According to PAR CTO Chas Wurster, the average data breach costs $4 million and impacts 25,000 customer records. If you haven’t seen 2020 and Beyond: 10 Restaurant Cybersecurity Best Practices for Every Concept, you can view the full webinar here. Here are 3 facts to keep in mind before you watch:
1 – Big Investments = Big Responsibility
“As we’re making technology investments, we need to make sure that those investments don’t become the way that bad actors get into our systems.”
-PAR CTO Chas Wurster
As your restaurant invests in new payment solutions, POS systems and back-office software, you need to be aware of the potential vulnerabilities each time these systems interact. Mobile card readers may be convenient and cheaper to use, but security researchers found that the way they interact with POS systems allows hackers to change the amount charged on a credit card and even the payment method. If your POS system uses Bluetooth to send data to your payment provider’s server through a mobile app, your restaurant is at risk for Man-in-the-Middle (MITM) attacks.
According to ICANN, the internet security nonprofit responsible for assigning IP addresses that led to the global Internet we have today, MITM attacks happen when hackers intercept communication between two systems. For instance, a hacker can exploit your restaurant’s local area network to create a message on your credit card machine prompting customers to re-enter their PIN or CVV numbers, gathering enough data to bypass EMV protections for chip-card readers. When viewing PAR’s webinar, pay close attention to tip #2, which covers how to protect your restaurant from such an attack.
2 – Connectivity Can Be a Security Flaw
The word “restriction” gets a bad name in our society, especially as more devices are talking to each other than ever before. However, restricting access to your network on a need-to-know basis is important for preventing system vulnerabilities. Everyone, regardless of their level of access—from employees that log into your POS system to cash out customers to your IT experts that run back testing—needs to create their own unique, complex passwords.
Even if you remind customers and employees to only use sites they trust, your restaurant’s network can still be vulnerable to phishing attacks. Last year, Wired reported that hackers can even obtain an HTTPS certificate for a counterfeit website to make it seem trustworthy. Also, your restaurant’s network only has a finite amount of bandwidth, so you need to prioritize data from payments and POS transactions over other sources. Before you allow customers to stream Netflix over your WiFi, remember to follow tip #3 from our webinar.
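The "need-to-know" restriction described above is usually enforced as an allow-list between network segments: card readers and POS terminals may talk to the payment gateway and nothing else, guest WiFi may reach the internet and nothing inside the store, and every flow not explicitly listed is denied. The following is an added example, not code from PAR or the webinar, that encodes such a policy and audits constructed firewall-style log lines against it. The segment addresses, the log format and the `pos`/`backoffice`/`guest`/`gateway` names are assumptions made for the example.

```python
"""Allow-list segmentation audit for a small restaurant network (added example).

Assumed (hypothetical) addressing:
  pos        10.10.1.0/24     terminals and card readers
  backoffice 10.10.2.0/24     manager PCs, IT jump host
  guest      192.168.50.0/24  customer WiFi
  gateway    203.0.113.0/24   payment provider (TEST-NET-3, documentation range)
Anything else that is a routable public address is treated as "internet".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

SEGMENTS = {
    "pos": ip_network("10.10.1.0/24"),
    "backoffice": ip_network("10.10.2.0/24"),
    "guest": ip_network("192.168.50.0/24"),
    "gateway": ip_network("203.0.113.0/24"),
}

# Allow list of (source segment, destination segment, destination port).
# Default deny: a flow is permitted only if its triple appears here.
ALLOW = {
    ("pos", "gateway", 443),        # card data to the payment provider only
    ("backoffice", "pos", 22),      # IT administration of terminals
    ("guest", "internet", 80),      # customer browsing
    ("guest", "internet", 443),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def segment_of(ip: str) -> str:
    """Map an address to its named segment, 'internet', or 'unknown'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet" if addr.is_global else "unknown"


def evaluate(flow: Flow):
    """Return (allowed, label) where label reads like 'guest->pos:445'."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    label = f"{src_seg}->{dst_seg}:{flow.dport}"
    return (src_seg, dst_seg, flow.dport) in ALLOW, label


# Constructed sample log lines in a simple key=value form (not real traffic).
SAMPLE_LOG = """\
src=10.10.1.5 dst=203.0.113.10 dport=443
src=192.168.50.23 dst=93.184.216.34 dport=443
src=192.168.50.23 dst=10.10.1.5 dport=445
src=10.10.2.9 dst=10.10.1.5 dport=22
src=10.10.1.7 dst=93.184.216.34 dport=443
"""

LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def parse_log(text: str):
    """Turn the key=value lines into Flow objects, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows.append(Flow(m.group(1), m.group(2), int(m.group(3))))
    return flows


def audit(flows):
    """Return the flows the policy would deny, with their segment label."""
    denied = []
    for flow in flows:
        allowed, label = evaluate(flow)
        if not allowed:
            denied.append((flow, label))
    return denied


if __name__ == "__main__":
    for flow, label in audit(parse_log(SAMPLE_LOG)):
        print(f"DENY {label}  ({flow.src} -> {flow.dst})")
```

Run against the sample log, the audit flags the guest device reaching a POS terminal on port 445 and a POS terminal browsing the internet; both are exactly the kinds of flows a breach relies on and a default-deny policy removes. The same triples can be translated one-for-one into firewall or switch ACL rules.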
3 – Not All Vendors Are Created Equally
Ask your hardware and software vendors for a SOC 2 compliance report to make sure they are monitoring data and configuration changes, file transfers and system logins for suspicious activity. Threat Stack, a cloud security company, says vendors should have audit trails and actionable forensics in order to pinpoint the source of system modifications and know which steps to take if a data breach happens.
According to Wurster, you should hire a third party to assess which vendor platform has the lowest number of security gaps and ask about third-party reports in the requests for proposal (RFPs) you send out, including PCI compliance and SOC 2 documentation. Ethical hacking companies can conduct penetration testing to gauge the specific vulnerabilities of your POS system, as Secureworks did with one global fast food chain. After upgrading the POS network and connecting it to back-of-house operations to simulate a store environment, the testing company was able to compromise the POS system’s memory and infect it with malware, exposing credit card data. This test allowed the QSR brand to fix its system gaps before launching the new POS system network nationwide, protecting its franchisees, employees and customers from a real-life data breach.
Watch the full 2020 and Beyond: 10 Restaurant Cybersecurity Best Practices for Every Concept webinar for 10 indispensable tips on protecting your brand, employees and customers from a data breach.