Restaurant Cyber Security: How To Prevent Data Breaches

When you think about issues that arise in your restaurant that could cost you significant amounts of money, what first comes to mind? If you're like most restaurateurs it's things like theft (both time and material), lawsuits, spoilage, or staff turnover.

But, what if we told you, all of those issues pale in comparison to the potential damage that data breaches could cost your restaurant?

The cost of restaurant cybersecurity

According to data from IBM, in 2021 the average cost of a data breach in restaurants cost $3.03 million dollars, up from $1.72 million in 2020 alone. That's a lot more than a few missing steaks from the walk-in!

Over the years, there have been numerous high-profile restaurants that have fallen prey to data breaches. Those include CiCi's Pizza, Dickey's BBQ, Select Restaurants, and Zaxby's —just to name a few —all of which amounted to millions in losses for the restaurants and months to recover from.

With the potential for serious financial impact, it's imperative that restaurateurs and operators pay attention to the impact cybersecurity can have on your business, and your bottom line. Your restaurant needs to have a robust, proactive restaurant cybersecurity plan to understand and identify risks, protect your business and customer data, comply with industry best practices, and react strategically if a security breach does occur.

What is a restaurant data breach?

According to Norton, a data breach is classified as a “security incident in which information is accessed without authorization.”

In a restaurant this can mean a number of things, but in practical terms a restaurant data breach is where guest or company information is accessed and inappropriately used. This means access to things like:

• Unauthorized access to POS data
• Unauthorized access to guest data
• Unauthorized access to team data

(More on this below!)

Once data has become part of a breach, the information is open to use by bad actors or, and can be sold to 3rd parties that may conduct illegal activities such as phishing, spamming, identity theft, or unauthorized purchases.

Data breach statistics show that nearly 1 billion email accounts have been exposed in both 2020 and 2021

Since restaurants often store and hold so much guest information, or work with so many integrated pieces of technology to run their day-to-day operations, they present a juicy target for criminals looking to exploit it for their purposes. This is why, according to research from Sift, 62% of American restaurant guests fear data breaches in restaurants, and are often hesitant to order directly from restaurants that don't make them feel as though their data is safe.

Types of sensitive data in a restaurant

Given the nature of how restaurants operate —with complex systems in the FOH and BOH —ensuring that receive orders, collect payment, and pay teams—here are numerous areas of the business that could be breached. The most important ones for restaurateurs and operators to be aware of are:

POS Data

As the tech heart of most restaurants, the POS is the most important thing to lock down to ensure that your restaurant cybersecurity is airtight. By containing payment information, the POS is the biggest target for breaches, but also the most complex to protect. The most important thing a restaurant operator can do is to rigorously vet your POS vendor and ask them about what security measures they have in place to protect you and your customers' information. To start, check out this guide from the National Restaurant Association on cybersecurity preparedness.

Employee Data

Even though 9 out of 10 restaurants have less than 50 staff members, your team's personal information is also a potential source of misuse. Just think about the scenario that is all too common in restaurants —your staff have a group chat where they swap shifts. This may seem innocuous at first, but it means that your team's contact information is now accessible by all other team members and can lead to abuse or harassment. Restaurants should be limiting who has access to other team members' contact information, and look to implement a secure chat platform you control to limit your team's information being accessible.

Sensitive Employee Information

Ask yourself—who in your restaurant has access to your team's personal information? The answer is most likely not just you. Whenever a new team member joins your restaurant, how and where are you storing information such as W2s, contact details, and direct deposit information. Most restaurants will file this information away in the back office or in a cloud-based HR platform, but it's critical you audit who has access to this information and for what purposes.

Guest Data

With the rising importance of restaurants owning their guest data (and not giving it away to 3rd party delivery platforms), many restaurants are collecting large swags of guest data that present a risk for a restaurant. If you use tools like a loyalty program, a marketing CRM, or even a reservation platform such as OpenTable or Resy, you need to be aware of who has access to this information and how exposed it is A real-world cautionary tale comes in the form of the “Cloud Hospitality” software from Prestige, which suffered a breach in 2020 that exposed the information of more than 10 million guests worldwide.

How Criminals Get Access to Your Data

For the most part popular culture has painted an inaccurate picture of data breaches, especially those targeting businesses. Criminals are depicted as stealthy adversaries, who stay in the shadows, and “hack” millions from their victims. The reality is that like most thefts, data breaches are crimes of opportunity.

While some criminals look to break into specific businesses in-particular, restaurants are usually impacted because they accidentally expose themselves to risk or do not take the proactive actions necessary to protect their business and customer data.

According to data from Verizon's 2021 Data Breach Investigation Report, there are 5 common ways in which data breaches occur. While the total below tallies more than 100% of all breaches, that is because oftentimes elements of different methods are used in a breach.

1. Physical breaches (4% of all breaches)

While we often tend to think of data breaches as being a result of online activities, a significant number of incidents don't involve the internet at all. There are some physical incidents that involve the theft of paperwork or devices. The other leading physical action is card skimming. This is where crooks insert a device into card readers and ATMs to harvest payment card information. This is a method of breach that was responsible for high-profile breach in NYC, back in 2011 and has only grown in prominence since.

2. Unauthorized Use (8% of all breaches)

This can happen in two ways. The first is abuse of privilege, in which employees misuse information they've been given legitimate access to. Just like the example mentioned earlier of having access to teammates' contact information. The second common type of privilege misuse is data mishandling, or, using data that they shouldn't have access to do something malicious. The most common example of this in restaurants is buddy-punching, which is why it's important to ensure that your time clocking software has features like photo or geo verification.

