Top 11 Ways to Control Cyber Risk at Your Restaurant
New technologies such as online ordering, digital receipts, third-party delivery apps and mobile payments are transforming the restaurant industry. Although restaurant executives are adopting these technologies to enhance the customer experience and improve operational efficiency, they are also increasing their exposure to cyber attacks. Recent breaches reported by Sonic, Applebee’s, Chipotle and other popular chains show that restaurants are just as vulnerable as any other business. Small businesses are just as exposed to cyber attacks as global corporations and are less likely to recover from a breach if they do not have adequate risk controls in place. The National Restaurant Association has responded to this growing concern with a timely guide titled “Cybersecurity 201: The Next Step”. Here are several key takeaways that will help you control cyber risk at your restaurant.
1. Map out how data and information flow internally and externally.
Document how digital information flows within your network and how IT software, hardware, and employees support that flow. For example, create a diagram that shows how credit card information moves from the point-of-sale (POS) devices to the back-office server and on to the payment processor, including any third-party services it passes through along the way.
2. Identify critical functions that could be disrupted by a breach.
Create a list of the services that are critical to your restaurant and document all the technologies, vendor partners and service providers that are required to deliver these services. Understand which services are essential to running your restaurant and the potential consequences if they become unavailable.
3. Know the industry standards and your legal obligations.
Keep up with changing industry standards and regulatory requirements so you can control risk better. For example, the Payment Card Industry Data Security Standard (PCI DSS) applies to any business that accepts card payments; using PCI-validated POS devices and payment applications narrows the part of your environment you have to secure yourself, but it does not by itself make your restaurant compliant.
4. Build an inventory of internal and external threats.
Employees pose the biggest internal threat to your restaurant. Networks can be compromised internally through the negligence or malicious intent of an employee. Hackers and third-party vendors pose an external threat. If your restaurant relies on third parties for payment processing or delivery apps, understand who they are, what access they have, and what cyber risk controls they have in place.
5. Develop and update a risk management process.
Organizational stakeholders must agree on a documented risk management process and update it regularly. The process should include identifying all plausible threats and areas of vulnerability, analyzing how each threat could affect business operations, and designing risk controls that address each threat.
6. Establish protocols for remote access to IT systems.
Manage the internal business connections, service providers and third-party vendors who can access your network remotely. Limit remote access to only the hardware, applications or data required for a specific function, give each person or vendor their own credentials rather than a shared login, and require multi-factor authentication. Keep a log of all activities performed remotely so that remote access can be reviewed.
7. Create roles and privileges for individual users.
Manage each user’s level of access to your network systems and ensure they understand their responsibilities. Provide the least amount of access required to perform a job. Closely guard administrative and super-user accounts: give them only to the few employees who need them, each under their own named account rather than a shared password, and review who holds them regularly.
8. Install adequate network protections.
Implement physical and virtual firewalls, security software, and up-to-date POS systems. POS systems that encrypt card data at the point of capture and do not store it locally reduce how much of your customers’ card information ever sits on your own network, and therefore how much an attacker can take if they get in.
9. Proactively monitor your network.
Use anti-malware systems to monitor your networks and detect malicious code. Monitor account usage and deactivate accounts assigned to terminated employees or vendors whose contracts have ended. Alert security personnel the moment you suspect a breach.
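The account review in sections 7 and 9 (least privilege, and deactivating accounts for terminated employees and vendors) is easy to describe and easy to skip. The following script is an added example, not code from the NRA guide or from the original article: it reconciles a list of accounts against an HR roster, a vendor contract list and an approved-admin list, and flags accounts that should be deactivated or downgraded. The account list, roster, contract dates, review date and the 45-day dormancy threshold are all constructed sample data and assumptions; in practice they would come from your POS back office, directory and vendor records.

```python
"""Reconcile user accounts against HR, vendor contracts and a privilege policy.

Added example (not from the NRA guide or the original article). All data
below is constructed sample data; the 45-day dormancy threshold and the
review date are assumptions chosen for the example.
"""
from datetime import date, timedelta

# Constructed sample data: accounts present on the restaurant's systems.
ACCOUNTS = [
    {"user": "jdoe",       "role": "manager", "last_login": "2024-05-02"},
    {"user": "msmith",     "role": "cashier", "last_login": "2024-05-03"},
    {"user": "tlee",       "role": "cashier", "last_login": "2024-01-15"},
    {"user": "pos_vendor", "role": "admin",   "last_login": "2024-04-28"},
    {"user": "admin",      "role": "admin",   "last_login": "2023-11-01"},
    {"user": "rgarcia",    "role": "admin",   "last_login": "2024-05-01"},
]

# Constructed HR roster (current employees) and vendor contract end dates.
ACTIVE_EMPLOYEES = {"jdoe", "msmith", "rgarcia"}
VENDOR_CONTRACT_END = {"pos_vendor": "2024-03-31"}

# Who is approved to hold admin/super-user rights (section 7: least privilege).
ADMIN_ALLOWLIST = {"rgarcia"}

DORMANT_DAYS = 45                 # assumption: flag accounts unused this long
REVIEW_DATE = date(2024, 5, 5)    # assumption: the day the review is run


def review_accounts(accounts, active_employees, vendor_contract_end,
                    admin_allowlist, today, dormant_days=DORMANT_DAYS):
    """Return (user, reason) findings for accounts to deactivate or fix.

    One account can produce several findings, e.g. a shared 'admin' login
    that is both unapproved for admin rights and dormant.
    """
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        user = acct["user"]
        last_login = date.fromisoformat(acct["last_login"])

        # Section 9: vendor accounts outlive their contracts unless someone checks.
        if user in vendor_contract_end:
            if date.fromisoformat(vendor_contract_end[user]) < today:
                findings.append((user, "vendor contract ended; deactivate"))
        # Section 9: anyone not on the HR roster is terminated or a shared login.
        elif user not in active_employees:
            findings.append((user, "not on HR roster (terminated or shared); deactivate"))

        # Section 7: admin rights only for the approved, named individuals.
        if acct["role"] == "admin" and user not in admin_allowlist:
            findings.append((user, "admin rights not approved; downgrade or remove"))

        # Dormant accounts are a standing invitation regardless of owner.
        if last_login < cutoff:
            findings.append((user, f"no login in {dormant_days}+ days; disable"))
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_accounts(ACCOUNTS, ACTIVE_EMPLOYEES, VENDOR_CONTRACT_END,
                           ADMIN_ALLOWLIST, REVIEW_DATE)


if __name__ == "__main__":
    for user, reason in run_review():
        print(f"{user:12} {reason}")
```

Run against the sample data, the review flags three of the six accounts: the former cashier still present after leaving, the POS vendor's admin login that outlived its contract, and the shared "admin" account that nobody owns and nobody has used in months. Feeding the script a real export of your POS and back-office accounts next to a current HR roster turns section 9's advice into a monthly check that takes minutes.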
10. Prepare and execute an incident response plan.
Devise a plan to respond to potential breaches before one happens. Define who decides what, who contacts the payment processor, card brands, law enforcement and your insurer, and how the impact of the incident is communicated to the appropriate stakeholders. Your entire team should know their part in containing the problem and keeping the restaurant operating if a breach occurs. Customers, vendors and stakeholders will judge you on whether you take the necessary steps to respond to a breach.
11. Create a long-term public relations plan.
Limit reputational damage by making the public aware of your response to a breach. Ensure your customers understand how you will recover from the incident and reduce the risk of future attacks. Make sure your restaurant complies with your state’s breach notification laws, and have an appropriate long-term communications plan in place.
Just one breach, whether it’s a sophisticated hack or a simple employee mishap, can significantly damage a restaurant’s reputation and bottom line. According to the National Restaurant Association, the average small business pays $36,000 to $50,000 in fines to credit card brands for breaches involving card payment data. Other fees and penalties, including forensic investigation fees, security remediation, card reissuing and monitoring fees, fraud-reimbursement penalties and class-action litigation costs, add to the total cost of a breach. Reputational damage and the loss of customer loyalty are difficult to quantify but do the most damage to a restaurant’s bottom line after a breach. The financial impact of lost business and the cost of rebuilding the brand and acquiring new customers can end up forcing a company to close.
Restaurant executives need to consider implementing payment technologies, risk controls, and risk transfer solutions to protect their businesses. Technologies such as EMV migration, point-to-point encryption, tokenization, and mobile POS systems can enhance the customer experience and strengthen security. Creating a cyber risk management plan and updating it regularly can reduce both the likelihood of an attack and the damage one causes. Cyber insurance policies are designed to help restaurants recover from a breach, and their premiums are a small fraction of what a breach costs a business. Contact a BKS Commercial Risk Advisor to learn more about managing cyber risk at your restaurant.