Salon security: is your data safe?

With a staggering 56% of UK beauty salons and hairdressers reporting that they’ve been the victim of cyber fraud, according to a 2018 survey of National Beauty Federation (NBF) and National Hairdressers’ Federation (NHF) members, knowing how to successfully protect your business against the financial, reputational and legal damage of a hack has never been more important. 

It’s a common misconception that high-street businesses are unlikely to be the target of malicious activity, with big tech companies more at risk, but this isn’t true – the Government has revealed that more than 40% of UK companies (both big and small) have experienced a cyber breach in the past 12 months.

Plus, with business secretary Greg Clark announcing that the Government is now investing £70 million into cyber security to help small businesses become more resilient to these threats, now is the time to take stock of your processes to make sure your data is secure. 

“Cyber-crime describes any criminal act dealing with computers and networks. ‘Hacking’ can be a completely automatic process that changes your computer files after accessing a compromised website or suspicious email attachment,” says Ian Johnstone, software support manager at SalonGenius. “Even if you have anti-virus software, it’s not impossible for your PC or Mac to get infected.” 

A successful cyber-attack can cause major damage to your business, affecting your clients’ trust in you, as well as your bottom line. “In some data breach cases, there will be an immediate financial loss – a hacker could lock you out from your appointment software and demand a ransom to restore access,” explains Andrew Schofield, chief technology officer at Timely.

They can play havoc with your day-to-day business operations, too. “If you have online booking, and appointments are being made maliciously by hackers, then this will fill up your calendar with fake slots, which will lose your salon money,” says Nicola Soanes, marketing and sales manager for Salon Tracker.

Threat one: phishing emails

There are two main types of attack you should be aware of. The first is phishing emails, which are used by criminals to trick owners into handing over their login details for popular sites such as Facebook, eBay and PayPal. These emails typically attempt to get personal information like your bank account details by claiming to be an unpaid or overdue invoice from a reputable supplier you work with. 

“You should never open attachments to emails when you don’t recognise the sender,” advises Andy Heathershaw, chief technology officer at Premier Software. “If you receive an email directing you to log in to a service, type in the URL instead of clicking the link to ensure it’s a reputable site before entering any usernames or passwords.” 

Although this is an external threat, it needs one of your employees to open the attachment or click on the link, which is why staff training on cyber security should be a top priority. “It could be as simple as human error or a negligent employee, but one of the biggest threats to your data is internal,” says Sebastian Maska, chief executive at Versum. 

“Create different access levels for employees, as not everyone needs entry to financial data or clients’ full contact details, and set up a user activity log that will register each operation performed in the system, allowing you to see who makes changes and when.” 

If the websites you use for business offer two-factor authentication (known as 2FA), then Heathershaw recommends switching it on to further protect your livelihood. “It usually takes the form of the website sending a unique code to the mobile of the person logging in, which they must enter to gain access,” he says. “This ensures the person logging in is the same one who has control of the account, as a criminal wouldn’t have access to your phone.” 

Threat two: hacking

Hacking – the shutting down or misuse of your website or network – is the other big issue that can lead to data being damaged or leaked on the internet.

“Salons and spas often store sensitive health-related information and credit card details for clients, which can be of real interest to criminal elements. In the darker corners of the internet, there is a market for these stolen details,” explains John Doran, director of engineering in development for Phorest. “The risk of all this being exposed could lead to fraud, impersonation or bribery, as well as humiliation and emotional trauma.” 

One of the easiest ways a hacker can gain access to your system is through sloppy password practices. Bad habits such as using the same password across all your accounts or weak choices such as “123456” – which topped the National Cyber Security Centre’s 2019 list of worst passwords, with 23.2 million accounts using this sequence – can put you at risk. “Password01”, “123456789” and “qwerty” also made the list. 

“Creating user-specific passwords and pin-protection for logins will protect your salon against serious cyber threats. Choose strong passwords to protect your security and identity, using numbers, characters and letters, in a mix of lower and uppercase,” says Andrew Walker, head of IT and implementation for Shortcuts. 

Further ways to protect your network include changing the default password on your wifi routers and ensuring your devices are continually updated with anti-virus and anti-malware software – you can configure most operating systems to do this automatically.