Attacks often begin without warning. A cryptic email appears in an employee’s inbox. Someone opens the attachment because it appears to be from a boss or vendor.
Suddenly your POS or computer system is breached, giving cyber criminals access to everything from customers’ credit card information to employees’ social security numbers.
Restaurants are a particularly enticing target for cyber criminals due to the number of credit card and debit transactions they process every day.
“Restaurants are relatively low-hanging fruit,” says Dave Hylender, a senior network analyst with Verizon Enterprise Solutions, which released its 10th annual Data Breach Investigations Report in 2017.
Vulnerabilities abound, but according to Verizon, more than nine out of 10 restaurant intrusions involved external actors, many of whom break in via third-party-managed cash registers, table-based credit-card readers or back-office terminals.
Here are some tips for building a digital rampart that will keep your data safe and secure.
1. Know the Risks.
Hackers can gain access to POS systems using stolen passwords or default manufacturer passwords. Once inside, they install malware that capture data, then set up openings so they can return. The result? Financial penalties from credit card companies, remediation costs, lawsuits and bad press. “The last thing a restaurant wants is to have its name on the front page of a newspaper over a data breach,” said Michael Stovsky, chairman of the IT practice at the law firm Benesch, Friedlander, Coplan & Aronoff.
2. Get a risk assessment.
“You can’t protect what you don’t know to protect,” says KLR information-security specialist Daniel Andrea. Find a firm experienced in cyber risk. Start with the basics: What is your system? Who uses it? Where does the data go? After sizing up threats, you’ll learn how to protect against them. Costs vary, but for a small- to mid-sized organization, Andrea estimates between $20,000 and $75,000.
3. Empower employees.
Establish your security policies, then train staff in solo, group or web sessions to spot dangers, including unusual emails, computers lock-ups or password problems. “I can’t tell you how many times a breach happens not because of an active brute force attack but because an employee left a back door open,” says Taft data expert Scot Ganow.
4. Invest in cyber-secure equipment.
Look for safe hardware and software that runs the latest virus scans. Restaurants offering free Wi-Fi can get spoofed by hackers using a “pineapple” device to intercept data. “If a customer checks email, buys a plane ticket or checks a bank account, that can all be captured ... and reported back to the hacker,” says Patrick Wartan, head of the food and beverage group at Taft. Restaurants with Wi-Fi should apply the most stringent encryption, publicly display Wi-Fi names and instruct guests to ask for passwords.
5. Start encrypting.
The gold standard is “end-to-end” encryption that makes credit card data indecipherable to outside actors when it enters the restaurant’s POS system and then protects it, The PCI Security Standards Council offers guidelines.
6. Request a review of third-party vendors.
Make vendor agreements requiring them to meet your standards, or ask to audit their practices. “There’s nothing to stop you from saying, ‘Show me your data protection policies,’” Ganow says.
7. Head to the cloud.
Storing data on remote servers managed by third-party providers, such as Upserve and Brink POS, is usually safer than keeping it in-house. But also consider the cloud. Cloud-service providers are obligated to provide strict control over your data and can help restaurants detect cyber intrusion or employee theft.
8. Consider cyber insurance.
These policies can protect you from fines and fees if your company’s credit card data is stolen. They also cover expenses from breach notifications to customers, settlements and judgments, business interruptions and hiring a crisis-management firm, says Jill White of the Sylvia Group. Prices range from $1,000 to $5,000.