Why Senior Business Managers Need More Security Education

Alex Morkos | Co-founder and Director | Aleron
Why Senior Business Managers Need More Security Education

Why Senior Business Managers Need More Security Education

Businesses are becoming more aware of the need for strong cybersecurity at all levels.

Data breaches can affect a brand’s image, leading customers to wonder if they can trust the brand. Even if just one franchisee is struck by a significant data breach, the reputational damage can extend to all businesses in the franchise.

Franchisors have, in some US cases, even been held responsible for franchisees’ data breaches. This creates a worrying precedent for franchisors who need to do what they can to help franchisees keep systems secure.

With new legislation such as the mandatory Notifiable Data Breach (NDB) scheme in place, the stakes are getting higher all the time. NDB legislation means businesses have to report a data breach if it’s likely to result in serious harm to individuals. The business must notify both the affected individual(s) and the Office of the Australian Information Commissioner. Failing to comply can result in fines and penalties. It can also make it difficult for businesses to build trust relationships with their customers.

The definition of serious harm includes financial losses such as those that would occur if your database was breached and your customers’ credit card details were stolen, for example. However, serious harm doesn’t have to be financial; it can be emotional or psychological. So, if you have information about your customers that, if exposed, would cause embarrassment or discomfort, that could fall under the definition of serious harm.

To avoid this, franchisors and franchisees need to take cybersecurity extremely seriously. This includes seeking education to ensure you’re not missing any potential gaps that could leave your business vulnerable.

Franchise businesses can be vulnerable to attack because they believe they’re a low-priority target for cybercriminals, so they invest less time and funds in securing the organisation compared to larger organisations. However, even smaller businesses can be highly attractive to cybercriminals, often because cybercriminals know that their mistaken belief in safety or immunity will translate to inadequate security.

Franchise businesses have two options when it comes to security. The franchisor can mandate a uniform approach and solutions throughout the franchise network. Or, alternatively, the franchisor can let the franchisees determine their own security posture. Both approaches have pros and cons.

For example, if a franchisor has strong security measures in place with very few gaps, then passing this same approach to its franchisees means they will all have equally strong security. However, if a franchisor’s security has a vulnerability, cybercriminals can then use that vulnerability to attack all the franchisees, netting them a bigger target and causing a bigger problem for the organisation.

Letting each franchisee determine their own security approach can also be risky. Many franchisees aren’t security-savvy enough to know whether their security measures are really strong enough to keep cybercriminals out.

This means vulnerabilities can be overlooked and a cybercriminal can gain access to the franchisee’s systems. Then, it could be possible for the attacker to use that opening to gain access to the franchisor’s own systems and spread the attack throughout the entire franchise network, just because of a vulnerability in a single franchisee’s systems.

Complexity is added when you consider how many third parties work with franchises. For example, if your franchise outsources its Point of Sale (POS) system to a third party, then your business depends on the security of that system. If the third-party provider has vulnerabilities, then cyberattackers can use those to access not just your franchise network but the networks of all the businesses working with that third-party provider. In the case of POS systems, that means cybercriminals can access customer payment information, which would potentially fit the ‘serious harm’ definition under the NDB scheme.

To overcome these challenges, franchisors and franchisees need to seek education to ensure you’re aware of the security risks and vulnerabilities your organisation could face, and you need to take all possible steps to put cybersecurity at the top of your agenda.

According to recent research by Kaspersky Lab, only 12 per cent of employees know or understand their information security policy. When 88 per cent of an organisation doesn’t even know what’s required of them to help keep the business secure, this indicates a significant problem. Even more worrisome, around a quarter of employees surveyed for the same report said they believe their organisation doesn’t even have any established security policies. This means either these organisations are trusting their continued ability to operate to luck, or their employees are simply unaware of what the organisations are doing to stay safe from cyberattacks.

Employees have always been the top security risk factor in organisations. A business can have the most advanced security technology in place but if its employees don’t abide by security policies and processes, it will be easy for malicious hackers to get around the technology barriers. All it takes is for an employee to click on a suspicious link, provide their password to a third-party, or insert an infected USB stick into their laptop and the entire organisation could be compromised.

Since human error is such a huge contributor to successful cyberattacks, this low level of security awareness should prompt all franchisors and franchisees to revisit their approach to the awareness of their security policies and communicate clearly to employees regarding what is expected of them.

Security attitudes in an organisation come from the top down, so it’s important for franchisors to set the tone in terms of the amount of focus given to security. It needs to be made clear that security is everyone’s responsibility, and no one is immune from attacks.

In fact, executives at the top of an organisation have proven to be lucrative hunting grounds for phishing attacks. These social engineering schemes work by sending an email to an executive. The email looks like it’s from a reputable source and it contains a link for the executive to click on. Often, the email will contain a message along the lines that the executive needs to re-enter their password to a crucial system. The link in the email doesn’t connect to that system, but to a dummy website created by the cyberattackers and designed purely to collect the executive’s  credentials.

Once the executive has entered their credentials, the phishing attack has been successful. Now the cybercriminal can easily access all of the organisation’s systems simply by entering the executive’s username and password. By nature, executives have full access to all a company’s systems, so from here it’s easy for the cybercriminal to do real damage. They can deploy malware that sabotages the system, or they can simply view and steal information ranging from customer details to commercially-sensitive data.

Even though high-ranking executives are hot targets for this sort of attack, many of them resist the calls for training and education, either because they’re so busy with operational concerns that they feel they don’t have time for training, or because they don’t believe they would fall victim to such an obvious attack.

The problem is, the attacks aren’t always so obvious, and many executives fall for these attacks every day. Individual intelligence alone is no protection against sophisticated phishing attacks. Instead, executives need to be educated regarding what a phishing attack looks like and what to do if they receive a suspicious email.

Executives also need to be educated about the importance of keeping their own systems secure. A lost or stolen smartphone could potentially give cybercriminals full access to the company’s network if the executive hasn’t password-protected it. Everyone in the organisation needs to maintain constant vigilance, and that is especially true for high-value targets like C-level executives.

Regardless of whether you’re an executive at a franchisor or you’re the franchisee, you should insist on receiving appropriate training to avoid the nightmare scenario of accidentally compromising the entire business. With the consequences of attacks being far-reaching and, potentially, expensive, security is no longer an IT-only concern. Rather, it’s now a boardroom issue that demands attention at the highest levels. This issue has never been more urgent as the threat landscape continues to expand and worsen. You must act now to keep your business safe.

Alex is the co-founder and director of cyber security consulting firm Aleron. He has 20 years’ experience in IT security consulting and management. Alex has managed and implemented IT  security projects at several leading financial institutions, including Westpac, Commonwealth Bank, Suncorp Group and Macquarie Bank.

Aleron was established in 2010 to provide skilled and experienced information security consultants and engineers. Aleron provide IT security consulting, technical implementation and staff augmentation to deliver a variety of specialised security skills and functions. Aleron provides cyber security services across multiple industries including financial services, retail, construction and education. Some key clients are CBA, Westpac, McDonald’s,  Woolworths, Coles FS, Superannuation, and Insurance companies.

Contact Alex on:

0400 090 074
amorkos@aleron.com.au
www.aleron.com.au