Are you employing reliable cyber security measures when hiring new team members?
- WCRC

Hospitality, leisure and tourism businesses will no doubt be preparing for the summer season ahead, ensuring food menus are enticing, bed linens are crisp and rehearsals for the kids’ club shows are underway. All these things are of course integral to having a successful outcome and having customers wanting to come back for more.
Something that may be overlooked, however, is the cyber security aspect of running a smooth operation. The Cyber Security Breaches Survey 2025 says 4 in 10 UK businesses experienced a cyber-attack or breach in the last 12 months.
People are the first line of defence in every business and there is plenty of solid evidence that shows human error is the cause of most cyber-attacks and breaches, which means these incidents can be avoided. So many SMEs in the hospitality, tourism and leisure industries rely on temporary staff during peak seasons and this is one area that poses increased risk if careful attention isn’t paid to the offboarding of leavers and how new hires are onboarded - these are sometimes referred to as ‘insider threats’.
Here are three things to help you get started with boosting security measures:
1. Former employees should not be able to check-in again
Something else to keep in mind is that while insider threats tend largely to be accidental, they can be of a malicious nature in some cases. For example, a disgruntled ex-employee may have a motive to cause chaos and disruption to your business.
So, when someone leaves, their access to all company networks and accounts should be revoked immediately. A leaver who retains entry to sensitive information and data can bring significant security risks.
Be sure to:
- Disable their email accounts
- Remove their credentials from all internal and external systems
2. Not everyone needs ‘back-of-house’ access
Reviewing permissions and access controls on a regular basis ensures that only authorised, current employees are permitted to see crucial data. Appropriate levels of access must be set for everyone. Does the head of maintenance need to see guests’ personal booking details? Of course not. Temporary bar staff being able to view supplier contracts? Another absolute no-no. If it’s not necessary for their role, keep the boundaries strict!
3. The hot ticket to increased cyber safety
As the saying goes, ‘you don’t know what you don’t know’ so if you’re a small business owner or a decision maker within one and have limited cyber knowledge, it may seem that security awareness training is unnecessary for a café/independent travel agent/spa etc in Portmeirion/Tenby/Hay-on-Wye (delete as appropriate).
We highlighted earlier that most cyber incidents can be prevented, which means educating all team members, from those at the top to junior-level employees, new starters included. Security awareness training is a valuable investment that not only reduces risks of insider threats but also strengthens the cyber posture of businesses.
The WCRC offers bespoke training which teaches what the online risk profile looks like, how to be safer online, and what the warning signs are of a potential attack. Topics include phishing, social engineering and ransomware and the session is non-technical and tailored to the team’s level of knowledge. The content uses real-world scenarios to make it relevant to the working environment and boosts people’s confidence to flag activity that doesn’t seem right.
We are here to support small businesses by highlighting what the online hazards are and the simple and effective ways to reduce the chances of being impacted by cybercrime. The tips above are just a few of the basics and if you’d like more cyber guidance on employee safety or any business aspect, here’s what free WCRC membership can do for you.
Finally, let’s be hopeful that the yellow thing we sometimes see in Welsh skies will stay for a good while this summer.