Introduction
When it comes to cyber security many of us are blindingly unaware of how attacks can occur and how important it is to lock down our data. In this regard, restaurateurs are no different.
You may not think hackers would necessarily target restaurants but because cyber security often features very low on a restauranteur’s radar compared to the more pressing issues of running a profitable business, they often represent low lying fruit for cyber criminals. Restaurants routinely keep customer information within their POS and third-party software such as email addresses and credit card details or staff information such as NI numbers and bank details – all information that in the wrong hands can cause a variety of serious fraud.
There have been numerous reported attacks within the hospitality sector ranging from ransomware attacks where the user is locked out of their files or devices unless they pay a ransom or from virus infection where POS software is compromised by a planted virus. Viruses work by attaching their malicious code to clean code and then wait for an unsuspecting user or automated process to execute them such as a ‘phishing’ email containing an innocuous link. When clicked by a staff member, this sets the virus in motion to spread quickly within the IT system, corrupting files and locking users out of their computers.
A further dimension of attack
It doesn’t always require human action to trigger these attacks as hackers have become even more sophisticated in finding loopholes to instigate infections. This is thanks to the advancement of modern tech – the internet of things – where malware attacks can come via something as innocent as a ‘smart’ self-serve coffee machine. This breach is possible because the coffee machine must talk to the POS which is linked to the network. Even though the machine has protection on the data going from the coffee machine to the POS, no firewall is necessarily set up for data going into the machine. Malware can therefore enter unchallenged to the coffee machine and potentially compromise all the POS terminals.
The consequences
According to governmental report, Cyber Security Breaches Survey 2019 cyber attacks cost businesses an average of £4,180 a year and among those victims, 21% had staff stopped from carrying out their daily work and 32% took up staff time dealing with the aftermath of these security breaches. This demonstrates the gravity of these attacks is not just felt through a loss of faith by customers in businesses who have allowed their personal data to be compromised but also a great cost in time and energy internally to manage these breaches.
The US food chain Wendy’s, who will soon be opening locations in the UK, were victim to a malware attack back in 2016 which saw at least 1025 of their restaurants targeted. Hackers had installed malware into their POS via a breach from a third-party service provider’s remote access and stolen customers debit and credit card details from as early as 2015 without Wendy’s knowledge.
It’s not surprising with these more sophisticated attacks that businesses who carry out an annual cyber risk assessment has increased from 20% in 2018 to 32% in 2019 in a bid to shut the door on these criminals. Thankfully there are some relatively simple measures than any restaurant business can put in place to combat these security breaches whether you are a 1 site or 50 site operator.
7 ways to shut the door on cyber attack
1. Make sure you are using the latest operating system
Many devices are still running on Windows XP which is no longer supported by Windows and therefore not protected by ongoing software updates. These older systems are more prone to having security loopholes which represent an open door to any would-be hacker.
2. Internal security
Make sure your internal IT such as EPoS tills and tablet devices are locked down by utilising the login with password or pin code setting for staff. More secure still are EPoS login with a thumbprint reader. It’s also important to assign the appropriate permissions to your managers and staff to keep access to your business sensitive data limited.
3. Manage your Wi-Fi network
If you offer free open Wi-Fi access to your customers this can potentially be an easy way for hackers to infiltrate other parts of your network so shut that door by segmenting your network and keeping your guest Wi-Fi completely separate to your business Wi-Fi (and lock it down with a strong password).
Secondly, make sure that your back-office server on a PC or your front-of-house EPoS device is not used by staff to browse the internet. This is exactly how a lot of malware gets into a network so don’t invite the problem by allowing it. Some EPoS providers lock down the POS by default so it can’t be used to browse the net but if not, you can ask that this is done to prevent access.
4. Caution staff about Malware guises
Given that most malware attacks are still triggered by human action, it’s important to caution your staff about phishing emails and to always air on the side of caution if they see a suspicious email, link or attachment.
If they need to create passwords for accessing any third-party software, ensure they follow best practice for setting passwords and store these securely using an online password manager. If any staff members have to remote-in to the network you must also ensure their personal computers are using a secure Wi-Fi network as hackers often target remote login setups to compromise the entire POS network.
5. Vetting your third-party vendors
Restaurants will routinely use third-party vendor software to integrate with their EPoS and wider network such as their payroll, a loyalty app or online ordering service. Many of these have associated consumer or staff payment information and so it’s essential these third parties are PCI (Payment Card Industry) compliant. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards requiring all companies (regardless of size) that receive, process, store or transfer credit card information to do so in a secure environment.
Make sure that you manage your vendors third-party access privileges and ensure that they only see the information they need to limit any potential for fraud. You could have an iron-clad IT system but if your vendors security practices are lapse then you are creating a possible chink for a hacker to exploit.
Questions to ask your vendors:
For your EPoS provider:
Do they have a portfolio of APIs such as a dedicated loyalty API, a payroll API etc to ensure that they only give granular access to the data needed?
For all third-party software vendors:
- Do they have a security program?
- Do they use firewall and security services to protect their business?
- Is its security audited by any third-party companies? Can it send you reporting results of those tests?
- Does it need to put equipment on your network? If so, what kind?
- If the vendor is hacked, how will this affect your restaurant?
- If they answer no to the first three questions then this should be a huge red flag and show that they don’t take their business security seriously.
- The last two questions will help you understand the extent to which your vendor needs access to your network and how you can police this access so that even if the vendor is compromised, your network and data remain safe.
6. Build your armour: anti-virus and anti-malware software and firewalls
Firstly, it’s important to have and maintain anti-virus or anti-malware software as if these are not routinely updated, they cannot benefit from the latest security patches.
Firewalls can be your first line of defence against keeping malware-infected devices from infecting other parts of your network. Make sure your network is configured by your IT with appropriate firewalls. For example, your receipt and kitchen printers are on a separate network to your office printer so the POS can only access this network. By ringfencing your networks with firewalls, you not only secure the network but if it is penetrated, you will limit the malware’s access to designated areas rather than the entire system.
7. Cloud back-up
And last by not least, if you do become victim to an attack, ensure you have a back-up to safeguard your data. The most secure way to do this is to use a cloud back-up service as this not only guarantees that your data is kept off site should you have a fire, flood etc but it means that it can significantly reduce the risk of malware spreading to your on-site backups.
Cloud back-ups like Acronis allow this by using an API rather than an ‘always-mounted’ option which essentially allows your network to ‘mount’ the cloud drive to back-up when requested and then ‘unmount’ it afterwards, physically detaching itself from your system and so making it less likely any malware can spread over to your cloud back-up.
Don’t become the next victim
We know that cyber attacks and their sophistication are becoming more and more common, so restauranteurs need to take this threat seriously and safeguard their business-critical data. Thankfully you can avoid being a victim by making sure all the basic security measures are in place; checking security as part of vetting any vendor; policing access to your network among employees, customers and third parties; utilising firewalls and anti-malware software and finally using a cloud back-up to ensure you never truly lose your business critical data.
If you needed another reason to address your security, look to your most important business critical asset – your customers. They entrust you with their sensitive personal data and payment details and expect to receive your services while retaining their privacy. By taking this responsibility seriously and providing suitable protection you are safeguarding the one crucial aspect that keeps your restaurant in business.
The pointOne approach
At pointOne we take data security very seriously and are partnered with Acronis Cyber Cloud to back up and protect our customer data. For more information on this please contact us.
