With restaurants facing a menu full of challenges, from severe staffing shortages to COVID-19-related safety precautions, chances are, cybersecurity posture fell to the back burner.
Although the hospitality industry might not receive as much press related to cyberattacks and security breaches as other sectors, it is just as vulnerable since restaurants hold valuable customer data – gold in the minds of cyber criminals.
Cyber threats are rising, with one report suggesting cybercrime could cost the world $10.5 trillion annually by 2025. Cybercriminals work long and hard, carefully honing their skills and creating new ways to try and breach your systems and data. The size of business doesn’t matter and neither does the industry – hospitality included.
The FBI’s cyber division recently sent U.S. food and agricultural organizations a warning related to cybercriminals hacking online accounts at grocery stores, restaurants and food delivery services. The warning noted that hackers have been using credential stuffing attacks to log into and seize customers’ grocery store, food delivery and online restaurant accounts and steal their sensitive financial information.
Restaurants should be aware of the credential stuffing threat and phishing attacks, which are the most prevalent form of cybercrime. Further, restaurants should prioritize their security measures including educating management on how to recognize potential threats and not take the bait.
Email recipient, beware
According to the FBI Internet Crime Report 2020, phishing was the most common type of cybercrime in 2020. Phishing incidents went from 114,702 incidents in 2019 to 241,324 incidents in 2020 – more than doubling in frequency.
Most phishing attacks (91%) start with an email. Often, the subject line will include the words urgent, important, attention, payment or request and try to scare the recipient into acting before thinking. With restaurant managers juggling so many duties, it’s important for them to slow down when it comes to email correspondence and think before reacting.
The first line of defense is adopting a security-first culture among all team members, which educates staff on basic cybersecurity best practices, spotting different types of attacks, and reporting incidents.
Training in the hospitality industry is often customer-service focused. In today’s environment, restaurants need to place just as much emphasis internally on making sure all employees are aware of the dangers of phishing emails and the best ways to spot them.
Be alert and aware
Here are some common things to look for in a phishing email:
- Incorrect spelling and bad grammar: If an email message has errors that include misspelled words or incorrect grammar, it’s likely to be a scam.
- Suspicious links: Never click on a link before knowing whether it’s legitimate. To test a link, hover your mouse over it to find out whether the address it points to matches what’s typed in the message. Don’t click! If it’s a scam, the link’s real address will differ from the supposed company’s web address.
- Questionable attachments: If you don’t know the person sending an email with an attachment, don’t click it. And if you do get an email from a familiar person but with an unexpected attachment, avoid it until you know whether it’s legitimate. When in doubt, ask the sender that you know whether they emailed an attached file.
- Threats: Emails conveying pressure to get you to respond quickly or causing a sense of panic (‘Urgent! Your account will be closed if you don’t pay immediately’) are likely scams.
- Spoofing: The emails look as if they are connected to a real company or website. However, they lead to fake sites.
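Several of these signs can be checked by a mail filter before a message reaches a busy manager. The following Python example is added here and is not from the article's author; it flags the subject-line words named above, any attachment, and links whose displayed address differs from the address they actually point to. The names `phishing_indicators`, `host_of`, `LinkCollector` and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject-line words the article lists as common in phishing emails.
PRESSURE_WORDS = {"urgent", "important", "attention", "payment", "request"}
# Constructed sample message using reserved example domains, not a real email.
SAMPLE = ("Subject: URGENT: payment request\nContent-Type: text/html\n\n"
          '<a href="http://login.example.org/verify">www.example.com/account</a>\n')

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for each <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._in_a = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._in_a = True
    def handle_data(self, data):
        if self._in_a:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._in_a = self._in_a and tag != "a"

def host_of(text):
    """Host named by a URL or bare domain ('www.' dropped); None for ordinary words."""
    if not re.fullmatch(r"(https?://)?[\w-]+(\.[\w-]+)+(:\d+)?(/\S*)?", text, re.I):
        return None
    return urlparse(text if "://" in text else "//" + text).hostname.removeprefix("www.")

def phishing_indicators(raw_email):
    """Return the article's warning signs found in one raw email, as strings."""
    msg = message_from_string(raw_email)
    words = set(re.findall(r"[a-z]+", (msg["Subject"] or "").lower()))
    findings = [f"pressure word in subject: {w}" for w in sorted(words & PRESSURE_WORDS)]
    for part in msg.walk():
        if part.get_filename():  # confirm unexpected attachments with the sender
            findings.append(f"attachment: {part.get_filename()}")
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_payload(decode=True).decode(errors="replace"))
            for href, text in collector.links:
                shown = host_of(text.strip())
                actual = (urlparse(href).hostname or "").removeprefix("www.")
                if shown and actual and shown != actual:
                    findings.append(f"link shows {shown} but goes to {actual}")
    return findings
```

The findings are prompts for a closer look rather than a verdict, since a legitimate supplier invoice can also carry the word "payment" and an attachment.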
Rely on technology
While education is key, restaurants must also examine the technology they’re using to combat rising cybercrime and stay on top of all patches. This means updating all software and operating systems in a timely manner, including POS software.
Many ransomware attacks start by exploiting unpatched software vulnerabilities, so proper patch management is a quick win in your defenses.
Finally, be prudent in the access controls you provide to employees – only giving access to team members who really need it. When in doubt, adopt the principle of least privilege – limiting access to the assets necessary to perform job duties. This means not every team member needs access to a POS system, for example.
Cyber criminals are smart and often seek the path of least resistance or, in other words, the easiest targets. They’ll continue to try and exploit the networks of hospitality companies partly because there’s a prevailing perception this sector is less cyber aware than other vertical markets like finance or technology.
While other business challenges continue to rise to the top in the hospitality sector, it’s critical to start preparing for ransomware attacks today and adopt prevention strategies. This applies to everyone from large chains to local restaurants. Adding the necessary security measures and educating employees on the latest cyber threats is almost as critical as taking health precautions seriously as the industry works to recover.