Training is key to combating cyber fraud in restaurants


In a year fraught with challenges for the restaurant industry, cyber security might not be a top concern for many. From third-party delivery apps to QR-code menus, however, the pandemic is driving restaurants to rely on technology more than ever before — and with new technology comes an increased risk of cyber fraud. 

According to the National Cyber Threat Assessment 2020 report by the Canadian Centre for Cyber Security, small- and medium-sized organizations, such as restaurants, are among the most frequent victims of cyber-threat activity. 

Customer payment data, such as names, card numbers and expiration dates, is a major target. Hackers can also gain access to proprietary business information, sometimes even holding it for ransom. “The bad guys are pretty smart. They’ll take a look at your industry, they’ll do some research on your company revenues, if they can get their hands on it, and they’ll ask for a ransom that’s manageable,” says Kimberley St. Pierre, director of Strategic Accounts for Washington-based cybersecurity and systems-management company Tanium.

Cyber fraud can cause lasting damage to a restaurant’s reputation, customer base and profit margins. “Restaurants have to accept that cyber-attacks are a reality and it’s not a matter of if, it’s a matter of when,” says Dr. Ali Ghorbani, director of the Canadian Institute of Cybersecurity. 

Ghorbani adds that restaurants face a heightened risk of cyber fraud because they often share their customer data with third parties, including POS-system providers and delivery apps. 

“You want to make sure you’re vetting your third-party providers on a regular basis,” says St. Pierre. “Then you can start to set some parameters around those third-party contractors so that they only have access to certain pieces of information for a certain period of time.”

Nav Sangha, founder and CEO of Ambassador AI, a Toronto-based software company that offers online ordering and customer-support tools for restaurants, says the company tries to limit customer-data collection to the essentials needed for a user-friendly experience. “We’ve always viewed the data we store as a bit of a liability,” he says.

The importance of considering who has access to sensitive information, and how much access they have, extends beyond third-party contractors to a restaurant’s internal team. “We encourage our users to assign different permissions for different people on their team so they all have varied access to customer and sales data,” says Sangha. “If not everyone on your team needs to handle sensitive customer data, then don’t increase that liability. Don’t make them handle it.”

Whether it’s phishing emails or easily guessed passwords, cyber fraud often takes advantage of human error. “Your people are your first weakest link, unfortunately,” says St. Pierre. “But they can also be your strongest human firewall.”

Ghorbani stresses the importance of basic cyber-security training to prevent data breaches caused by avoidable human oversights. The Cyber Centre offers a set of guidelines, called the Baseline Cyber Security Controls for Small and Medium Organizations, that can be a helpful starting point for restaurant operators looking to evaluate their cyber vulnerabilities and work with their teams to implement stronger cyber-security protocols.

Some key suggestions include:

  • To minimize data loss, develop an incident response plan to detect, respond to, and recover from a potential cyber incident 
  • Regularly back up essential data and business information to an external secure location
  • Patch software as soon as updates are available

“The most critical thing for a restaurant is to have visibility over their assets and what’s on their network,” says St. Pierre. “How many computers, servers, POS systems, or stations do I have? Where are they? Who’s accessing them? What’s running on those assets as far as software? Is that software up to date?”

In addition to considering these vital questions, Sangha says that effective cyber security comes down to managing your customer data the same way you would want your own sensitive information to be treated. “We’re coming out of an era where online privacy wasn’t necessarily valued and secured effectively,” he says. “Customer data is immensely valuable for marketing, but at the end of the day it has to be handled with care.” 

