Besides the obvious challenges and confusion we are all facing during the COVID-19 pandemic, we are also facing concerns over what personal information we share and who we share it with. We are being asked to provide personal information to restaurants and hairdressers to assist in monitoring exposure to the coronavirus. If that is not confronting and confusing enough, we are also being made aware that cybercrime is on the increase more than ever before. Without tougher regulations on who we need to share our private information with, it is open season for cybercriminals, and they are taking full advantage of us all.
Cybercriminals are interested in two things: money and information. To make their job a lot easier, cybercriminals will target unsuspecting average Joes, because let’s face it, hacking into financial systems or monetising stolen credit cards is not always an easy task. Targeting individuals is the ‘easier’ option, as they only need to trick one person (the average Joe) who is not always aware of the threats, as opposed to infiltrating an organisation’s IT network. Stealing information is also less dangerous, because in most cases, it is more difficult to block or track the use of information compared to tracking stolen money.
Not being able to track information has led to a huge increase in cyber-attacks on governments, businesses within all industries and individuals. As countries start to ease their COVID-19 restrictions, governments are implementing legal requirements on businesses to keep control of the rate and spread of the virus. But, by making it a legal requirement for restaurants, retail shops, and other businesses to store information like the mobile number, email address and full name of every customer who walks in, it is making a cybercriminal’s job that much easier.
New Zealand, and some states in Australia, have already enforced these regulations and more countries are likely to follow. Residential properties open for inspection, hairdressers, shoe stores and venues that host weddings or funerals must now keep a record of all patrons. We understand these requirements may assist in contact-tracing of coronavirus if a patron tests positive in the weeks after visiting that venue. The idea is that other patrons can be alerted to the fact that they may have come into contact with someone who is infected. On the flip side, however, this poses a huge risk to the private information of patrons by giving cybercriminals easy access to it. The most likely cause of this easy access is that most of the businesses collecting the data will not have adequate security measures in place to keep details private.
One of the biggest threats for your business, if information is stolen, is cybercriminals using it to perform phishing attacks. They use the stolen information to contact clients while posing as a fictitious person working for your business and, “Presto!” – they have obtained information directly from the source. The outcome of this is not going to bode well for your business. Not only will you have very annoyed and angry customers, because you allowed their information to be stolen, but the damage to your business’ reputation will be something you may never recover from. After all, who will want to shop or dine at your business when they are knowingly putting themselves at risk of having their personal information hacked? And let’s not forget the large fines that are imposed on businesses in cases of data breaches.
We understand these new regulations might be hard to navigate, but there are some simple steps you, as a business owner, can implement to increase data security and protect your clients.
• Choose a data storage vendor who offers data security measures. Wherever you choose to store customer information, whether it’s local storage or in the cloud, security measures are a must. It is advisable to choose a well-known vendor who offers secure data storage and then rely on their protection.
• Only store necessary information. Do not collect information you are not obliged to keep. In this situation, the less information you have, the better.
• Keep your system credentials secure. Only share your credentials with relevant parties.
• Implement two-factor authentication. This is already considered a basic security measure. It means that access to the stored information can only be obtained after authenticating via two different methods, for example, a typed password and a code sent to your mobile number. This makes it harder for hackers, as they must gain access to both credentials to infiltrate the system.
• Ignorance is no excuse. Be aware of the law. If it defines the exact length of time the records need to be kept, configure your systems to delete information after the set number of days. Keeping the information for longer than defined exposes your business to a higher risk. If possible, implement systems to help you follow local regulations to support this endeavour.
• Inform your patrons. There is no harm in informing your customers of the additional security measures your business has implemented. This will make them far more confident in passing over their private information in the world of COVID-19.
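
The "only store necessary information" and "delete information after the set number of days" steps above can be enforced in software rather than left to memory. The sketch below is an added example, not part of the original article: it uses Python's built-in sqlite3 module, and the table layout, field names and 28-day value are assumptions to replace with what your local regulation defines.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: placeholder value. Use the period your local regulation defines.
RETENTION_DAYS = 28
# The details the article says venues are asked to record, and nothing else.
ALLOWED_FIELDS = ("full_name", "mobile", "email")

def open_register(path=":memory:"):
    """Open (or create) the visitor register. Table layout is hypothetical."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS visits ("
        "full_name TEXT NOT NULL, mobile TEXT, email TEXT, "
        "visited_at INTEGER NOT NULL)"  # UTC epoch seconds
    )
    return db

def record_visit(db, submitted, when=None):
    """Keep only allow-listed fields; extra form fields are never stored."""
    when = when or datetime.now(timezone.utc)
    kept = [submitted.get(field) or None for field in ALLOWED_FIELDS]
    db.execute(
        "INSERT INTO visits (full_name, mobile, email, visited_at) "
        "VALUES (?, ?, ?, ?)",
        (*kept, int(when.timestamp())),
    )
    db.commit()

def purge_expired(db, now=None):
    """Delete records older than the retention period; return how many."""
    now = now or datetime.now(timezone.utc)
    cutoff = int((now - timedelta(days=RETENTION_DAYS)).timestamp())
    deleted = db.execute("DELETE FROM visits WHERE visited_at < ?", (cutoff,)).rowcount
    db.commit()
    return deleted

if __name__ == "__main__":
    # Constructed sample data, not real visitors.
    db = open_register()
    now = datetime.now(timezone.utc)
    record_visit(db, {"full_name": "Sample Patron", "mobile": "000-0000",
                      "date_of_birth": "1990-01-01"}, now - timedelta(days=40))
    record_visit(db, {"full_name": "Other Patron",
                      "email": "patron@example.invalid"}, now - timedelta(days=5))
    print("purged:", purge_expired(db, now))
    print("kept:", db.execute("SELECT full_name, mobile, email FROM visits").fetchall())
```

Run `purge_expired` on a schedule, for example once a day, so that deletion does not depend on someone remembering to do it.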