3. Malware / Spyware (22% of all breaches)

Criminals use malware or spyware for any number of purposes, but Verizon's report highlights a handful of prominent types. Some programs are designed to intercept the data flowing to and from a POS system, as was that case with a breach at Wendy's locations. The report also noted the use of keyloggers, which are programs designed to capture the keys struck on a keyboard. They are usually used to steal passwords and other sensitive information, such as when a member of a team is taking a credit card over the phone.

4. Social Engineering / Human Error (44% of all breaches)

According to Verizon, almost half of breaches happened because of the “human” element. That is, people either doing the wrong thing inadvertently or by people manipulating their way into getting access to sensitive information. In a restaurant context this might mean things like, sending an email to the client guest, letting a vendor into the kitchen that wasn't authorized, or someone watching a server enter an order into the POS over their shoulder.

5. Criminal Hacking (45% of all breaches)

When restaurant folks think of “hackers” this is what they are most commonly thinking about. It's usually associated with computer coding, but Verizon found that the most common criminal hacking technique involved something as simple as stolen credentials. This doesn't require any technical knowledge. Crooks can purchase the credentials on the dark web, find them written down, crack them using a password-generating machine or guess them. Remember to update your passwords and don't leave sticky notes lying around!

The best way to keep passwords safe is by using a password manager designed for businesses such as 1Password or Dashlane.

How To Protect Your Restaurant Data + Enhance Cybersecurity

Now that we've covered what's at risk for your restaurant and how breaches happen, we can delve into what you can do to protect your business and minimize risk. It's worth noting, however, that complete protection is not possible. Cybersecurity is a constantly evolving area of concern, and cybersecurity professionals are in a constant game of cat and mouse with criminals who look for increasingly complex ways to do harm to businesses.

For example, the past couple of years there has had a sharp increase in Supply Chain Attacks where hackers break into a company that provides an integrated tool that businesses (like restaurants) rely on, in order to compromise other businesses they are connected to. Or, there is a recent rise in so-called “SIM-swapping” attacks, in which hackers take over the phones of targets to prey on their contacts. If you ever get a strange message from your manager or GM, you could be a target!

PCI Compliance

PCI stands for Payment Card Industry and is a list of industry standards that help safeguard customer payment information. Compliance with the standards puts a digital “lock” on your POS system, which prevents any unauthorized individuals from intercepting or accessing your customers' sensitive payment card information.

In practical terms, think about how many orders your restaurant processes per day using debit or credit. According to data from Toast, 88% of meals are paid for with a credit card. Given the shift to “cashless” credit and debit purchases because of the pandemic, it's more important than ever to protect your customers' payment information.

To get started, there are two crucial things to protect your restaurant:

1. Audit your existing POS and check to see what PCI compliance standards they have. Upserve has a good primer on this.

2. Ensure that your restaurant network is using a firewall to protect any data that is transmitted by any of your systems in-house

Review 3rd Party Vendors

Building on what was mentioned above regarding PCI compliance, the next step is to ensure that any data transmitted to 3rd-party vendors is safe and encrypted. This limits the likelihood that those companies compromise your systems via a “man in the middle” attack.

The first step is to audit all vendors you work with —both integrated and not —to determine what data from your restaurant they have access to. For example, at 7shifts we offer documentation on all of our integrations with POS and Payroll partners that show that we take security as seriously as our partners.

Safe Data Storage and Access Procedures

While your staff might handle cardholder or guest information when completing tasks such as processing payments or confirming reservations, there is no need for them to actually see the information to do their job. Ensure that your operating procedures limit who can view and access guest information is crucial to limiting your exposure to breaches.

Bonus points if your software offers different levels of account access to ensure that only managers or operators can see things like wages, alter timesheets, or approve requests. Doing so ensures that data is stored securely and only those with sufficient privileges can see sensitive information.

Train Staff in Best Practices

Referring back to the most common breaches above, a full 44% of cybersecurity breaches happen because of human error. While (mostly) not malicious in nature, the “human factor” is always a risk to businesses. The simplest and most effective way to address this is by ensuring that security training is part of your employee training program and training manual. Even the most basic training can show your team what they need to watch out for in order to prevent criminals from taking advantage of them and your business. Here is where you can find all sorts of tailored training for your team.

Got Wi-Fi?

While the overwhelming majority of guests prefer open Wi-Fi in restaurants (96%) this convenience also represents a real risk for restaurants. When a network — especially one which your restaurant systems also use — is exposed to outsiders, the risk of a breach increases greatly. Luckily, there are a couple of easy things to do to solve this.

1. Make sure you set up your restaurants' networks with strong encryption and passwords. The industry standard for wireless networks is WPA2, and you can easily set up a password manager such as 1Password to give you a strong password you don't have to memorize and can easily and often change it.

2. Make sure that if you offer guest Wi-Fi access, it is on a separate network from the systems your restaurant runs on. Most IT vendors can easily do this for you, and it's also pretty easy to do yourself.

Frequently Asked Questions

Who is responsible for restaurant cybersecurity?

At the end of the day, the simple answer is that everyone in a restaurant (no matter the size) is responsible for cybersecurity. While the financial burden and legal exposure are greater for restaurateurs and operators, it's important to communicate the risks to all members of your team to ensure they stay vigilant to potential threats, and feel empowered to raise concerns if they notice something.

According to the FBI's 2020 Internet Crime Report, the Internet Crime Complaint Center received 791,790 cybercrime complaints in 2020, with reported losses exceeding US$4.1 Billion, which is a 69% increase over 2019.

Which begs the question, if it's only a matter of time before your restaurants' cybersecurity is affected in some way, shape, or form, what are you doing to protect and prepare?