After targeting government agencies, healthcare institutions, banks, and the maritime industry, bad actors have now turned their attention to restaurants.
Last month, the Canadian company Recipe Unlimited (formerly Cara Operations) announced that it was experiencing a “malware outbreak” that caused a partial network outage and disrupted operations at several locations.
The restaurant brands that were affected during this malware/ransomware attack are as follows:
- Bier Markt
- East Side Mario's
- Swiss Chalet
The Landing Group of Restaurants and Prime Pubs brands were also affected by this malware attack. Some of these locations were forced to temporarily shut down while others offered reduced services (on a cash-only basis with no credit or debit card transactions unless they were processed manually).
Following the attack, a ransom letter popped up on the computers at multiple restaurants owned by the company, demanding a ransom payment in Bitcoin. However, we don’t know if the ransom was ever paid by the company.
At the beginning of the year, several Tim Hortons locations had to shut down because cash registers in about 1,000 stores were infected with a virus. Before that, over the festive season, more than 160 Applebee’s restaurants found malware on their point-of-sale systems that was set up to capture guests’ names, credit or debit card numbers, expiration dates, and card verification codes.
Domino’s had the unfortunate experience of finding out about a data breach in their supply chain from their own customers. These attacks, while sometimes disastrous, make a lot of sense because restaurant networks are a goldmine of sensitive customer data and cybercriminals will do just about anything to get their hands on it.
So how do restaurants and their management companies protect themselves from the next cyber attack? Let’s take a look.
Conduct a Vulnerability Assessment
The first step to securing your restaurant is to conduct a company-wide vulnerability assessment to better understand your current security posture. This approach will help your security team understand the true health of your security defenses.
To do this right, it’s essential to get your internal security team to conduct an audit and then engage an established third party to do the same. This is because an external security team will be able to identify what was missed by your internal team.
It’s also a good idea to engage in penetration testing to ascertain what your systems are capable of handling. Once vulnerabilities are identified, they have to be resolved immediately.
Vulnerability assessments should also be extended to review your security policies and best practices. Whenever there are shortcomings, it’s imperative to take a proactive approach and respond to them effectively.
Establish Ongoing Security Training
Whether it’s at the restaurant location or at the company’s head office, it’s vital to regularly engage in security and awareness training programs. This is because most data breaches occur due to employees lacking cybersecurity awareness or education. In fact, four out of five data breaches can be directly attributed to human error.
When you take a proactive approach to staff training, you also lay the foundation for a secure future that can mitigate the long-term costs associated with a security incident. So it’s important to make security a part of your restaurant culture where everyone is alert and engaging in the right behaviors (that will help better secure your network).
Security training should also be highly interactive, engaging, and employ gamification techniques. This way, you can keep your staff motivated while reinforcing learning and desired behaviors.
Engage in Extreme Vetting
Even if your business is proactively securing its enterprise restaurant network, an insecure vendor in the supply chain can leave you vulnerable to a breach (just like Domino’s found out the hard way).
If the vendors connected to your network aren’t following best practices to secure their digital assets, it will create a path for hackers to penetrate your network and lock down your systems.
In this scenario, bad actors can either choose to steal the data, hold your business to ransom, or do both. As a result, it’s critical to rethink your network security strategy and engage in the extreme vetting of third-party vendors before adding them to your supply chain.
Historically, most third-party vendors (whether it’s a produce or a cleaning service) were hired based on the quality of service and reputation. Today, we have to add security best practices into the mix to keep your restaurant brand out of the headlines.
So if you’re about to partner with a third-party vendor who’ll need access to your system, first ask them the following questions:
- Do you use a firewall to protect your IT infrastructure?
- Do you follow cybersecurity best practices?
- Have you experienced a data breach?
- Has your security been audited by a third party? Can we see those results?
- If your network is compromised, how will it affect our digital assets? What steps will you take to protect us?
If they answered “no” to the first two questions, you don’t really have to follow up with the rest. In the fourth industrial revolution, vendor security trumps customer service and quality, so if they don’t make the grade, find someone else!
Cyber attacks on the restaurant industry aren’t going to go away anytime soon. Instead, you can be certain that they’ll escalate. As a result, it’s critical for the industry to act now!
To keep restaurant brands in business while staying out of the six o’clock news, it’s crucial to take an active approach to security. This means conducting risk assessments, following best practices, training restaurant and office staff, vetting vendors, and actively policing your enterprise networks.
As no security program is bulletproof, it will also help to have a plan in place to respond to an active breach. Protecting customer data is critical to business relevance and restaurant security can’t be an afterthought.