevent data breaches, franchises should be Payment Card Industry Data Security Standard (PCI DSS) compliant, which is a standard for organisations that handle branded credit cards from the major card schemes including Visa, MasterCard and American Express. “This inevitably makes your company more secure,” he says.
Once you are compliant, Worldpay can work with you on a one-to-one basis at an affordable rate to ensure you stay on top of your IT security. The cost of cyber liability and data cover is relatively inexpensive overall when compared to the damage that can be done. You can take the decision now to invest in some decent software, or take the risk of not paying that £100 for another year and leave yourself open to all sorts of trouble.
As smaller companies often have less money to spare, they are most open to risk. It therefore makes most sense for a franchisor to include data breach prevention measures in their initial package to franchisees. In Lansdale’s experience, IT security should be more comprehensively included at the outset in the franchisor package.
Lansdale also recommends measures such as changing passwords, regularly testing your firewalls and destroying all card data records when you no longer need them.
Another area you could look into is insurance. Moreland is one of six brokers in the UK that has been chosen to pilot a new product to protect businesses against cybercrime.
“We’re now in a situation where there is a big gap in cyber liability in most businesses,” says Maurice Logie, director at Moreland. “They take it for granted but when it comes to insurance coverage the market is only now catching up.” But the UK isn’t alone – even in the US only 40% of companies have got cyber insurance. “It’s a big, big issue,” says Logie.
Everyone has a story, whether they were hacked or their credit card was used for something dodgy. The same is happening in the world of business – and a lot goes undetected. “If you’ve been the victim of cyber crime, you’re not going to put your hand up and admit it,” says Logie. “It’s a kind of iceberg syndrome in that there’s a lot happening below the surface.”