What's Wrong With Your Network Security?
Cybercriminals are turning their attention to easier targets: chain restaurants, independent eateries, casual dining locations, and franchised quick service operations that are assumed to have insufficient cyber defenses. Restaurants are perceived to be easier targets due to their lack of on-site tech support and weaker network security capabilities and protocols. Consequently, a significant number of foodservice companies are now being attacked, and discovering they lack adequate security to protect against data breaches, file extortion, or malware infiltration. The fact is that firewalls alone are no longer enough. For these reasons, the restaurant industry is currently deemed to be especially vulnerable to cyberattacks and unauthorized network access.
Due to the high costs of a breach (financially and otherwise), restaurants should mitigate their risks by regularly assessing the strength of their network security and cyber defenses. A reasonable starting point is to comply with PCI DSS requirements, which can help to mitigate financial liability in the event of a breach. Restaurants can also leverage the available cybersecurity resources from restaurant trade associations and the U.S. government. In addition, particularly if they do not have in-house resources, restaurants can seek guidance and solutions from third-party managed security services providers.
Cybersecurity Fundamentals
Cybersecurity refers to the practice of securing electronic devices connected to the internet from unauthorized access or the measures taken in pursuit of such practice. Cybersecurity can be categorized into several distinct types, including infrastructure, application software, network, and cloud security. Cybersecurity compliance isn't simply a collection of strict and mandatory requirements coming from regulatory bodies, but rather a function of protection measures aimed at businesses that are at risk of becoming a cyberattack victim. With respect to cybersecurity, compliance can be defined as creating a program that establishes risk-based controls to protect the integrity, confidentiality, and accessibility of information that may be stored, processed, or transferred. Cybersecurity compliance is not based on a stand-alone standard or regulation, but on layers of applied strategies. When a restaurant complies with cybersecurity requirements, the restaurant is communicating to its customers that it can be trusted with their personal information. The goals of both security and compliance revolve around managing risk.
Common strategies for cybercrimes include ransomware and malware. Ransomware is a form of malicious software that may lock or encrypt connected devices, data files, and network resources in a way that disables user access until a sum of money (ransom) is paid to the perpetrator. Security specialists claim cyber criminals have begun favoring ransomware over other disruptive formulations due to how well it works. According to Sophos State of Ransomware 2022, ransomware hit 66 percent of mid-sized organizations with an average payment of $812,000. A recent report by Scientific American noted that a primary ransomware target appears to be the restaurant industry. Research findings support the claim that cyber attackers choose a variety of ransomware strategies and monetizing scales based on the characteristics of the targeted operation. In some cases, cybercriminals have even reviewed the victim’s cyber insurance plan and then based their ransomware demands on coverage amounts. This level of deception and ingenuity makes ransomware a serious and significant security concern, leading to predictions that ransomware hacks on restaurants will likely multiply. Restaurants are wise to take necessary precautions to safeguard their businesses and avoid becoming victims.
Why is cyber protection so critical? Experts estimate that nearly 60 percent of companies go out of business following a cyberattack. Cybersecurity training and insurance can help limit damages and speed recovery.
Cybercrimes
Cybercrime, or cyber heist, is an offense committed using an internet-connected computer or device. This broad definition includes any kind of wrongdoing, including mass email broadcasts (spam), unauthorized access to data, and malicious intrusion with criminal intent. It also covers online postings involving libel, defamation, or hate speech, all of which are generally regarded as criminal.
As cybersecurity threats and data security events continue to evolve, determining the costs and resources necessary to respond and recover is essential. While the most sensational incidents garner most of the headlines, attacks on small and mid-sized businesses, such as restaurants, often result in more harmful damage. The recently published 2021 NetDiligence Cyber Claims Study details actual losses for nearly 6,000 data breaches occurring between 2016 and 2020. Losses were attributable to various cybercrimes, including phishing, malware, ransomware, social engineering, and denial of service.
Operators need to decide ahead of time whether they would be willing to pay a ransom should the situation arise. Deciding spontaneously in the middle of an active ransomware event is not wise. Some businesses decide it’s unethical to pay a ransom, while others worry about whether payment will actually resolve the situation and what the repercussions may be. Experts advocate maintaining a secure backup system of critical data that can be restored with confidence, in an acceptable time frame, should system servers become inoperable. The backup system should be tested to verify that the backups will actually work, since backups are a prime target for cybercriminals. Backup procedures must also be protected from ransomware to avoid false confidence during a crisis.
The most common ransomware attack involves criminals repeatedly sending fraudulent messages from fake or compromised email addresses designed to look legitimate. Another common tactic is more sophisticated, specifically targeting networks or systems that have been identified as vulnerable. According to the NetSPI Ultimate Guide to Ransomware Attacks, cyber criminals tend to follow a consistent sequence of acquisition, encryption, ultimatum, payoff, and decryption.
Step 1 – Accessing Targeted Network/Data via Weak or Default Credentials
Step 2 – Escalating Intrusion to Databases and File Shares
Step 3 – Exfiltrating Sensitive Data from Targeted Network for Ransom
Step 4 – Deploying Ransomware (Locked Screen and/or File Encryption)
Step 5 – Seeking Ransom Payment for Decryption Key (File Releasing/System Access)
Step 6 – Threatening Additional Extortion via Exposure or Publication
Legacy versions of ransomware were designed to spread like a virus, or worm, collecting credentials and encrypting files along the way. Threat actors have become more sophisticated so that ransomware can now send a communication that enables the hacker to analyze and evaluate data and compute a more appropriate ransom. Operators who have suffered a ransomware attack point out that the time and cost of recovery and downtime expenses often exceed the ransom amount.
Many cyber experts discourage ransomware payments because they often fuel a threat actor’s ability to conduct future ransomware attacks. In NetSPI’s guide, operators are cautioned that paying a ransom does not always resolve the issue. The report points out that the likelihood of getting all encrypted data back after paying a ransom is slim. In 2021, according to SonicWall’s Cyber Threat Report, less than 10 percent of those firms paying a ransom received all files in return.
Scareware
Scareware is a form of malicious software (malware) that uses social engineering to cause shock, anxiety, or the perception of a network threat in order to manipulate a user into purchasing unwanted software or paying to restore system access. Scareware typically produces bogus alarm warnings, or threat notices, that cripple network functionality and push a user to take immediate action. The term scareware can be attached to any unauthorized computer application that causes significant network disruption. It can install rogue security software, termed scam software, that tricks a user into believing an application or network is corrupted and then suggests the user download, and/or pay for and download, fake antivirus software to remove the blockage. Often the virus is fictional, yet the downloaded software is not and may in fact be unwanted malware. It is important to note that business interruption (75 percent), reputational damage (59 percent), breach of customer information (55 percent), data or software damage (49 percent), and extortion/ransomware (41 percent) were the top cyber loss scenarios cited in recent reporting. According to the Anti-Phishing Working Group, the number of scareware packages in circulation totals in the tens of thousands, with new forms continuing to evolve. The form of malware most likely to scare the restaurant industry is ransomware.
Social Engineering
Social engineering is the act of deceptively manipulating system users into performing actions or divulging confidential information contrary to a business’s best interests. Social engineering can be performed in person, using a paper-based mail delivery method, over the phone, or digitally online. Social engineering is one of the most problematic attack techniques to combat as it preys on human nature rather than on technical skill. Research indicates that user education is most effective at stopping a social engineering breach, as it raises awareness of attack recognition and of the simple methods to thwart such attacks. Techopedia.com defines social engineering as deception for the sole purpose of gathering information, fraud, or system access. Webopedia.com adds that it is the act of obtaining or attempting to obtain secure data by persuading a user to reveal secure information. This is not unlike phishing attempts, but social engineering is harsher and involves deception, fraud, and manipulation. The Verizon DBIR report defines social engineering as psychological compromise of a person that alters behavior into taking an action or breaching confidentiality. The report also mentions that social attacks as a pattern have continued to increase in the past 5 years, with breaches nearly doubling annually. Web-based email is a favorite target. Additionally, more than 80 percent of social engineering breaches are discovered by external parties.
Cyberthieves design the interaction so that it seems natural, normal, or helpful to provide the requested information or to click a displayed link. Social engineering red flags (for example, hyperlinks and attachments) tend to be somewhat obvious. Social engineering has become a favorite attack method due to the low level of technical expertise necessary to execute an attack. The same is true for phishing attacks.
Denial of Service
A distributed denial of service (DDoS) attack is intended to interrupt system functionality. This cybercrime does not always involve theft of proprietary information; it is often used instead to promote an unwanted social or political agenda. DDoS attacks take servers or networks out of normal operation by overwhelming them with more traffic than they can handle. If a server is fully occupied dealing with an attack, it cannot devote system resources to anything else. In a DDoS attack, cyberthieves flood the servers with huge volumes of bogus network traffic, which bogs the servers down and prevents them from responding to legitimate requests or raising alerts.
Restaurant Experiences
Cybercriminals consider many variables when choosing which businesses to attack. It is important to understand that attacks are both opportunistic and intentional. No industry is exempt from being targeted. Opportunistic attacks may target foodservice operators, which traditionally have immature and underfunded cybersecurity programs, cannot afford downtime, and are therefore more likely to try to resolve an attack quickly.
Fraudsters have found opportunities to target restaurants in new ways due to the unfamiliar nature surrounding the COVID-19 pandemic. Many of these types of scams revolve around people impersonating roles related to the pandemic, such as a health inspector or loan provider. Ultimately, these scammers are targeting personal data and credit card information, often over the phone or via email with a spoofed email address that looks official (e.g., phishing). Toast.com warns that official organizations will not request proprietary information over the phone or email and that restaurant operators should never provide this information through those channels. It is often wise to contact the inquiring organization, through its official channel, to determine if the notice received is legitimate.
Hospitalitytech.com cites impersonation of a health inspector as a common method of restaurant phishing. Amid the pandemic, cyber criminals preyed on well-intentioned employees through COVID-19-related schemes and malware minefields posing as COVID-19 relief websites. For example, cyber criminals sent emails to restaurant employees purportedly authored by the World Health Organization or the US Centers for Disease Control that contained malware embedded within attachments or bogus links disguised as vaccine and treatment notes. Other phishing emails took the form of purported information on infection rates and related statistics.
A scammer can call, email, or arrive on site with claims of a health code violation and attempt to collect a baseless fine or gather personal information to be used later for identity theft. Even when a scammer doesn't have an official business card or paperwork, they can feed off an operator’s fear through an increased sense of urgency that forces a compromised situation. As toast.com suggests, foodservice personnel should not provide personal, business, or financial information on the spot. Instead, the owner or manager should take the time to contact the local county's health division or other relevant official. Do not trust contact information given by an uninvited visitor. Take the time to stop and think about whether the questionable interactions could be a phishing scam.
Cybercriminals may use social engineering on the restaurant staff to execute a successful phishing attack. Attackers may persuade employees to share or reveal network login credentials or other sensitive data or provide phishing emails with links to infected websites that harvest data. Phishing emails can also contain file attachments with malware that installs upon download. Equally as dangerous are malicious websites created by cyber criminals using domain names containing the words “coronavirus” and “Covid-19”. Well-intentioned employees seeking to donate to COVID-19 relief or simply get an update on COVID-19-related information may visit these websites via the restaurant’s network. Unbeknownst to the employee, the website may be riddled with malware.
According to the cyber security company Inky, researchers detected 121 phishing emails in an attack that originated from a compromised Mailgun email marketing account used by the foodservice chain. It found that of those 121 attacks, two were fake voicemail notifications with malware attachments (also known as vishing), fourteen impersonated USAA Bank and had links that redirected to a malicious USAA Bank credential-harvesting site, and the other 105 impersonated Microsoft and had links that redirected to a malicious Microsoft credential-harvesting site. Researchers said the bulk of the attacks impersonate Microsoft. The giant software company is often the subject of impersonations because Microsoft credentials are highly valuable.
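The impersonation, attachment and pandemic-themed lures described in the two paragraphs above can be screened for automatically before a message reaches staff. The following is an added example (not code from the article, from Inky, or from any vendor) that applies those red flags to constructed sample messages; the brand list, the legitimate-domain mapping, the risky-extension list and the domain example-restaurant.com are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the page reports as impersonated and the domains they legitimately mail from (assumption).
BRAND_DOMAINS = {"microsoft": ("microsoft.com",), "usaa": ("usaa.com",)}
# Pandemic-themed words the page reports in malicious domain names.
THEME_WORDS = ("coronavirus", "covid-19", "covid19")
# Attachment extensions that execute code when opened (common, not exhaustive).
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".zip", ".html")
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def _is_brand_domain(host, brand):
    """True if host is the brand's own domain or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def triage(raw_message):
    """Score one RFC 822 message string; returns sender, red flags and a verdict."""
    msg = message_from_string(raw_message)
    flags = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    subject = msg.get("Subject", "").lower()
    # 1. Display name borrows a brand that the sending domain does not belong to.
    for brand in BRAND_DOMAINS:
        if brand in display.lower() and not _is_brand_domain(sender_domain, brand):
            flags.append(f"display name claims {brand!r} but sender is {sender_domain}")
    # 2. Pandemic-themed sender domain.
    if any(w in sender_domain for w in THEME_WORDS):
        flags.append(f"pandemic-themed sender domain {sender_domain}")
    # 3. Walk the MIME parts: gather text bodies, inspect attachment names.
    body, has_attachment = "", False
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            has_attachment = True
            if filename.lower().endswith(RISKY_EXTENSIONS):
                flags.append(f"executable-type attachment {filename}")
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    # 4. Fake voicemail notification carrying a file, the lure Inky described.
    if "voicemail" in subject and has_attachment:
        flags.append("voicemail lure with attachment")
    # 5. Links to lookalike brand hosts or pandemic-themed hosts.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        for brand in BRAND_DOMAINS:
            if brand in host and not _is_brand_domain(host, brand):
                flags.append(f"lookalike {brand} link {host}")
        if any(w in host for w in THEME_WORDS):
            flags.append(f"pandemic-themed link {host}")
    return {"sender": sender, "flags": flags,
            "verdict": "suspicious" if flags else "clean"}


# Constructed sample messages (not real mail); .invalid is a reserved TLD.
MICROSOFT_MSG = """\
From: "Microsoft Account Team" <no-reply@microsoft-account-verify.invalid>
Subject: Action required: verify your Microsoft 365 password
Content-Type: text/plain

Your mailbox will be suspended. Sign in at
http://microsoft-account-verify.invalid/login to keep access.
"""
COVID_MSG = """\
From: "WHO Relief Desk" <donate@coronavirus-relief-fund.invalid>
Subject: COVID-19 infection statistics for your county
Content-Type: text/plain

Latest infection rates: http://coronavirus-relief-fund.invalid/stats
"""
VOICEMAIL_MSG = """\
From: "Voicemail Service" <noreply@notify.bulk-sender.invalid>
Subject: New voicemail message (0:42)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="voicemail_0042.wav.js"
Content-Disposition: attachment; filename="voicemail_0042.wav.js"

dmFyIHg9MQ==
--b1--
"""
LEGIT_MSG = """\
From: "Dana (GM)" <dana@example-restaurant.com>
Subject: Next week's schedule
Content-Type: text/plain

Schedule is posted at https://example-restaurant.com/schedule. Thanks!
"""

if __name__ == "__main__":
    for sample in (MICROSOFT_MSG, COVID_MSG, VOICEMAIL_MSG, LEGIT_MSG):
        print(triage(sample))
```

The checks are intentionally simple header and body heuristics; a flagged message is a candidate for a manager's review, not proof of an attack.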
The biggest threat from a cybersecurity issue is not necessarily the cost of correction and recovery, but the potential long-term effects on reputation. Many of these incidents were related to payment card security.
The common goal of a restaurant cyberattack is to exfiltrate the firm’s credit card and customer relationship databases. This attack is often achieved via malware attaching to the restaurant’s point of sale (POS) system. Malicious code then records transaction detail for transmission to an external, unsanctioned server. Restaurant POS systems are considered particularly vulnerable to ransomware attacks since they are an essential component in order production, payment processing, and sales revenue. In addition, POS applications can link to data analytics, inventory controls, financial accounting, and labor management. For restaurants, the threat of a ransomware attack may cause more immediate harm than a malware attack. That’s because a typical POS ransomware attack needs only minutes to execute, shut down operations, and effectively bring the business to a sudden halt. By comparison, a malware attack must remain on the target’s network for quite some time, often months or years, while it siphons off sensitive data.
POS ransomware isn’t simply about paying to get data back, it’s about paying to regain access to the POS systems. Cybersecurity Ventures, which predicted global ransomware-related damages to reach $20 billion in 2021, offers the following best practices aimed at helping operators minimize or avoid POS ransomware attacks.
- Contract a managed security services provider that can provide 24/7 monitoring via a security operations center.
- Adopt a software-defined branch networking strategy to standardize security measures across all outlets and maximize threat detection.
- Segment network traffic to lock down POS systems from the rest of the network and implement a cloud-based managed firewall to protect traffic.
- Invest in endpoint threat detection and response to shorten the active window of a breach and limit the damage.
- Maintain PCI compliance as PCI standards provide an additional layer of security.
The above practices should be considered part of an integrated cybersecurity solution for a restaurant. Partnering with a managed security service provider can be especially helpful with stolen credit card data and related payment data.
The National Restaurant Association suggests several essential steps to protect a restaurant from cybercrimes. These steps involve identifying at-risk assets, protecting assets by leveraging access, detecting when a breach is present, responding by taking corrective action, and facilitating recovery and a return to normalcy. The NRA also points out that there are at least four ways a data breach can negatively impact an eatery, including:
- Investigations, fines, and remediation can be quite costly.
- State breach notification laws may require informing customers of a breach.
- Inevitable class action lawsuits tend to arise from data breaches.
- Inescapable brand damage and loss of customer loyalty.
Data Security
While often used interchangeably, data security refers to payment card data and cybersecurity refers to all other sensitive data that resides within a network. To emphasize the ongoing, persistent cybersecurity threat to the middle market, 98 percent of claims in this year’s survey ($589 million in total) came from small to medium firms.
Protective Actions
While there have been many published reports suggesting ways restaurants can reduce the risk of a cyberattack, the following items are almost always mentioned:
- Inspect devices connected to any network to ensure updated security
- Be sure passwords are strong (>12 characters) and stored securely
- Provide a unique identifier for each system user to enable tracking
- Implement firewall, and other software protection, on all devices
- Train staff to identify possible phishing emails and other malware
- Employees must limit or eliminate personal information shared online
Cyber Insurance
As mentioned previously, experts estimate that 60 percent of companies go out of business following a cyberattack. The expense of incident response, investigation, remediation, and recovery can be catastrophic. Plus, businesses don’t end up paying for an incident just when it happens. It can take months or years to determine the full extent of damage.
Cybersecurity insurance helps to limit financial damage from a covered cybersecurity incident to the maximum of the agreed upon deductible. Just as important, when a user contacts the insurance company for a covered event, the insurance company will usually put the caller in contact with an expert incident response agent.
These vendors normally have extensive experience in minimizing the damage from a cybersecurity event and guiding quick but reasonable recovery times.
Although the cost of cybersecurity insurance has been increasing (due primarily to payouts involving ransomware attacks), it still ranks as one of the best coverages relative to the risks covered and the cost of the premium. Unfortunately, attacks have escalated in all industries and financial demands are getting much higher. Criminals know that more companies are buying cyber insurance, which has made them even more aggressive. Some recent changes in the cyber insurance area include:
- Reduced capacity: Insurance carriers are more conservative in underwriting coverage given the reality of a higher probability of paying claims.
- Rate increases: Cyber insurance has increased 25 to 100 percent to account for higher, more frequent loss claims.
- Underwriting scrutiny: Underwriters have gone from asking very little about a business to wanting to be much more knowledgeable about specific details.
Insurance companies have enhanced their application questionnaires to understand whether a company is at risk for ransomware and various other types of cyberattacks. Although the cyber insurance market has become more complex, it remains a key pillar of an effective approach.
FSR Magazine suggests that for most restaurants a minimum cyber insurance premium may be less than $100 per month to provide major protections and digital expert assistance. While policy costs will vary, they should reflect the level of cyber security needed in addition to embedded protection already in place (for example, firewalls and two-factor authentication). Cyber experts stipulate that what makes a good cyber insurance policy worth the investment is the quality of the response team that’s provided after a claim is filed.
Recommended Actions
Phishing, malware, ransomware, and social engineering attacks tend to rely on human error and vulnerabilities in restaurant cybersecurity protocols. With the increasing number of foodservice transactions happening online, opportunities for digital breaches rise. Industry experts suggest the following best practices to minimize or avoid breaches:
- Update software applications and firmware on network devices;
- Enable multi-factor authentication for all applications on all devices;
- Secure application settings and administrative accounts;
- Store data in a secure cloud environment and eliminate on-premises file servers;
- Replace outdated firewall protection; and
- Implement a secure off-premises backup procedure.
Cloud computing has also proven to be an extremely valuable strategy against threats. Companies can use the cloud to gain stronger control over data with increased access and visibility into information. With the increasing scale of many cloud providers, security capabilities that were once out of reach are now an option for many restaurants. That means a business can significantly decrease its cybersecurity risks and prevent many common phishing, malware, and ransomware scams.
Data Privacy Compliance
Data privacy compliance is the practice of following regulations set forth by corporate governance, industry organizations, and governments. These regulations dictate how sensitive data is collected, used, stored, and managed, among other requirements. Compliance is not security. It is taking accountability for meeting the mandates and specific security requirements. Compliance and risk management are closely aligned: Compliance with established rules and regulations protects restaurants from a variety of unique risks, while risk management protects against procedures that may lead to non-compliance. A common compliance risk is the violation of privacy laws. Hacking, viruses, and malware are some of the cyber risks that may affect eateries.
Summary
Cyber threats come in many forms, such as phishing, ransomware, scareware, malware, social engineering, and much more. Cybersecurity is the protection of internet-connected systems (or networks) and their hardware, software, and data from cyber threats. The practice is used by individuals and enterprises to prevent unauthorized access to data centers, cloud operations and any set of connected digital devices and systems.
As larger enterprises make greater investments in their cyber defenses, criminals are focusing on easier targets, the small to medium sized business that may not have strong network security in place. These vulnerable businesses enable cyber criminals to make more money with less efforts. The restaurant industry – and every business owner, franchisor and franchisee associated with it – must be prepared to combat this growing threat.
Cyber Security Tips for Restaurant Owners in 2022
The food and hospitality industry is vulnerable to cyber security threats and attacks like any other industry. Hackers have various dining establishments in their cross hairs. After recently being alerted by government officials, Red Robin Gourmet Burgers & Brews informed shareholders that criminals have targeted restaurants to mine personal data about staff and customers alike. Hence, cyber security directly affects the restaurant business as well as its patrons. Losing customers’ personal information can reduce a restaurant’s foot traffic. This predicament can be avoided, however, if restaurant owners are proactive in securing their IT infrastructure, which can save them a lot of money and, most importantly, create a safe environment for their customers.
BREACH OF TRUST AMONG CUSTOMERS
Cyber crooks are drawn to the food service and hospitality industries primarily because of the high volume of credit card transactions that are regularly made. According to the latest Trustwave Global Security Report, the food and beverage industry accounted for 10 percent of data breaches in 2016. Breaches of POS systems made up 75 percent of those cyber-attacks, a fact that has recently been brought to the attention of restaurant management nationwide. The most critical aspect of customer relations and loyalty is trust. All this attention from hackers poses a threat to a restaurant’s finances and reputation. Restaurants, hotels and other commercial venues are starting to understand how critical data security is for protecting their business and maintaining the trust of their customers.
EDUCATING RESTAURANT MANAGEMENT ABOUT CYBER SECURITY
When a customer enters your venue and takes a seat in one of your booths to wait for service, the last thing that should be on their mind is their information being stolen by hackers. But the unfortunate reality, shown by a Gallup poll, is that 70 percent of Americans are concerned about their personal information being compromised, whether through identity theft or credit card fraud. It has therefore never been more important for restaurant owners to take the necessary precautions and ensure the protection of their customers at all costs. The better understanding they have of the importance of cyber security, the more likely they are to develop business solutions that assure the success and longevity of their venue.
GEARING EMPLOYEES FOR BATTLE
More often than not, there have been reports of hackers posing as electricians or representatives from cable companies who visit venues and request full access to the computer system. Once these rogue agents have access to the server, they are able to install malware or obtain credit card data, loyalty program information, and other sensitive files. Some hackers use social media to gather information about a person in order to build a phishing scheme. Employees going through cyber security training is essential for the restaurant’s security. This training will alert them to warning signs, suspicious emails, and potential triggers of a data breach. They will also be equipped to plan and effectively implement preventative measures against other cyber-attacks. Besides waiting on tables, operational staff can serve as watchdogs if they know what to look out for.
POS SYSTEMS FOR RESTAURANTS WITH EMV COMPLIANCE
Hackers frequently look for the biggest result that requires the least amount of work. That is one of the main reasons why data breaches of POS systems are among the highest ranked. Consequently, cybercriminals are able to steal large amounts of personal information from a single system with very little to no effort at all! Avoiding this predicament demands that restaurant owners use the most updated POS system and meet government related PCI compliance guidelines. EMV chip card readers, devices that use computer chips to authenticate and secure transactions made through debit and credit cards, are highly recommended.
However, many small businesses, and restaurants in particular, can be very hesitant to adopt EMV technology for a myriad of reasons, cost being one of them, along with the pressures of adopting new technology. Security is the concern that stands out from the rest. With countless data breaches surfacing in the news every day, making both customers and staff vulnerable to having their information stolen, it’s no surprise that restaurant owners are cautious about the new technology they implement. While their reluctance is understandable, EMV cards are rapidly becoming the global standard for payments and for processing them. The shift to EMV compliance is therefore becoming compulsory for restaurant POS systems.
UTILIZATION OF IT PROFESSIONALS
Investing in an IT provider with expertise and experience in the technology industry may be one of the best business decisions you can make. A competent third-party vendor can install and host all IT necessities, from well-protected POS systems for restaurants and Wi-Fi networks to security systems. With a trusted IT professional, restaurant owners can build their confidence and knowledge of all the technology components, along with the reassurance that they are in the safe hands of an expert who understands the intricacies of cyber security. It’s always good to have someone on stand-by when an IT issue arises; someone who understands the problem can resolve it quickly so nothing is compromised.
HAVING A COMMUNICATIONS CRISIS PLAN
Many restaurant owners do everything in their power to prevent a data breach, but they sometimes fall victim nonetheless. Attacks from cyber criminals have a devastating effect on the business, be it loss of reputation, a decline in customer loyalty, or additional fines, and can cause damage beyond repair. It is best business practice to have a well thought-out and effective communications crisis plan in place for these dilemmas. If and when a data breach occurs, you can then take immediate action to support customers and sustain your brand reputation.
Transparency is paramount when informing your customers about a data breach by hackers. Providing your customers with the details will assure them that the issue is being addressed and solutions are in progress. A leadership team member should be designated to address the crisis publicly in order to prevent the leakage of confidential information. In doing so, everyone involved knows that information about the vulnerability is coming from a reliable source. Updating patrons on the recovery process tells them that the incident is being dealt with. Once all the issues have been addressed and the situation is under control, you should notify your customers and explain the steps you have taken to prevent a recurrence.
It takes hackers only seconds to break into a restaurant’s computer system, while reversing the repercussions of a data breach can take years. If not handled properly, restaurants may never recover from this painful blow. By thinking ahead and taking action to secure all IT components, restaurant owners are not only saving their business but are also protecting the people who make it function: their customers.
About the Authors
Michael Kasavana is CHTP, CFTP MSU/NAMA Professor, Emeritus IFBTA Education; and Tim Tang is Director, Enterprise Solutions, Hughes Network Systems LLC