Food services and retail are known to have high turnover of staff. But how does this affect the cyber security of these businesses? In short, the risk increases unless your HR and IT are joined up.
Why does the threat increase?
Imagine the situation...
You employ a bright, talented person for a summer job.
They help with stock inventory and a bit of purchasing, so they are given a login to your internal system, which can be accessed remotely. They know a bit about social media, so you give them the passwords for your social media accounts so they can help there as well. You don’t want to issue a company device for such a short stay, so they log in from their own device when required.
And they then leave. Which is what you expected.
But… you don’t remove their access to your systems, or you don’t realise how many systems you have given them access to and only remove some.
There could be two scenarios:
1. The staff member didn’t leave voluntarily.
They are angry and want to pay you back for not seeing them as the “must have” employee they certainly are.
They realise that they have access to your social media accounts and decide to have a rant on there, describing in all the gory details about how bad an employer you are, along with insulting your customers and suppliers. That might be a blow to your reputation.
2. The staff member left as expected on good terms, but they were lax with their own cyber security.
They reused the same password across your systems and their personal accounts, and one of those personal accounts was in a data breach. Because they registered that personal account with their company email address, the leaked list hands criminals a company email address and a working password, which they then try against your remotely accessible systems. You haven’t got around to enabling 2FA yet, so the criminal is in.
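As an added example, not part of the original article: the check behind the breach lists described above, and the same check staff can run on their own passwords. The Pwned Passwords service answers "has this password appeared in a breach?" without ever receiving the password: only the first five characters of its SHA-1 hash are sent, the service returns every hash suffix in that range with a count, and the comparison happens locally. The script below implements that lookup. The range response is a constructed sample with made-up counts (not real service figures), so the demo runs offline; the function names are mine.

```python
import hashlib
import urllib.request

# Real Pwned Passwords range endpoint; the offline demo below never calls it.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Only the 5-character prefix leaves your network; the 35-character suffix is compared locally."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Padded responses may include count-0 entries."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def times_pwned(password: str, ranges: dict[str, str]) -> int:
    """How often the password appears in the breach corpus, given prefix -> range body."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(ranges.get(prefix, "")).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one range (needs network). Not used by the offline demo."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix, headers={"User-Agent": "leaver-password-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts with 5BAA6).
# The counts are invented for this example and are NOT real Pwned Passwords figures.
SAMPLE_RANGES = {
    "5BAA6": """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
00A0B5B8F9C0B7D6E5F4A3B2C1D0E9F8A7B:0
7F3C2D1E0F9A8B7C6D5E4F3A2B1C0D9E8F7:3
"""
}

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 2024!"):
        prefix, _ = split_for_range_query(candidate)
        hits = times_pwned(candidate, SAMPLE_RANGES)
        print(f"{candidate!r}: prefix sent={prefix}, seen {hits} times in sample data")
```

A password that comes back with a non-zero count is already in criminals' wordlists and should be changed wherever it is used; a zero count is not proof that a password is strong, only that this particular breach corpus has not seen it.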
What will they do now?
Data theft, ransomware, malware? The possibilities are bound to have a criminal rubbing their hands in glee. Oh, and guess what: you added them as an admin, so the criminal can do virtually as they wish.
What can you do?
Make sure that access to your systems is limited to the people who need it – the fewer people who can get into key systems, the better.
Know what systems each user has access to – then you also know what needs to be removed or changed when they leave or change roles.
Have a procedure for when people leave your business to get their access removed as soon as possible. This needs to be physical and virtual access.
Speak to your staff about your expectations for cyber security, such as not reusing passwords and not using their company email for personal accounts. Show them haveibeenpwned.com and get everyone to check whether their email addresses appear in known breaches. We offer affordable staff awareness training, tailored to your company, through our local university students, who are trained and mentored by senior ethical hackers. Just contact us for a free no obligation quote.
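As an added example, not from the article, here is the kind of access register the points above describe, kept as a small script: it lists everything a leaver holds together with the action that actually removes it (a shared social media password or a door key needs something other than disabling a login), flags access still live after an agreed end date, and shows who holds admin rights. The register entries are constructed for the summer-worker story, and the function and field names are mine.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Access:
    person: str
    system: str
    kind: str        # "account" (their own login), "shared_credential" (a password several people know) or "physical"
    role: str        # e.g. "user", "admin", "key holder"
    end_date: date   # agreed last day; access still live after this is stale
    active: bool     # True while the access is still live


def _as_date(value):
    """Accept either a date or an ISO string such as '2024-09-15'."""
    return date.fromisoformat(value) if isinstance(value, str) else value


# Constructed sample register matching the summer-worker story; not real data.
REGISTER = [
    Access("summer_worker", "stock system (remote)", "account", "admin", date(2024, 8, 31), True),
    Access("summer_worker", "company email", "account", "user", date(2024, 8, 31), True),
    Access("summer_worker", "shop Instagram", "shared_credential", "poster", date(2024, 8, 31), True),
    Access("summer_worker", "back door key", "physical", "key holder", date(2024, 8, 31), True),
    Access("manager", "stock system (remote)", "account", "admin", date(2099, 1, 1), True),
    Access("manager", "shop Instagram", "shared_credential", "poster", date(2099, 1, 1), True),
]

# What "remove access" means for each kind. Disabling a personal login does nothing about
# a password the leaver still knows and other staff still use.
ACTIONS = {
    "account": "disable the login and end any active sessions",
    "shared_credential": "change the shared password and give the new one only to remaining staff",
    "physical": "collect the key or badge, or change the lock/code if it cannot be returned",
}


def offboarding_plan(register, person):
    """Every live access the leaver holds, with the action that actually removes it."""
    return [(a.system, a.kind, ACTIONS[a.kind])
            for a in register if a.person == person and a.active]


def stale_access(register, today):
    """Access still live after the holder's agreed end date: the gap the story above turns on."""
    today = _as_date(today)
    return [a for a in register if a.active and a.end_date < today]


def admin_holders(register):
    """Who currently holds admin rights; the shorter this list, the better."""
    return sorted({a.person for a in register if a.active and a.role == "admin"})


if __name__ == "__main__":
    for system, kind, action in offboarding_plan(REGISTER, "summer_worker"):
        print(f"{system:22} {kind:18} -> {action}")
    for a in stale_access(REGISTER, "2024-09-15"):
        print("STALE:", a.person, "still has", a.system)
    print("admins:", admin_holders(REGISTER))
```

A spreadsheet with the same columns does the job just as well; the point is that the list exists before the person leaves, covers physical as well as virtual access, and is checked against end dates rather than relying on someone remembering.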
Further guidance & support
The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the aim of increasing cyber resilience of SMEs within the East of England.
We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.
Policing led - business focussed