— By Ara Aslanian —
How to reopen your restaurant free of cyber concerns.
Despite an apocalyptic prediction last year, only 14% of restaurants closed permanently during the pandemic. After a dark winter of to-go-only orders or limited capacity, restaurants are finally seeing the light and preparing for the coming summertime boom as the dining restrictions lift across the country. However, while restaurants are rushing back to full operation, many are doing so without running a thorough IT upgrade and cybersecurity check. The pandemic has seen a surge in different types of cyberattacks, including data breaches, ransomware attacks and more. Restaurants have been one of the primary targets for all of these attacks due to the volume of credit card and customer information they process every day — which can be huge goldmines for cybercriminals.
With the average ransomware payment jumping by 43% in first quarter 2021, restaurants that survived COVID could find themselves opening only to be sunk by a cyberattack. Therefore, it is critical that restaurants prepare themselves against the possible wave of cyberattacks as the dining industry reopens fully. There are several cybersecurity risks restaurants face, including: emerging payments security, third-party vendor vulnerability, and missing cybersecurity budgets.
Emerging Payments Security
In order to shift the operational focus to support online ordering, restaurants widely adopted contactless and digital payment during the pandemic, which have sustained to today. With both diners and restaurants veering away from cash, POS (point-of-sale) systems and digital payment become criminals’ major focus.
There are various ways POS systems can become lucrative targets for hackers, these include clerk skims, POS swaps, and malware attacks. Clerk skims happen when the clerk processes a customers’ card on a tempered device. The device makes a copy of each card via the swipe so the hackers would have all the information for malicious use. POS Swaps are hackers swapping out an existing POS terminal with a cloned device that allows hackers to remotely access the terminal. POS malware attacks happen when the POS software is remotely planted with software that gives hackers control of the device. Compared to card payments, mobile payment is less likely to be copied during the process of a physical scan, since the emerging digital wallets (such as Apple Pay and Google Pay) usually hide the information of the card or bank account linked to the phone. But similar to the POS malware attacks, mobile phones can easily be spied on or breached by malware when using public WiFi or hotspots.
To increase the security of these payments, restaurants should stay vigilant and utilize point-to-point encryption (P2PE) to encrypt payment card data from point of capture, such as swiping on a POS machine or “wave-and-pay,” until it arrives at the secure endpoint. Once the information is encrypted, hackers won’t be able to read the data even if they were able to intercept the transaction process. Owners should also train frontline employees to observe suspicious behaviors and implement chip-card readers instead of magnetic stripe readers to defend against those types of attacks — this is because EMV chip technology makes it harder for cybercriminals to copy the data as opposed to the magnetic stripe swiping or in-person transactions. Additionally, restaurants should set up separate WiFi networks for business operations and customers and ensure all the routers use strong unique passwords as well as run on the latest firmware.
Third-Party Vendor Vulnerabilities
There are many reasons why hackers want to target reopening restaurants, but the most tempting one is their mixed types of transactions via an extensive network of third-party vendors where they can find multiple vulnerable points to breach. As restaurants begin to reopen and return to normal operations, the habit of ordering takeout instead of dining in may stick longer with customers who are still cautious of being in public spaces. This means that third-party delivery vendors, such as Postmates and Uber Eats, will continue to be the platforms on which customers’ information and payments are processed, as well as private restaurant information. However, these ‘middlemen’ between customers and businesses have fallen victim to several major data breaches during the past years, leaking thousands of user and restaurant information out to hackers. Doordash, one of the biggest food delivery service vendors, is still trying to search and compensate the victims of a data breach it had in 2019. Besides delivery vendors, other third-party tools such as accounting software and IoT devices can also be of high risk.
Combining a “zero-trust” approach with vendors and a cybersecurity education program with employees remains the ideal protection for restaurants. To achieve that, restaurant owners should always confirm that any vendor software they choose complies with the Payment Card Industry Data Security Standard (PCI-DSS). A quarterly PCI scan is also vital for spotting vulnerabilities and ensuring continued compliance. Owners should limit vendors’ access to their systems as much as possible.
Missing Cybersecurity Budgets
Restaurants were forced into hasty make-or-break pivots to new business models last year and many may have cut down or diverted the budget for IT and cybersecurity to support more burning issues. However, as the reopening of restaurants comes sooner than expected, many owners flustered for an early chance to make up for the loss are jumping back into operation without increasing IT budgets and conducting a thorough cybersecurity check. An outdated firewall and unsecure WiFi connection can easily open the back door for preying hackers. Even a lack of network bandwidth due to the increase of diners could result in service paralysis as most restaurants now use digital systems to communicate between the dining room and back kitchen. Before putting the idle spaces back to work, restaurant owners should sit down and set aside time and a budget for cybersecurity hygiene — break down the plan into three major sectors: employee education, security control and IT hardware. It is important to find time to research the tools and plans that fit your business needs.
Every owner is an essential component in the ongoing effort to fight against cyber risks. It is imperative to the reopening restaurant industry that the necessary steps are taken to protect businesses from the increasing cybersecurity risks. Setting up a cybersecurity budget, guarding the payment processing system, and carefully vetting third-party vendors are all necessary in the fight against cybercriminals and the pursuit of good food. The process might start as costly and tedious, but the weight will become armor for future operations.
— Ara Aslanian is co-founder and CEO of Inverselogic, a technology consulting and management company. He is a member of the advisory board at LA CyberLab and on the leadership council of Secure the Village, both of which monitor emerging online threats and provide education on countering them.