5.2 FINDINGS OF THE RESEARCH
5.2.2 Research sub-question 2 Policies and measures
This research sub-question seeks to assist the researcher to explore what policies and measures have been put in place by hospitality SMMEs to ensure customer security. The empirical data results for this research sub question are discussed in Chapter 4 (Section 4.3.1).
What policies and measures are in place for businesses to ensure customer security when conducting online business?
This research sub question also assisted the researcher to explore what policies and measures have been put in place to curb security breaches. Considering that personal data is important to the hospitality industry, companies are expected to put measures in place to ensure security. Even though the majority of the respondents indicate that they understand the importance of policies, a considerable percentage of the respondents do not have these in place. Without security policies, there will not be a document available to specify how to safeguard confidentiality, integrity and availability of information. Technology alone cannot effectively address security breaches, these SMMEs are thus putting customers’ information at risk. A combination of both technology and human aspects can assist in dealing with security issues effectively. Some respondents indicated that they have policies but they are not enforced. This makes security policies somewhat useless. Surprisingly, some respondents indicate that they do not have any security measures in place to minimise security breaches, as a result making it easy to compromise their information. It is noted that the majority of respondents indicate that they encourage their employees to follow provided guidelines. Considering the importance of information security policies, it is of paramount importance to ensure that these documents reach their target audience. Some respondents admit that even though they have security policies, they are not presented to employees who are sometimes the targets. As a result, staff members struggle to effectively deal with breaches without any documentation. On the other hand, some SMMEs do not take precautions to avoid data loss.
Fifty percent of the respondents indicate that they do not have password policies. According to Bafna and Kumar (2012:130), in order to enhance the security of passwords, SMMEs must make use of a set of rules, commonly known as password policies. These findings indicate that these respondents’ information resources are at risk because staff members may not be aware of how to keep passwords secure.
Without password policies, staff members will in the dark on how to formulate passwords that cannot be cracked easily. They also would not know that they are not supposed to share passwords with anyone. Considering that phishing is on the rise, respondents who indicate that they do not have password policies are putting their information resources at risk because staff members may end up revealing their passwords to strangers.
Unauthorised access, which has the capability to cripple a company’s information systems, appears not to be given the attention it deserves. Considering that unauthorised access is carried out by people with a motive of taking subversive action, it needs to be minimised at all cost. The lack of procedures to deal with unauthorised access is tantamount to disaster. It equates to the lack of measures to address rising security breaches, which can result in loss of critical data. Unauthorised access can also be as a result of both inside or outside attacks. These companies are not immune to unauthorised access, as some respondents reveal that they have been victims of such attacks. It is of great concern, considering the impact that can be caused by unauthorised access.
Insider attacks appear to be common amongst hospitality SMMEs. For example, 10.7 per cent (section 4.3.1) of respondents disclose that they have been victims of insider attacks. This indicates that hospitality SMMEs are not immune to such attacks as it was previously thought. It is probable that some insider attacks might go unnoticed because insiders are familiar with company’s information systems.
Theft of computers appears to be another problem that is a concern for hospitality SMMEs. A total of 35 per cent (section 4.3.1) of respondents indicate that they have been victims of computer theft. Considering that computers and laptops are used to store data, losing these can have serious consequences to the business.
Virus attacks are common amongst SMMEs in the hospitality industry. As long as this problem persists, there is always a risk of losing information. Virus attacks have the capability of causing damage to company resources, especially those companies that deal with confidential data. It is found that some respondents fail to update their anti- virus software. The lack of updated anti-virus software will leave company information
It is evident that SMMEs are aware of the implications of exposing confidential information, especially client information, but they tend to fail where it matters most, putting measures in place. For example, some respondents indicate that they do not make use of devices to minimise security breaches. Considering that all respondents are connected to the Internet and deal with confidential data on a daily basis, they are taking a serious risk by not making use of any device. Hospitality SMMEs deal with confidential customer data that needs to be protected. Although these companies are aware that it is their responsibility to ensure that they monitor all external and internal distribution of paper work, and removal of media that contains client information, some companies however, still fail in this regard. This can have serious implications for the company should a breach occur as a result of this type of negligence.
5.2.2.1 Research sub-question 2 summary
Respondents appear to understand the importance of putting security measures in place to address security breaches. However, they tend to be slow to put this into practice. Information security policies can play an important role in addressing internal attacks but it appears that many hospitality SMMEs are not making use of this. Some of the respondents have policies in place but they do not enforce them, rendering them useless. In some instances, security policies are not properly distributed making them inaccessible to staff members. Even though passwords are commonly used by SMMEs, the majority of respondents fail to implement password policies. As a result, staff members might not know the details of password control. Virus attacks appear to be common amongst SMMEs but some respondents fail to update their anti-virus software on a regular basis. Unauthorised access which can also contribute to loss of information is not properly addressed. Respondents appear to understand the importance of keeping customer information secure as a majority of the respondents disclose that they have a procedure to make sure that customer information is kept secure. Customers are the reason why these companies are in business and therefore they cannot afford to expose their customer information.
5.2.3 Research sub-question 3-Information security training
This research question seeks to assist the researcher to investigate if hospitality SMMEs provide security training and if they do, what type of training is done. This research reveals that close to a third (section 4.3.2) of the respondents indicate that they do not provide security training to new employees.
To what extent is security training provided in the hospitality SMMEs?
By failing to provide security training to new employees, companies are putting themselves at risk. Companies that provide training to their staff members, help in internalising knowledge and skill so that employees take decisions that are in line with company objectives. Without training, employee mistakes will persist and some mistakes can be costly. It is known that fraudsters are becoming more sophisticated and poor training or the lack of it, can lead to security breaches that can cost companies dearly. Equipped with a security program, staff members will know their roles and be aware of their responsibilities and as a result, will assist IT personnel in minimising security breaches. This program can reduce losses as a result of intentional or accidental disclosure or modification of information.
A total of 69.6 percent (section 4.3.2) indicate that they do not have security awareness programs to help employees keep up with security developments. Knapp
et al., (2009:499) indicate that and awareness are intertwined when applied to security. The fact that most of these companies do not have awareness and training programs in place, results in security breaches and employee mistakes will persist. Considering that some respondents disclosed that their networks are regularly being tampered with, it therefore makes sense to provide training and awareness programs for staff members. This will equip them to effectively deal with attacks that may confront their companies.
It is revealed that spam mail is common amongst these companies. Training can help reducing security because it alerts employees to a number of issues. This includes information security, including spam mail. It is revealed that fraudsters make use of phishing which can be in the form of spam mail to trick users into revealing sensitive information. Employees will be able to differentiate between spam mail and legitimate mail if they are provided with suitable training.
5.2.3.1 Research sub-question 3 summary
Training appears to be alien to some hospitality SMMEs. Some respondents indicate that they do not provide training or induction to new employees. Considering that employees’ mistakes are costing companies in monetary terms, it is of concern that some respondents indicate they do not provide training to new staff members.
Hackers have become sophisticated and use various techniques such as social engineering to coerce users into revealing their log-in details. It is therefore, crucial to empower employees to ensure they do not fall into the trap of hackers. Trained staff members will understand how to deal with spam mail.
5.2.4 Research sub-question 4 customer protection in an online environment