The notion of the restaurant as the refuge from the day-to-day connectivity of life has changed. A restaurant that does not offer WiFi so patrons can upload photos of the chef’s Spéciale du jour may earn the ire of Yelpers, once connection to the digital world is restored. This means that nearly all restaurants are facing several of the same cyber security challenges typical tech-based businesses face every day. In this article, I’ll present five practices that any one store café or large chain restaurant group can adopt around cyber security which could prevent data breaches and keep both company and patron information safe from the rising threat of cyber criminals. Preventing a single breach could save a business hundreds of thousands of dollars.
Practice 1: Separation of networks
I’ve encountered many eateries where I see their POS systems on the same network as their free Wifi for customers; Do Not be this restaurant. When you do not have a physical or firewall divide between your POS system and patron’s devices you are exposing your most critical technology asset to the millions of trojans, obsolete operating systems and infected devices out in the wild.
A device with a time-based trojan could be lying in wait, probing your POS machines until it finds a vulnerability and then will launch a crypto attack against your POS system. Ultimately, you could wind up paying thousands to hackers and still may not get your data back. Which leads into Practice 2…
Practice 2: Backup, Backup, Backup
Backups are a critical component to any operation. Backup of POS data, marketing information and any other business critical data should be part of any cyber security plan. Backups protect against data loss from an event like a crypto attack and also allow comparison of files for unauthorized modifications. To be able to quickly recover from any unexpected event, have backups, in fact, have two levels of backups. As my 99 year old grandfather likes to say, “If one is good, two is better!”
A backup is only good if it works, so make sure to frequently restore your backups and ensure what was desired to be in the backup was actually backed up and was recoverable.
A major key benefit to using Data Central is that our clients do not have to worry about backup of their back-office data as it is handled entirely by our software. Client data is backed up locally, and then is transferred to georedundant storage. This means that in the unlikely chance something should occur at the local data center, Data Central can grab backups from another center that’s in an entirely different physical location. Additionally, as part of our SOC 1 and 2 compliance we perform regular data restore tests of customer backup data.
Practice 3: Train employees on Cyber Security practices
Over the many years I’ve been working in restaurant technology I’ve encountered this scenario dozens of times:
“Hi, I’m Mike with XYZ Company, I help with your computer systems. I need you to give me access to your system, so I can complete my (insert task).”
In almost all cases, I’m never asked to validate who I am, and the manager just complies and goes to the website I specify and downloads the remote tool and lets me access the machine.
This should never happen in the current cyber threat world. Employees should be trained to call a number that is known ahead of time to validate any access requested to secured systems. Without this simple check, you are a phone call away from letting a cyber-criminal steal any digital data on any of your secured systems.
All Restaurant Magic employees go through regular cyber security training. These certification trainings ensure that our employees know how to safely handle confidential data transmission such as PII (Personally Identifiable Information) and passwords. We work with technology teams of our clients to establish best practices for our interactions with store managers and to ensure that through our partnership, both organizations maintain secure policies.
Practice 4: Passwords
Everyone dreads seeing a prompt to change your password, even more so when it informs you that it must have upper case, lower case, numbers, be at least eight characters, and have a special character. So, most users create something that easy to remember, and that usually means easy to crack with software. Even worse, the user will write it down on a sticky note and put it near the machine or put it in a phone contact. If the password is easy to crack, it might as well not be present. If the password is written down, see the prior sentence. If you are storing your credentials as phone contacts, STOP IT IMMEDIATELY and delete those contacts. Your phone contacts are the least secure place to store anything, they are in plain text and un-encrypted. They are present anywhere your phone is, and you give access to all sorts of applications and services to read your phone contacts, so that means your passwords are all over the web on systems that may or may not be secured.
Here is an example: you stored all of your bank account numbers and your bank login in your phone contact. Some company where you use your email address was hacked, the hacker figures out how to access your email account, they find a contact that says Bank Info, and suddenly all of your cash has been wired to a foreign country.
Instead of passwords, use pass phrases. They are easier to remember and will almost always easily meet the minimum password requirements.
Here is an example: 2DucksLightsaberFight!
Easy to remember! It’s 22 characters! It has uppercase, lowercase and a number and even a special character.
I like to use zxcvbn (https://lowe.github.io/tryzxcvbn), to get an idea of how strong a password is. It is the same tool Dropbox uses to estimate password strength for their platform.
What the results mean is this is a complex hard to crack password!
Here at Restaurant Magic, we have strict password policies for our employees, and for our employees with privileged access, we employ an additional security layer of multi-factor authentication. This ensures that the risk of a compromised employee account is mitigated with the best security practice recommendations. We do regular exercises to reinforce how to choose good passwords and passphrases and we audit our network on a frequent basis.
Practice 5: FIREWALL
I’ll preface this with saying that the Linksys router from BestBuy is NOT a firewall. You should have a real, at least business grade, firewall in front of your network and it should have an active subscription where the rules and definitions are updated constantly to protect against zero-day threats. Firewalls from these companies: Juniper, Sonicwall, Watchguard, Sophos, Cisco, Meraki are great for all size restaurants and organizations. If you have limited support staff, Meraki provides an easy to setup and manage system with good firewall capabilities.
At Restaurant Magic we have several layers of firewalls that manage our corporate network and our production and development environments. We use best in class equipment with the latest definitions to check every data byte that comes in and out of our networks.
By adhering to these five practices, an organization can go a long way toward increasing its security posture. In this day in age, the question a CEO, CIO or CTO should be asking is not, “How much is this going to cost me to implement?” but “How much could I lose by not spending on cyber security?”
With Restaurant Magic as a partner and Data Central in your back office management stack, your organization can rest easy knowing that we take cyber security seriously and will work with your tech teams to make sure our companies are in perfect security alignment.