Does the high turnover of workers within the retail & food industry increase the risk of cybercrime?

Food services and retail are known to have high turnover of staff. But how does this affect the cyber security of these businesses? In short, the risk increases unless your HR and IT are joined up.


Why does the threat increase?

Imagine the situation...


You employ a bright, talented person for a summer job.


They are helping with stock inventory and a bit of purchasing and because of this have access to your internal system, which can be accessed remotely. They have a bit of knowledge about social media so you add them to your socials so they can help there as well. You don’t want to give them a company device as they are only there for a short while, so they use their own device to log in when required.


And they then leave. Which is what you expected.


But… you don’t remove their access to your systems, or maybe you don’t realise the extent of the systems you have given them access to and only remove some.


So what?

There could be two scenarios:


1. The staff member didn’t leave voluntarily.

They are angry and want to pay you back for not seeing them as the “must have” employee they certainly are.

They realise that they have access to your social media accounts and decide to have a rant on there, describing in gory detail how bad an employer you are, along with insulting your customers and suppliers. That might be a blow to your reputation.



2. The staff member left as expected on good terms, but they were lax with their own cyber security.

They reused their password across your systems and their personal accounts, one of which was in a data breach. Cyber criminals obtain a list with their email account (they used your company one for some reason) and try their password on your systems. You haven’t got around to enabling 2FA yet, so the criminal is in.

What will they do now?

Data theft, ransomware, malware? The possibilities are bound to have a criminal rubbing their hands in glee. Oh, and guess what, you added them as an admin so that means the criminal can virtually do as they wish.


What can you do?

  1. Make sure that access to your systems is given only to those people who need it – the fewer people who can get access to key systems the better.

  2. Know what systems users have access to – then you also know what needs to be removed or changed when they leave or change roles.

  3. Have a procedure for when people leave your business to get their access removed as soon as possible. This needs to cover both physical and virtual access.

  4. Enable two-factor authentication (2FA).

  5. Speak to your staff about the expectations that you have for cyber security – such as not reusing passwords or using your company email for personal accounts. Show them haveibeenpwned.com and get everyone to check whether their accounts have been compromised. We offer affordable staff awareness training, tailored to your company, through our local university students, who are trained and mentored by senior ethical hackers. Just contact us for a free no obligation quote.
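One way to join up HR and IT for steps 2 to 4, as an added example that is not part of the original article: it reconciles an HR leavers list against per-system account exports and flags accounts still enabled for leavers, plus admin accounts without 2FA. The CSV layouts, system names and email addresses are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR roster and a combined per-system account export.
HR_ROSTER = """email,status,leave_date
sam@example.test,left,2024-08-30
priya@example.test,active,
lee@example.test,left,2024-09-13
"""

ACCOUNTS = """system,email,role,mfa_enabled,enabled
stock-system,sam@example.test,admin,no,yes
social-media,sam@example.test,editor,no,yes
stock-system,priya@example.test,admin,no,yes
door-fob,lee@example.test,user,n/a,yes
stock-system,lee@example.test,user,yes,no
"""

def review_access(hr_csv, accounts_csv, today):
    """Return findings (severity, system, email, reason), worst first."""
    leavers = {}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        if row["status"] == "left":
            leavers[row["email"].strip().lower()] = date.fromisoformat(row["leave_date"])
    findings = []
    for acc in csv.DictReader(io.StringIO(accounts_csv)):
        if acc["enabled"] != "yes":
            continue  # access already removed, nothing to report
        email = acc["email"].strip().lower()
        is_admin = acc["role"] == "admin"
        if email in leavers and leavers[email] <= today:
            # Physical (door fob) and virtual access are treated the same way.
            days = (today - leavers[email]).days
            severity = "HIGH" if is_admin else "MEDIUM"
            findings.append((severity, acc["system"], email,
                             f"leaver still enabled after {days} days"))
        elif is_admin and acc["mfa_enabled"] == "no":
            findings.append(("MEDIUM", acc["system"], email, "admin without 2FA"))
    order = {"HIGH": 0, "MEDIUM": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))

if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ACCOUNTS, date(2024, 9, 20)):
        print(*finding, sep=" | ")
```

Run it on a schedule against fresh exports so that a leaver's remaining accounts show up within days rather than after an incident.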


Further guidance & support

The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the aim of increasing cyber resilience of SMEs within the East of England.


You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.


We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.


Policing led - business focussed



The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.