Hacking, online security breaches, phishing — call it what you will — mean that the issue of computer security is something pubs cannot now ignore.
Consider the Dog & Partridge, a Staffordshire pub that had its website hacked by Islamic extremists. It was reported in April that a group called El Moujahidin had replaced the pub’s usual homepage with calls to halt any killing of Muslims while calling for a ‘free’ Palestine and Syria.
While the Dog & Partridge incident was irritating, it was relatively benign. Other hacking incidents have been more dangerous. In the US, in June 2011, antivirus software company Bitdefender detailed how hackers stole dozens of customer credit and debit card numbers after hacking into the computer system of Conor O’Neill’s Irish Pub in Michigan.
There are countless cases of firms having their computers locked down and held to ransom after being infected with CryptoLocker.
Breach statistics
The Government’s 2014 Information Security Breaches survey has shown that 60% of small firms experienced a breach of some kind while 81% of large firms have been targeted. In some cases, the damage caused by the intrusion cost more than £1m but, for small firms, the average cost ranged from £65,000 to £115,000.
Interestingly, 36% of the most severe security breaches were caused by inadvertent human error, and 58% of small businesses suffered staff-related security violations.
Joe Ross writing on the Huffington Post says: “Cyber security can be overwhelming and when you have to worry about all other aspects of running your businesses, it is often overlooked. Yet there are many things a small business owner can do to protect their information that don’t take a lot of time, money or manpower.”
Protection matters
Putting the worrying background to one side, what should pubs be doing to protect themselves?
The first thing to realise is that you can never be totally safe. The best you can do is minimise the risk of attack. Users should never be so naive as to think that they are invulnerable.
The next step is to understand exactly what is at risk, i.e. your data and equipment. Just think of what you hold and use — employee and customer information, payroll data, banking credentials, pricing, card details and performance information, etc. In terms of equipment, think of computers, tills, web-connected printers, telephones, broadband and data back-up systems.
It’s important to realise the threats are not just external (as in career criminals); they can also be competitors or current and former employees. And remember that a cyber attack doesn’t necessarily mean an attack by a rogue gang armed with banks of computers; it can be an employee who abuses a system for their own benefit.
For example, a small family-run publishing house in Sussex suffered a £210,000 loss over six years at the hands of its bookkeeper, who had access to the accounts system. The bookkeeper received a two-year jail sentence. Meanwhile, a pub manager abused the card machine of the Old Devil Inn in Knowl Hill, Berkshire, to steal almost £22,000 from the pub — the manager received a 16-month jail term in January 2012.
Plan for an attack
Before any steps can be taken to reduce the risks, you need to assess your present security measures.
Detail your records, where they’re stored and how they’re protected, and look at what equipment you use and which companies provide critical services to the pub.
Are there alternatives in case of disaster? For example, if your computers are held to ransom, how would you work or recover the records?
Are your staff briefed on security? Are they lax when choosing passwords? Are they aware of how important it is to not discuss information with third parties? Do you change passwords when staff leave?
Putting a new regime in place
Controlling access to your network is the first line of defence. This means turning on the firewalls on your computers and network devices. Also, take care of your wireless networks by enabling the strongest encryption allowed, engaging MAC address filtering and turning off the SSID broadcasting.
In simple terms, the encryption is akin to a lock on your front door; the MAC address filter can be likened to an approved guest list; and the SSID is the name the device broadcasts to other network devices — sometimes the default setting broadcasts a product name that helps hackers identify and crack it.
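Applied to a Linux access point running hostapd, the three wireless settings above can be checked with a short audit script like this one. It is an added example, not part of the original article: the hostapd option names are real, but the two sample configs are constructed and the default-SSID prefix list is illustrative.

```python
# Added example: audit a hostapd-style access-point config for the article's
# three Wi-Fi controls (strong encryption, MAC filtering, hidden SSID).
# Both configs below are constructed samples, not real pub networks.

WEAK_CONF = """\
interface=wlan0
ssid=TP-LINK_A1B2
wpa=0
ignore_broadcast_ssid=0
macaddr_acl=0
"""

HARDENED_CONF = """\
interface=wlan0
ssid=StaffNet-Back-Office
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""

# Illustrative vendor default-name prefixes (the "product name" the article warns about).
DEFAULT_SSID_PREFIXES = ("TP-LINK", "NETGEAR", "BTHub", "SKY")


def parse_conf(text):
    """Parse key=value lines, ignoring blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    c = parse_conf(text)
    findings = []
    if c.get("wpa", "0") != "2":
        findings.append("encryption: WPA2-only (wpa=2) not enabled")
    else:
        ciphers = (c.get("rsn_pairwise") or c.get("wpa_pairwise") or "").split()
        if ciphers != ["CCMP"]:
            findings.append("encryption: pairwise cipher must be CCMP only (no TKIP)")
    if c.get("macaddr_acl", "0") != "1" or not c.get("accept_mac_file"):
        findings.append("access: MAC address filtering off (macaddr_acl=1 + accept_mac_file)")
    if c.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ssid: network name is broadcast (set ignore_broadcast_ssid=1)")
    if c.get("ssid", "").upper().startswith(DEFAULT_SSID_PREFIXES):
        findings.append("ssid: looks like a vendor default name; rename it")
    return findings
```

The encryption check does the real work; the MAC list and hidden SSID only narrow casual access, so treat them as the guest list and not the lock.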
You need good antivirus software on all computers — PCs and, to a lesser extent, Apple Macs. As one unnamed Oxfordshire NHS surgery recently found, once a virus is loaded onto one networked computer, it can quickly propagate around the whole network, causing pandemonium. The lesson? Lock down computers so that only acceptable sites can be reached. At the same time, ensure all computers are regularly updated so that software patches are applied.
Educate employees
Part of the solution is also to educate employees (and write policies) as to what they can and cannot do with a computer, and the best practices of data security (and passwords).
The advice on email is to be careful about what is opened and which links are followed. The best phishing scams replicate legitimate organisations and seek information that can be used to log on to accounts without the need to hack. Don’t let browsers store passwords, and look for ‘https’ in the web address of any organisation you are logging in to so that the connection is shown to be secure.
Secure the equipment — this means restricting the use of USB memory sticks and external hard drives. This makes it harder for anyone to take data off the premises and also reduces the risk of data being lost.
Manage user rights for systems and control access to sensitive equipment and data. Ensure day-to-day user accounts don’t have administrator rights, which would allow users (or hackers) to easily change system settings or load unauthorised software.
Only collect and store data that you need. The Data Protection Act 1998 makes this clear but, in simple terms, one way to limit the risk of breach is to simply not collect and store information beyond what is necessary, because whatever you do collect has to be protected.
Invest in regular credit report checks looking for unauthorised activity or an unexpected drop in credit rating.
These can be signs that your systems have been compromised. Credit reference agencies — see http://www.bipa.uk.com — provide various products to alert subscribers to suspicious activity.
For best practice on data security visit www.ico.gov.uk.